{"id":795,"date":"2011-08-24T08:50:23","date_gmt":"2011-08-24T13:50:23","guid":{"rendered":"http:\/\/it.thelibrarie.com\/weblog\/?p=795"},"modified":"2011-08-24T08:50:23","modified_gmt":"2011-08-24T13:50:23","slug":"smooth-sec","status":"publish","type":"post","link":"https:\/\/it.thelibrarie.com\/weblog\/2011\/08\/smooth-sec\/","title":{"rendered":"Smooth-Sec"},"content":{"rendered":"

I’m a huge fan of free software. I’m not against compiling code, installing dependencies, or taking days to research fixes to my issues. So when I read about Phillip Bailey’s turnkey solutions, it makes me wonder how it’ll all work. Well, I’m here to say it DOES WORK WELL! Link to Bailey<\/a>.<\/p>\n

PBailey has released some snort-based turnkey solutions in the past (Snorby SPSA), but I really like the new solution SMooth-Sec.<\/p>\n

After installing the software on an older HP DL320 G3 (P4 3.4 with 2GB RAM and dual 80GB SATA) I mirror one port on eth0 to the primary on the core switch<\/p>\n

Switch#conf t
\nSwitch(config)#monitor session 1 source interface Fa0\/18
\nSwitch(config)#monitor session 1 destination interface Fa0\/2
\nSwitch(config)# <\/p><\/blockquote>\n

Eth1 is then setup with a static IP on the management side (for access).
\nAfter letting this sit for about 30 minutes – the updates are run every half hour – I find that the number of results per hour are in the hundreds of thousands. Ut oh, it’s killing the server with load averages over 9.00<\/p>\n

Edit out your external net<\/p>\n

nano \/etc\/suricata\/suricata.yaml<\/code>
\nFind “EXTERNAL_NET” and change from $ANY to !$HOME_NET
\nFind “threshold-file” and uncomment this line
\nSave and quit<\/p><\/blockquote>\n

Now I also have a couple nagios monitoring servers around the network that are constantly sending traffic. So I needed to add these servers to the exemption list for suricata.
\nnano \/etc\/suricata\/threshold.config<\/code><\/p>\n

suppress gen_id 1, track by_src, ip 192.168.0.253
\nsuppress gen_id 1, sig_id 366, track by_src, ip 192.168.0.252<\/p><\/blockquote>\n

It’s recommended to reboot the server after making changes.<\/p>\n","protected":false},"excerpt":{"rendered":"

I’m a huge fan of free software. I’m not against compiling code, installing dependencies, or taking days to research fixes to my issues. So when I read about Phillip Bailey’s turnkey solutions, it makes me wonder how it’ll all work. Well, I’m here to say it DOES WORK WELL! Link to Bailey. PBailey has released … Continue reading Smooth-Sec<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,4],"tags":[],"class_list":["post-795","post","type-post","status-publish","format-standard","hentry","category-linux","category-networking"],"_links":{"self":[{"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/posts\/795","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/comments?post=795"}],"version-history":[{"count":1,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/posts\/795\/revisions"}],"predecessor-version":[{"id":796,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/posts\/795\/revisions\/796"}],"wp:attachment":[{"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/media?parent=795"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/categories?post=795"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/tags?post=795"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}