Nvidia Jetson IDS Sensor
Boost your security on a budget! ️ In this post, we'll guide you through building your own low-cost intrusion detection system (IDS), perfect for small businesses or home use. We'll be using an Nvidia Jetson Nano, but don't worry – if you have a Raspberry Pi lying around, it'll work too with just a few tweaks!
The hardware I used for this build is listed below, I wanted to keep the cost down and utilize open source software for the build.
Hardware
- Nvidia Jetson Nano
- 512 Memory card
- 4Gb Ram
- 1Gb onboard NIC
- USB 1GB NIC
Software
- Ubuntu 20.04.6 LTS
- Suricata 7.0.3
- IDSTower 2.5.2
Network Setup
The network configuration involved designating the onboard NIC as the Intrusion Detection System (IDS) interface and the USB connection as the management interface. Unfortunately, the chosen USB interface lacked the capability to operate in promiscuous mode, thereby preventing traffic sniffing.
eth0 - IDS interface
eth1 - Management Interface (USB)
Interface Configuration
While Ubuntu 20.04.6 leverages Network Manager by default, this project employs Netplan alongside YAML configuration files for a consistent and manageable network setup. However, as Netplan currently lacks direct support for promiscuous mode functionality, a custom script was implemented to activate when the interface comes up.
Install netplan.io
Configuration of the network will be handled through netplan, depending on how you installed Ubuntu 20.04 netplan might not have been installed.
To install Netplan use the following commands.
thetechnerd@server01:~$ sudo apt install netplan.io
Here is the yaml file I used to configure the interfaces
thetechnerd@server01:~$ sudo cat /etc/netplan/00-installer-config.yaml
network:
version: 2
renderer: NetworkManager
ethernets:
eth0:
dhcp4: false
eth1:
dhcp4: trueAs mentioned above netplan isn’t able to set the interface to promiscuous mode so we use the following script that we created under the NetworkManager dispatcher directory.
thetechnerd@server011:~$ sudo vi /etc/NetworkManager/dispatcher.d/30-promisc #!/bin/bash if [ "$1" == "eth0" ] && [ "$2" == "up" ]; then ip link set "$1" promisc on fi
Once we save the file we need to make it executable.
thetechnerd@server011:~$ sudo chmod +x 30-promisc
Reboot the system to make sure that the network interfaces come up correctly.
thetechnerd@server01: ifconfig
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST data-preserve-html-node="true" data-preserve-html-node="true" data-preserve-html-node="true"> mtu 1500
inet 169.254.135.194 netmask 255.255.0.0 broadcast 169.254.255.255
inet6 fd9e:f804:ca9e:4c56:4ab0:2dff:fec1:5605 prefixlen 64 scopeid 0x0
inet6 fe80::4ab0:2dff:fec1:5605 prefixlen 64 scopeid 0x20<link>
ether 48:b0:2d:c1:56:05 txqueuelen 1000 (Ethernet)
RX packets 272931795 bytes 261894644993 (261.8 GB)
RX errors 0 dropped 6128 overruns 0 frame 0
TX packets 1955 bytes 147230 (147.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 151 base 0xa000</global>
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST data-preserve-html-node="true" data-preserve-html-node="true" data-preserve-html-node="true"> mtu 1500
inet 192.168.x.x netmask 255.255.255.0 broadcast 192.168.x.255
inet6 fe80::9eeb:e8ff:fe13:484b prefixlen 64 scopeid 0x20
inet6 fd9e:f804:ca9e:4c56:34c4:cee3:909d:71ad prefixlen 64 scopeid 0x0
inet6 fd9e:f804:ca9e:4c56:649c:b61d:914a:b5ac prefixlen 64 scopeid 0x0<global>
inet6 fd9e:f804:ca9e:4c56:5e3e:ebcb:9cbc:d7fc prefixlen 64 scopeid 0x0<global>
inet6 fd9e:f804:ca9e:4c56:9eeb:e8ff:fe13:484b prefixlen 64 scopeid 0x0<global>
ether 9c:eb:e8:13:48:4b txqueuelen 1000 (Ethernet)
RX packets 26614466 bytes 7013007133 (7.0 GB)
RX errors 0 dropped 11528182 overruns 0 frame 0
TX packets 837954 bytes 405771389 (405.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0IDSTower Installation
Following the above install instructions we will install IDSTower on the IDS Sensor, after testing this setup for some time now if you aren’t running a lot of memory then it would be advisable to install IDSTower on another system.
