Suricata/Snorby multi-machine setup

Boredom and too many “junk” computers scattered around my home finally congealed into a small-scale IDS system.  I’ve been toying with the idea of setting up Suricata to see how it compares to Snort, but I wanted to prototype a scalable multi-node system.  I’ve done this in the past, but it was several years ago and that setup ran Snort/Barnyard/ACID.  So this isn’t a new idea, but I’m thinking about scaling out further with SSH tunnels between multiple “scanners” and the “mothership.”  Long-term, the nodes would be all-in-one, low-footprint, plug-and-play units.

Here’s my initial prototype - a poor-man’s version built from my existing home server running Xubuntu 14.04, a re-flashed router, and an old Intel Celeron desktop running Ubuntu 14.04 with a few extra old 10/100 NICs jammed in for good measure.

Instead of running a SPAN port off the router, I’m using a hard-wired tap built from AltSec.info’s instructions.  I built and installed one at my employer’s office to remove an old Ethernet hub from the equation; the hub was causing performance issues by forcing the firewall down to 10 Mb half duplex.  I’ll post some pictures of the build soon.

My biggest problem during the build has been finding canned how-tos for building this setup on Ubuntu 14.04.  I’ve managed to adapt Ubuntu 12 versions but have run into some snags.  Once I get the whole process worked out, I’ll try to write a complete guide on setting it up.  I’m also thinking about building a turn-key image similar to Insta-snorby…someday.

Once the snow starts to fly, I’ll hopefully have a few more minutes to work on these projects.