This project involves the implementation of a Network Intrusion Detection System (NIDS) and Host Intrusion Detection System (HIDS) using Wazuh and Suricata. The setup includes active response and file integrity checking to enhance security and detect potential threats efficiently.
- System Vulnerability Checker: Scans and identifies system vulnerabilities.
- File Integrity Check: Monitors and reports changes to files.
- Network Intrusion Detection System (NIDS): Utilizes Suricata and emerging threats rule sets to detect network-based attacks.
- Host Intrusion Detection System (HIDS): Employs the Wazuh agent to monitor host activities and detect suspicious behaviors.
- Active Response: Automatically responds to detected attacks to mitigate potential damage.
- Wazuh: For HIDS and log monitoring.
- Suricata: For NIDS.
- Docker: To containerize and deploy the Wazuh components.
- Emerging Threats: For Suricata rule sets.
- Ubuntu Servers: As the host operating system.
- Ubuntu Server installed on all involved machines.
- Docker installed on the Ubuntu Server.
- Install Docker on your Ubuntu server:

```bash
sudo apt-get update
sudo apt-get upgrade
# required by the Wazuh indexer (OpenSearch)
sudo sysctl -w vm.max_map_count=262144
curl -sSL https://get.docker.com/ | sudo sh
sudo systemctl start docker
sudo curl -L "https://github.com/docker/compose/releases/download/v2.12.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
docker-compose --version
```
- Pull the Wazuh Docker images and run them (single-node or multi-node configuration):

```bash
git clone https://github.com/wazuh/wazuh-docker.git -b v4.7.5
cd wazuh-docker/single-node
docker-compose -f generate-indexer-certs.yml run --rm generator
docker-compose up -d
```
- Configure the ossec.conf file to enable file integrity checks and vulnerability checks, and to log all events in both JSON and plain-text log format.
- Configure the same file to enable active response. You can create your own rule sets and active response sets. For this demo, I am using a brute-force SSH login scenario.
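The manager-side ossec.conf fragment below is an added example, not the project's own configuration, showing the sections those two steps touch in Wazuh 4.7 syntax: real-time file integrity monitoring, the vulnerability detector, JSON plus plain-text logging of every event, and an active response that runs the built-in firewall-drop command when Wazuh's default SSH brute-force rule (5763) fires. The monitored directories, the Ubuntu codename (jammy) and the 180-second block duration are assumed values.

```xml
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>   <!-- alerts.json -->
    <alerts_log>yes</alerts_log>           <!-- alerts.log -->
    <logall>yes</logall>                   <!-- archive every event, not only alerts -->
    <logall_json>yes</logall_json>
  </global>

  <!-- File integrity monitoring; the directory list is an assumed example -->
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc,/usr/bin,/usr/sbin</directories>
    <alert_new_files>yes</alert_new_files>
  </syscheck>

  <!-- Vulnerability detector (4.7 syntax). Agents report their package inventory
       through syscollector, which is enabled by default. -->
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <run_on_start>yes</run_on_start>
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>jammy</os>            <!-- assumed: Ubuntu 22.04 agents -->
      <update_interval>1h</update_interval>
    </provider>
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>

  <!-- Active response: drop the source IP on the alerting agent for 180 s when
       rule 5763 (sshd brute force) matches. firewall-drop is one of the
       <command> entries shipped in the default ossec.conf. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5763</rules_id>
    <timeout>180</timeout>
  </active-response>
</ossec_config>
```

Verify the rule ID against the ruleset shipped with your manager version and restart the manager after the change so the new sections are loaded.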
- Install Suricata:

```bash
git clone https://github.com/nn-df/suricata-installation.git
cd suricata-installation
sudo bash suricata.sh
```
- Configure Suricata to read rules from the Emerging Threats library:

```bash
cd /tmp/ && curl -LO https://rules.emergingthreats.net/open/suricata-6.0.8/emerging.rules.tar.gz
sudo tar -xvzf emerging.rules.tar.gz && sudo mv rules/*.rules /etc/suricata/rules/
sudo chmod 640 /etc/suricata/rules/*.rules
```
- Configure the Suricata settings in suricata.yaml to read the rule sets:

```yaml
HOME_NET: "<UBUNTU_IP>"
EXTERNAL_NET: "any"

default-rule-path: /etc/suricata/rules
rule-files:
  - "*.rules"

# Global stats configuration
stats:
  enabled: yes

# Linux high speed capture support
af-packet:
  - interface: <your-capture-interface>
```
- Install and configure the Wazuh agent to get logs from Suricata:
  - Using the "add agent" feature in the Wazuh dashboard, add the machine to the agent list.
  - Configure the agent by editing the /var/ossec/etc/ossec.conf file to include the Suricata log paths.
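An added example of that agent-side fragment, not the project's own file: the json log format makes the agent forward each line of Suricata's EVE output, and the Suricata rules that ship with the manager turn those events into the alerts (Nmap scan, excessive transmissions) seen on the dashboard. The path assumes Suricata's default eve.json location.

```xml
<ossec_config>
  <!-- Forward Suricata's EVE JSON log line by line to the manager.
       Path assumed: Suricata's default output directory. -->
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>
```

Restart the agent afterwards (`sudo systemctl restart wazuh-agent`) so the new localfile is picked up.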
- Prepare an attack box to test the system's efficiency and response capabilities. This can be done using Kali Linux or any other preferred penetration testing distribution.
- Monitoring: Access the Wazuh dashboard to monitor the system's status, check alerts, and review logs.
- Active Response: Configure active responses in Wazuh to automate defensive actions when an attack is detected.
- File Integrity: Review file integrity reports to detect unauthorized changes.
- File integrity check
- Suricata log on excessive transmissions
- Suricata log on Nmap scan
- System vulnerability checker
- Checking for audits
- Detecting a brute-force SSH attack from the attack box on the Ubuntu server
This project is an Intrusion Detection System (IDS) that captures and analyzes network packets to detect suspicious activities. It uses various techniques to identify anomalies, log them, and report them to a remote server.
- Test Overview
- Installation
- Usage
- Configuration
- File Descriptions
- License
- Work in Progress
- Contact Me
For testing purposes, I used a Canary Token to generate a test URL that produces requests for the IDS to observe.
- Clone the repository:

```bash
git clone https://github.com/Akito7011/IDS-with-docker.git
cd IDS-with-docker
```
- Install the required dependencies:

```bash
pip install -r requirements.txt
```
- Set up environment variables:
  - Create a .env file in the root directory.
  - Add the following environment variable:

```
SERVER_URL=your_server_url_here
```
- Configure the IDS:
  - Edit the config.py file to set your network interface and log file.
- Run the IDS:

```bash
python main.py
```
Configuration is managed through the config.py file and the .env file.

config.py:

```python
import os
from dotenv import load_dotenv
import netifaces

# Load SERVER_URL (and any other settings) from the .env file in the project root.
load_dotenv()
SERVER_URL = os.getenv('SERVER_URL')

# Windows/Npcap-specific: netifaces returns (gateway, interface) for the default
# IPv4 route, where the interface is the adapter GUID; Npcap exposes that adapter
# as \Device\NPF_{GUID}. On Linux, set this to the interface name (e.g. eth0) instead.
INTERFACE = "\\Device\\NPF_" + str(netifaces.gateways()['default'][netifaces.AF_INET][1])

# File in which suspicious activities are logged.
LOG_FILE = 'ids.log'
```

- SERVER_URL: URL of the server to which suspicious activities are reported.
- INTERFACE: Network interface on which packets are captured.
- LOG_FILE: File in which suspicious activities are logged.
- config.py: Configuration file that loads environment variables and sets the network interface and log file.
- main.py: Entry point of the IDS. Initializes and starts packet capture.
- packet_processing.py: Contains the IDS class responsible for packet capture, filtering, and analysis.
- server_communication.py: Handles communication with the remote server. Defines the Packet and ServerCall classes.
- suspiciousActivity.py: Contains functions to check for suspicious activities: unusual ports, unusual traffic, protocol violations, and failed connections.
- utils.py: Utility functions. Currently includes a function to check whether an IP address is private.
This project is licensed under the MIT License. See the LICENSE file for details.
If you have any questions or suggestions, or just want to connect, feel free to reach out to me through the following channels:
I appreciate your interest, and I look forward to connecting with you!