Add the IDSTower Repository
thetechnerd@server01:~$ sudo wget -qO - [https://download.idstower.com/repos/apt/idstower.key][0] | sudo apt-key add - thetechnerd@server01:~$ echo "deb [arch=amd64,arm64] [https://download.idstower.com/repos/apt][1] stable main" | sudo tee /etc/apt/sources.list.d/idstower.list thetechnerd@server01:~$ sudo apt-get update
Install IDSTower from the repository
thetechnerd@server01:~$ sudo apt install idstower -y
Enable the MariaDB service and verify its status
thetechnerd@server01:~$ sudo systemctl enable mariadb.service thetechnerd@server01:~$ sudo systemctl start mariadb.service thetechnerd@server01:~$ sudo systemctl status mariadb.service
Secure the Database
This step isn’t required but is a good idea, run the sql secure installation script to help secure your database
thetechnerd@server01:~$ sudo /usr/bin/mysql_secure_installation
Create the DB User
Login to MariaDB, create a database user and grant them access to the database
thetechnerd@server01:~$ sudo mariadb $GRANT ALL ON _._ TO 'USERNAME'@'localhost' IDENTIFIED BY 'PASSWORD' WITH GRANT OPTION; $ FLUSH PRIVILEGES; $ exit
Setup IDSTower settings
Now edit the appsettings.json file for IDSTower, you will want to add your license key, urls to access IDSTower and database information.
thetechnerd@server01:~$ sudo vi /opt/idstower/appsettings.json
{ //Your License Key
"LicenseKey": "<license key="">",
"Hosting": {
//Your idstower hosting url, examples:
//Note: IDS Hosts will use this url to access IDSTower API, Please make sure this url is accessible from IDS Hosts
// if you use <a href="http://localhost">http://localhost</a> or <a href="http://127.0.0.1">http://127.0.0.1</a>, then IDS Hosts won't be able to send heartbeats or update rules
// <a href="http://idstower.mydomain.local">http://idstower.mydomain.local</a>
// http://<strong><em>IDSTower IP Address</em></strong>
//
"URL": "<a href="http://192.168.x.x">,
//(optional), only required when using https URL
"Certificate": {
"Path": "", //path to .pfx file,
"Password": "" //certificate password
}
},
// Database Settings
"Database": {
//MySQL Database host FQDN/IP Address
"Host": "localhost",
//MySQL Database port
"Port": 3306,
//Database Name
"Name": "IDSTower",
//Database User
"Username": "<USERNAME>",
//Database Password
"Password": "<PASSWORD>"
},
"Logging": {
//Logfile location
"LogFile": "/var/log/idstower/idstower.log",
//Log Level
//possible values: Fatal, Error, Warning, Information, Debug, Verbose
"LogLevel": "Information"
}
}Initialize the Database
Change the directory to the idstower directory and initialize the database.
thetechnerd@server01:~$ cd /opt/idstower/ thetechnerd@server01:~$ sudo ./IDSTower --init-database
Create IDSTower Admin User
Create an admin user that you will login to IDSTower with.
thetechnerd@server01:~$ sudo ./IDSTower -a <USERNAME>
Allow IDSTower to write logs
Grant the idstower user access to the logs directory
thetechnerd@server01:~$ sudo chown -R idstower:idstower /var/log/idstower/*
Enable & Start Services
The final step is to enable the idstower service, start it and verify it is running.
