On December 15th, 2016, SANS published my gold paper, which included recommendations for Intrusion Detection System (IDS) setup and tips for efficient data collection, sensor placement, identification of critical infrastructure, and network and metric visualization.
Based on feedback requesting step-by-step implementation, this blog post serves as a supplement to the gold paper to implement continuous monitoring in your home. This post will also include specific hardware recommendations and direct links for software download.
First we’ll need to get a few pieces of hardware.
| Item | Description | Cost |
|---|---|---|
| TAP or Switch | TAP, or a switch that supports port spanning (Dualcomm-DCGS-1000Base-T) | $179 |
| Server | Server will run SELKS; see below for minimum requirements | $0-2000+ |
| Dual NIC Card | Server should be equipped with two ports: one for management and another for sniffing. NICs available here | $46 |
| Management Switch | Network switch to separate your management network. | $10-$400+ |
| ISP Provided Router | This is the DSL/Cable modem provided by your internet provider | Monthly Bill |
A few caveats:
- All products with links are personal preference. I’m sharing the setup of my network, but feel free to use replacements.
- There are many ways to monitor network traffic. Network TAPs are the cleanest way to do it. The recommended TAP above also serves as a gigabit switch and can be powered by USB. Choose a TAP that suits you. In many cases a 100Mbps TAP is okay, but it may drop packets if the network operates at greater speeds.
- It is possible to listen on the same interface that your management port is on (the port with an IP address), but it is best to have a dedicated interface.
- Per the SELKS GitHub page, the minimal configuration for production usage is 2 cores and 4 Gb of memory. As Suricata and Elasticsearch are multithreaded, the more cores you have the better. Elasticsearch uses memory for indexing network traffic, so high-traffic networks will require more memory. I have 32GB on my sensor, of which 12-19GB is consistently in use. See the Running SELKS in production page for more info.
Here is an example of a network topology (figure: "Gain network visibility into an enterprise, small office, or home network"). The topology below may be more relevant to a small office, but we’ll use segments to emulate a home network. Many home networks may not have a switch or firewall connected (not a bad idea to get one, though!).
Next, we’ll need to download SELKS.
- Download the SELKS ISO. This will be installed on the server.
- Create a bootable USB thumbdrive with the SELKS ISO. If needed, assistance is available here.
- Insert the thumbdrive into the server and boot. You may need to set the server to boot from USB in the BIOS.
If all goes well, you should see the SELKS boot menu. Pressing Enter will lead you to the graphical interface.
Users booting from a thumbdrive may need to follow these additional steps:
- At the language prompt, press Alt-F2.
- Type mkdir /cdrom
- Type mount /dev/sdb1 /cdrom
- Your partition name may not be sdb1. Use fdisk -l to list the available partitions.
- Press Alt-F1 to return to the installation process and continue.
The default username and password are selks-user/selks-user, and root is
- More information is available at SciriusUsage.
- Log in to the server and assign a static IP address to eth1. For example, if your network uses the 192.168.1.0/24 range, you can assign 192.168.1.250 to interface eth1 on your server.
- Install your network TAP inline with your ISP-provided router.
- If using the recommended TAP, you can use the following configuration:
| Port | Connected To | Description |
|---|---|---|
| 1 | ISP Router | Passes all home traffic through to the router. |
| 2 | Switch or Wireless Router | Plug in your switch or wireless router. If you have multiple wireless access points, plug them into a switch, and plug the switch into port 2. |
| 5 | Server | Plug into the “sniffing port” on your server. eth0 is set to sniff by default. |
- Your server should now be collecting network traffic!
- Log in to your server via a web browser at https://server.assigned.ip.address
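Before moving on to tuning, it helps to confirm the two-NIC layout above is actually doing what you expect: the management interface carries the static IP you assigned, the sniffing interface carries no IP at all (the dedicated-interface caveat earlier), and its receive counters climb while the TAP is inline. The script below is an added example written for this post, not part of SELKS; it assumes the eth0 (sniff) / eth1 (management) roles and the 192.168.1.250 example address used above, all of which can be overridden via the `check_sensor` parameters. The embedded samples are constructed, not captured from a real sensor.

```python
"""Post-install check for the dual-NIC SELKS sensor: eth1 must carry the static management IP,
eth0 (the sniffing port) must carry no IP address and must see traffic while the TAP is inline."""
import subprocess
import time

def rx_packets(proc_net_dev, iface):
    """Return the RX packet counter for iface from /proc/net/dev text."""
    for line in proc_net_dev.splitlines():
        name, _, stats = line.partition(":")  # header lines have no "<iface>:" prefix
        if stats and name.strip() == iface:
            return int(stats.split()[1])  # receive columns: bytes packets errs drop ...
    raise ValueError(f"interface {iface} not found in /proc/net/dev")

def ipv4_addrs(ip_addr_output, iface):
    """Return the IPv4 addresses configured on iface, parsed from `ip -o -4 addr` output."""
    addrs = []
    for line in ip_addr_output.splitlines():
        parts = line.split()  # "<idx>: <iface> inet <addr>/<prefix> ..."
        if len(parts) >= 4 and parts[1] == iface and parts[2] == "inet":
            addrs.append(parts[3].split("/")[0])
    return addrs

def check_sensor(proc_before, proc_after, ip_output,
                 mgmt="eth1", sniff="eth0", mgmt_ip="192.168.1.250"):
    """Return the problems found; an empty list means the sensor looks healthy."""
    problems = []
    if mgmt_ip not in ipv4_addrs(ip_output, mgmt):
        problems.append(f"{mgmt} does not carry the static management IP {mgmt_ip}")
    if ipv4_addrs(ip_output, sniff):
        problems.append(f"{sniff} has an IP address; the sniffing port should be a dedicated, unaddressed interface")
    if rx_packets(proc_after, sniff) - rx_packets(proc_before, sniff) <= 0:
        problems.append(f"{sniff} received no packets between samples; check the TAP cabling (port 5 -> {sniff})")
    return problems
# Constructed samples (not captured from a real sensor), used by the self-test.
SAMPLE_IP_ADDR = ("1: lo    inet 127.0.0.1/8 scope host lo\n"
                  "3: eth1    inet 192.168.1.250/24 brd 192.168.1.255 scope global eth1\n")
SAMPLE_PROC_BEFORE = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 1048576    1500    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth1:  204800     900    0    0    0     0          0         0   102400     450    0    0    0     0       0          0
"""
SAMPLE_PROC_AFTER = SAMPLE_PROC_BEFORE.replace(" 1048576    1500", " 2097152    4200")
if __name__ == "__main__":  # live check, run on the sensor itself
    before = open("/proc/net/dev").read()
    time.sleep(5)  # give the TAP a few seconds to deliver traffic
    after = open("/proc/net/dev").read()
    ip_out = subprocess.run(["ip", "-o", "-4", "addr"], capture_output=True, text=True, check=True).stdout
    issues = check_sensor(before, after, ip_out)
    raise SystemExit("\n".join("PROBLEM: " + p for p in issues) or 0)  # message => exit 1, 0 => exit 0
```

Run it on the sensor after cabling the TAP; a non-zero exit with a PROBLEM line tells you which half of the setup (management address, stray IP on the sniff port, or no traffic from the TAP) to revisit.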
Lastly, you’ll want to follow the tuning considerations on the SELKS wiki page.
Recommendations on the page include:
1. Initial Setup
2. Tuning and Maintenance
3. Data and Logs
4. Troubleshooting and Getting Help
If you don’t tune Elasticsearch or Suricata, the stack will eventually fail. Your server MUST be tuned, or its availability will not be reliable.
Hope you found this guide helpful, and if you have any questions, please post them in the comments section below.
Special thanks to Jason S. for providing the step-by-step USB mount instructions.