IA612 Intrusion Detection and Prevention

IA612: Intrusion Detection and Prevention
St. Cloud State University
LAB-02: The Zeek (Bro) Network Security Monitor-Installation and Configuration
PART-01: How to Install Zeek (formerly Bro) NIDS on CentOS 8
A. Overview
This guide assumes you’ll be installing Zeek on CentOS 8, given how popular CentOS tends to be in the enterprise. However, the guide should work for any RHEL-based flavors of Linux. For Debian-based systems, there will be some modifications required, including using apt-get vs yum for installing Linux packages. Nothing that a search couldn’t help you figure out.
First, we’ll optimize CentOS to efficiently capture packets and then compile Zeek from source to start monitoring network traffic.
In this section, we'll walk through the following steps:
1. Enable the "network" service to apply network sniffing optimizations, including disabling NIC offloading functions so that Zeek sees full packet data and packet loss is minimized.
2. Set the sniffing interfaces to promiscuous mode so that all packets are captured and analyzed.
3. Install libmaxminddb to enable IP geolocation capability.
4. Build Zeek from source with optimizations.
5. Create a non-root Zeek user to limit the impact in the event that Zeek is compromised.
6. Deploy and run Zeek to start analyzing traffic.
7. Create a cron job to perform Zeek maintenance tasks.
B. Enable “network” service and disable NIC offloading functions
1. Install the network-scripts package.
sudo yum install network-scripts
2. Use ethtool to determine the maximum ring parameters for your sniffing interfaces. The example below assumes an interface named enp2s0.
sudo ethtool -g enp2s0
Ring parameters for enp2s0:
Pre-set maximums:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:             4096
Current hardware settings:
RX:             256
RX Mini:        0
RX Jumbo:       0
TX:             256
3. As root/sudo, edit the /etc/sysconfig/network-scripts/ifcfg- file for each sniffing network interface and change or add the following lines. Respectively, each line will disable control from NetworkManager, disable DHCP, and add appropriate ethtool options. Note that after “rx” you want to enter the maximum ring parameter as determined in the step above.
NM_CONTROLLED=no
BOOTPROTO=none
ONBOOT=yes
IPV6INIT=no
ETHTOOL_OPTS="-G ${DEVICE} rx ; -K ${DEVICE} rx off; -K ${DEVICE} tx off; -K ${DEVICE} sg off; -K ${DEVICE} tso off; -K ${DEVICE} ufo off; -K ${DEVICE} gso off; -K ${DEVICE} gro off; -K ${DEVICE} lro off"
4. Your file should now look something like this.
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=enp2s0
UUID=b22f5d92-3f1e-430b-b660-cb9376d8c0c0
DEVICE=enp2s0
ONBOOT=yes
PEERDNS=yes
PEERROUTES=yes
USERS=root
NM_CONTROLLED=no
ETHTOOL_OPTS="-G ${DEVICE} rx 4096; -K ${DEVICE} rx off; -K ${DEVICE} tx off; -K ${DEVICE} sg off; -K ${DEVICE} tso off; -K ${DEVICE} ufo off; -K ${DEVICE} gso off; -K ${DEVICE} gro off; -K ${DEVICE} lro off"
5. Still as root/sudo, enable the “network” service.
sudo systemctl enable network
6. Finally, restart the “network” service.
sudo systemctl restart network
C. Set sniffing network interfaces to promiscuous mode
1. As root/sudo, create /etc/systemd/system/promisc.service in your favorite text editor.
2. Add the following lines, assuming enp2s0 is your sniffing interface.
[Unit]
Description=Makes an interface run in promiscuous mode at boot
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev enp2s0 promisc on
TimeoutStartSec=0
RemainAfterExit=yes
[Install]
WantedBy=default.target
3. Save the file and run the following commands to make the changes permanent and start on boot.
sudo chmod u+x /etc/systemd/system/promisc.service
sudo systemctl start promisc.service
sudo systemctl enable promisc.service
Created symlink from /etc/systemd/system/default.target.wants/promisc.service to /etc/systemd/system/promisc.service.
4. Reboot your system and verify all the changes made thus far have persisted. Verify that PROMISC is listed in the network interface status.
ip a show enp2s0 | grep -i promisc
3: enp2s0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
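Once the box is back up after step 4, the checks below confirm that the ETHTOOL_OPTS line from section B and the promisc.service unit from section C actually took effect. This is an added example, not part of the lab guide; the function names are mine, and the feature list is my mapping of the -K flags (rx, tx, sg, tso, ufo, gso, gro, lro) onto the names ethtool -k prints.

```shell
#!/bin/sh
# Post-reboot verification of the sniffing-interface tuning from sections B and C.
# Added example, not part of the lab guide. ethtool/ip are not called here so the
# functions can be exercised offline; on the sensor, pass real output, e.g.:
#   check_offloads "$(sudo ethtool -k enp2s0)"
#   check_ring     "$(sudo ethtool -g enp2s0)"
#   check_promisc  "$(ip -o link show enp2s0)"

# ethtool -k feature names corresponding to the "-K ... off" flags in ETHTOOL_OPTS
# (rx tx sg tso ufo gso gro lro, in that order); assumed mapping.
WANT_OFF="rx-checksumming tx-checksumming scatter-gather tcp-segmentation-offload
udp-fragmentation-offload generic-segmentation-offload generic-receive-offload
large-receive-offload"

# check_offloads "<ethtool -k output>": returns 1 if any listed feature is still on.
check_offloads() {
    bad=0
    for f in $WANT_OFF; do
        # top-level lines look like "tcp-segmentation-offload: on"; sub-features are
        # indented under a different name, so matching $1 exactly skips them
        state=$(printf '%s\n' "$1" | awk -v f="$f" '$1 == (f ":") { print $2; exit }')
        case "$state" in
            off) ;;
            "")  echo "note: $f not reported by driver" ;;
            *)   echo "offload still enabled: $f ($state)"; bad=1 ;;
        esac
    done
    return $bad
}

# check_ring "<ethtool -g output>": returns 0 when the current RX ring size equals
# the pre-set maximum, i.e. "-G ${DEVICE} rx <max>" from step B.3 took effect.
check_ring() {
    printf '%s\n' "$1" | awk '$1 == "RX:" { v[++n] = $2 }
                              END { exit !(n >= 2 && v[1] == v[2]) }'
}

# check_promisc "<ip link output>": returns 0 when PROMISC is among the <...> flags.
check_promisc() {
    case "$1" in
        *'<'*PROMISC*'>'*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Constructed sample line (not captured from a real host) so the script does
# something visible when run directly.
SAMPLE_LINK='3: enp2s0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP'
check_promisc "$SAMPLE_LINK" && echo "sample: PROMISC set" || echo "sample: PROMISC missing"
```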
D. Install Zeek Dependencies
1. As root/sudo, edit /etc/yum.repos.d/CentOS-PowerTools.repo and set the “enabled” field to 1, to add the PowerTools repository. Your file should look something like this.