thetechnerd@server01:~$ sudo systemctl enable idstower.service
thetechnerd@server01:~$ sudo systemctl start idstower.service
thetechnerd@server01:$ sudo systemctl status idstower.service
● idstower.service - IDSTower Service
Loaded: loaded (/lib/systemd/system/idstower.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2024-02-10 16:33:11 MST; 19h ago
Main PID: 3780941 (IDSTower)
Tasks: 32 (limit: 4171)
Memory: 792.9M
CGroup: /system.slice/idstower.service
├─1222697 python3 /usr/bin/ansible-playbook --tags start -u thetechnerd --private-key ~/.ssh/id_rsa_idstower_cluster_2024020901291375 -i 192.168.x.x, --extra-vars ansible_port=2>
└─3780941 /opt/idstower/IDSTower -rIDSTower Initial Cluster Setup
First Login
Once you are logged in for the first time you will want to add a new cluster to IDSTower, you will deploy the Suricata software using IDSTower.
To create a new cluster click on the “Add New Cluster” button
The cluster creation wizard will start and guide you through the installation.
Enter all of the required information:
- Cluster Name - A unique name
- Choose a Repository - I used the official Suricata Repository but if you have your own you can choose that here.
- IDS Software to Install - Choose the option that best suits your needs, I use the Latest on Official
- LogShipper to Install - If you want IDSTower to install something such as Filebeat you can choose it here. If you want to perform this task later or have an unsupported log shipper you can choose None
- Target Hosts - Add the IP for FQDN of the systems you want to install too.
- SSH User Account - The software is installed over SSH, you will need to provide an account that has permissions to install software.
Everything else can be left as default unless you have ssh running on a non-standard port.
Suricata settings
When the Hosts verification check passes, you will move to the IDS settings page, first you will need to select a Configuration Profile that best fit your IDS deployment.
Then, you need to select the NIC port(s) for the Suricata IDS to monitor.
Next, set your company/network IP ranges, one per line, in CIDR format (eg: 10.0.0.0/8), this will help your IDS perform better and will give your rules better context on where to look for attacks (egress/ingress) which can reduce false positives.
Click the Next button to continue
If you chose to install Filebeats the next page will allow you to enter the settings for Filebeats. This is out of scope for this document but here are the instructions.
Once all of the settings are entered and the software has been deployed to the server, you will want to start the Suricata services.
Whe the services start you will see something similar to the below screenshot.
When all of the services are up and running it's time to add rules to the cluster.
Enable the rules that you want to send to the cluster, IDSTower utilizes several feeds, some that are free and a few that are paid for. You can also add in custom feeds for rules that you want to deploy from a custom repository.
Go to Settings -> Feeds
To enable a feed just click on “Disabled” and switch it to “Enabled”, this will enable a feed that will have several rules as a part of the collection. Keep in mind that the more feeds you enable the more rules the server will load which will affect the system resources and alerts that come out of the system.
Now that you have decided on and enabled the feeds you want to utilize the next step will be to fine tune which rules you actually care about.
On the left side of the management page you will see rules, click on this option to bring up the rules management page.
Here you can search for specific rules or go through each rule. If you find that there are rules that you don’t care about or that are too noisy you can disable them here.
Note** When you delete rules they will come back and be redeployed to the server if you don’t want this to happen, get in the habit of disabling rules. Even when updates are downloaded they will stay in a disabled state and won’t be deployed to the server.
Another side note when tuning rules, find several rules at once that you want to disable and do this process in batches otherwise you will be sending lots of commands to the server which can drive up cpu and memory.
Alerts
So what do we do with the alerts once the system is up and running, it isn't very effienct to triage alerts using the log file that Suricata produces. Sending logs to a Siem is the best way to review and triage alerts but the setup can be complicated enough to warrant its own blog. Stay tuned for an upcoming blog where I talk about setting up a Siem and send the alerts to that system.
