[Archive 1.0] 2. Snort - mata-elang-stable/MataElang-Platform GitHub Wiki

Back to HOME

• Prerequisite
• Configure Promiscuous Mode
• Install Snort
• Start Snort

Prerequisite

• Ubuntu 18.04.6 LTS installed and updated by sudo apt update && sudo apt -y upgrade command.
• Time Zone and NTP already set.
• Docker 20.10.11 or later installed and ready.

Configure Promiscuous Mode

1. Install ifupdown package.

sudo apt -y install ifupdown

• DO NOT use netplan because it does not support promiscuous mode.

2. Configure network settings.

sudo nano /etc/network/interfaces

• Don't forget to change eth1 and eth2 to the actual NIC name. To see the actual NIC name, use ip a command.
• In the above model case, eth1 (0.0.0.0/0) is connected to the network tap and set promiscuous mode, while another eth2 (172.16.2.24/24) is connected to Defense Center.

auto eth1
iface eth1 inet manual
  address 0.0.0.0/0
  up ip link set eth1 promisc on
  down ip link set eth1 promisc off

auto eth2
iface eth2 inet static
  address <IP_address/netmask_of_eht2 (e.g. 172.16.2.24/24)>

3. Restart networking service and confirm the service is active.

sudo systemctl restart networking

systemctl status networking

Install Snort

4. Make clone of Mata-Elang-Stable/sensor-installer from GitHub.

cd ~

git clone https://github.com/Mata-Elang-Stable/sensor-installer

5. Install and setup Snort.

cd sensor-installer

chmod +x setup.sh
chmod +x update-rule.sh

sudo ./setup.sh

• Press Enter for using default settings.

Configuration	Sample	Description
Protected Subnet	172.16.1.0/24	Protected network address.This is same as "$HOME_NET" of Snort.
External Subnet	any (default)	External network address.
MQTT Topic	snoqttv5 (default)	Use Default setting.
Mosquitto (MQTT Broker) IP	172.16.2.30	IPv4 address of MQTT in Defense Center
Mosquitto (MQTT Broker) Port	1883 (default)	Use Default setting.
Device ID	sensor_001	Sensor ID
Network Interface	eth1	NIC connected to the network tap
Company	PT.ABC	Your company or organization
What kind rules do you want to use?	2. Registered	Snort rule you prefer to use. Community or Registered.
Oinkcode	9b58xxxxxb4a8	Download key associated with your snort account

Start Snort

6. Start mataelang-snort and confirm the service is active.

sudo systemctl start mataelang-snort

systemctl status mataelang-snort

Next Step >>