I’m a huge fan of free software. I’m not against compiling code, installing dependencies, or taking days to research fixes to my issues. So when I read about Phillip Bailey’s turnkey solutions, it makes me wonder how it’ll all work. Well, I’m here to say it DOES WORK WELL! Link to Bailey.

PBailey has released some snort-based turnkey solutions in the past (Snorby SPSA), but I really like the new solution SMooth-Sec.

After installing the software on an older HP DL320 G3 (P4 3.4 with 2GB RAM and dual 80GB SATA) I mirror one port on eth0 to the primary on the core switch

Switch#conf t
Switch(config)#monitor session 1 source interface Fa0/18
Switch(config)#monitor session 1 destination interface Fa0/2
Switch(config)#

Eth1 is then setup with a static IP on the management side (for access).
After letting this sit for about 30 minutes – the updates are run every half hour – I find that the number of results per hour are in the hundreds of thousands. Ut oh, it’s killing the server with load averages over 9.00

Edit out your external net

nano /etc/suricata/suricata.yaml
Find “EXTERNAL_NET” and change from $ANY to !$HOME_NET
Find “threshold-file” and uncomment this line
Save and quit

Now I also have a couple nagios monitoring servers around the network that are constantly sending traffic. So I needed to add these servers to the exemption list for suricata.
nano /etc/suricata/threshold.config

suppress gen_id 1, track by_src, ip 192.168.0.253
suppress gen_id 1, sig_id 366, track by_src, ip 192.168.0.252

It’s recommended to reboot the server after making changes.