Step-by-Step Guide to Installing IDSTower on a Raspberry Pi 5

The Ultimate Home and Small Business Security Solution


Boost your security on a budget! Secure your home or small business with an affordable, efficient, and easy-to-deploy intrusion detection system using IDSTower on a Raspberry Pi. In an increasingly connected world, security is paramount, whether for your home network or a small business. Cyber threats evolve daily, so proactive measures are essential to safeguard sensitive data and maintain network integrity. Fortunately, setting up an intrusion detection system (IDS) no longer requires expensive hardware or advanced technical expertise. With the release of the Raspberry Pi 5, you can run powerful security tools like IDSTower, a robust IDS solution, on a cost-effective, energy-efficient platform. This post walks you through installing IDSTower on a Raspberry Pi 5 step by step and explains why this setup is ideal for home users and small businesses.


What are Suricata and IDSTower?

Suricata is a high-performance, open-source network analysis and threat detection software used by most private and public organizations and embedded by major vendors to protect their assets.

IDSTower is a tool that simplifies the provisioning, configuration, and rules management for Suricata. IDSTower adds user-friendly management interfaces, making it accessible for those who may not have extensive experience in cybersecurity. IDSTower includes a free license for a single host, which works great for this project.

Hardware

Suricata is a high-performance network security tool designed for real-time intrusion detection (IDS), intrusion prevention (IPS), network security monitoring (NSM), and deep packet inspection (DPI). It analyzes network traffic in real time to detect potentially malicious activity.

Analyzing packets in real time needs CPU, but also a lot of memory. With 8GB RAM and a 2.4GHz 64-bit quad-core Arm Cortex-A76 processor, the Raspberry Pi 5 single-board computer is up to the task!


Installing IDSTower on a Raspberry Pi

Make sure that you use the latest, up-to-date operating system. At the time of writing, I used the 64-bit Raspberry Pi OS Lite (less is more!) based on Debian version 12 (bookworm).

Before you start, you'll also need to get a free IDSTower license.

You'll also need to open port 443 so that you can access the web UI after the installation is complete:

sudo apt install iptables-persistent   # keeps the firewall rule across reboots
sudo iptables -I INPUT 1 -m state --state NEW -p tcp --dport 443 -j ACCEPT   # allow new HTTPS connections to the web UI
sudo netfilter-persistent save   # persist the current rule set

You'll also need to make sure that your network interface supports promiscuous mode, so that you can watch the traffic on your network:

iw phy phy0 info                    # capabilities of the wireless PHY (supported interface modes)
netstat -i                          # list interfaces and their flags (P = promiscuous)
sudo ip link set eth0 promisc on    # enable promiscuous mode on the wired interface
sudo ifconfig eth0 -promisc         # ifconfig equivalent; "-promisc" turns it off again

Installing IDSTower on a Raspberry Pi is very straightforward; I simply followed the instructions from Installation on Debian 12.1 (Bookworm).

Pay attention, and make sure there are no errors during the installation. At the end, the script will output the URL of the IDSTower Web UI, as well as the username and password generated for your configuration.

Configuring IDSTower on a Raspberry Pi

Keep following the installation instructions by creating your first cluster and configuring rules and indicators. I used the following settings:

  • IDS Software to Install: Suricata - Latest version (7) - official repository - (Internet Required)
  • Logs Shipper Software to Install: Filebeat - Latest version (8) - official repository - (Internet Required)

I chose the "IDS + NSM" Suricata settings because I want to observe the traffic on my local network, not just monitor this particular host. NSM stands for Network Security Monitoring.

Troubleshooting IDSTower/Suricata no rules loaded

My first surprise was to discover that my cluster was not loading any rules. Everything seemed healthy and all services were running, but no rules were loaded.

A bit of "googling" helped me find my first clue:

suricatasc -v
Unable to connect to socket /var/run/suricata-command.socket: L178: [Errno 2] No such file or directory

tail -f /var/log/idstower/heartbeat.log
==> /var/log/idstower/heartbeat.log <==
[2024-09-20T11:21:01-0700] [Info] ==================== IDSTower Heartbeat Script ====================
[2024-09-20T11:21:01-0700] [Info] Starting script...
[2024-09-20T11:21:04-0700] [Info] Getting suricata metrics...
[2024-09-20T11:21:04-0700] [Warning] socket file not found: /var/run/suricata-command.socket
[2024-09-20T11:21:04-0700] [Warning] No active Suricata socket file found, Suricata service might be stopped.
[2024-09-20T11:21:04-0700] [Warning] socket file not found: /var/run/suricata-command.socket
[2024-09-20T11:21:04-0700] [Warning] Can not obtain suricata metrics, active socket file not found:
[2024-09-20T11:21:04-0700] [Info] Sending heartbeat to IDSTower...
[2024-09-20T11:21:04-0700] [Info] Heartbeat sent successfully to IDSTower, API Response: {"success":true,"statusCode":0,"data":true}
[2024-09-20T11:21:04-0700] [Info] IDSTower Heartbeat finished.
[2024-09-20T11:22:01-0700] [Info] ==================== IDSTower Heartbeat Script ====================
[2024-09-20T11:22:01-0700] [Info] Starting script...
[2024-09-20T11:22:04-0700] [Info] Getting suricata metrics...

suricata -c /etc/suricata/suricata.yaml --dump-config | grep -e dir -e unix-   # show the configured directories and unix-command socket settings

I guess the Debian Bookworm service is not configuring the suricata-command.socket in the location that the configuration file expects; it is in /var/run/suricata-command.socket instead of /var/suricata-command.socket. Also, because Suricata runs as root while IDSTower runs as the idstower user, there are some permission issues.

To resolve this, run the following command:

sudo chgrp idstower /var/run/suricata-command.socket

In the IDSTower Web UI, edit the suricata.yaml file (your cluster, Configs, Advanced) and uncomment the "filename" line and replace it with the following:

unix-command:
  enabled: auto
  filename: /var/run/suricata-command.socket

Restart your cluster, and the rules should now be loading.
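As an added example (not part of the original post and not IDSTower or Suricata code), the following Python check reads the filename under unix-command: from suricata.yaml and reports whether that socket exists, is really a socket, and whether the idstower group can read and write it, which is exactly the combination of path and permission problems described above. It assumes a Linux host; the sample YAML and the socket it binds are constructed test data.

```python
import grp
import os
import socket
import stat
import tempfile
# Constructed sample of the suricata.yaml block as edited in the post ({socket} is a test path).
SAMPLE_YAML = """\
unix-command:
  enabled: auto
  #filename: custom.socket
  filename: {socket}
"""
def configured_socket_path(yaml_text):  # 'filename' under 'unix-command:', or None
    in_block = False
    for line in yaml_text.splitlines():
        stripped = line.strip()
        if not in_block:
            in_block = stripped.startswith("unix-command:")
            continue
        if line and not line[0].isspace():  # next top-level key ends the block
            break
        if stripped.startswith("filename:"):  # a commented "#filename:" line does not match
            return stripped.split(":", 1)[1].strip()
    return None

def check_socket(yaml_text, expected_group):
    # Does the configured socket exist, is it really a socket, can expected_group read/write it?
    path = configured_socket_path(yaml_text)
    report = {"configured": path, "exists": False, "is_socket": False, "group": None, "group_ok": False}
    if path is None or not os.path.exists(path):
        return report
    st = os.stat(path)
    report["exists"], report["is_socket"] = True, stat.S_ISSOCK(st.st_mode)
    try:
        report["group"] = grp.getgrgid(st.st_gid).gr_name
    except KeyError:  # gid without an /etc/group entry
        report["group"] = str(st.st_gid)
    group_rw = bool(st.st_mode & stat.S_IRGRP) and bool(st.st_mode & stat.S_IWGRP)
    report["group_ok"] = report["group"] == expected_group and group_rw
    return report

def demo_report(expected_group="idstower"):
    # Bind a real Unix socket in a temp dir (constructed input) and check it.
    with tempfile.TemporaryDirectory() as tmp:
        sock_path = os.path.join(tmp, "suricata-command.socket")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path)
        report = check_socket(SAMPLE_YAML.format(socket=sock_path), expected_group)
        srv.close()
        return report
```

On the Pi, pass the real /etc/suricata/suricata.yaml contents to check_socket(); group_ok stays False until the chgrp above has been applied and the socket's group bits allow read and write.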

Elasticsearch Integration

I also chose the "Send Events to Elasticsearch (Version 2.0.0)" option, hoping to be able to visualize my findings. However, I wasn't able to get Elasticsearch running on the Raspi; maybe it demands too many resources. I opted instead for a free cloud-based option from Bonsai.io. However, at the time of writing, their Elasticsearch version (7.10.2) isn't compatible with the IDSTower version of Filebeat (version 8)...

Conclusion

Installing IDSTower on a Raspberry Pi 5 provides a powerful, affordable, and energy-efficient way to secure your home network or small business from cyber threats. The combination of Raspberry Pi 5’s improved hardware and IDSTower’s robust intrusion detection capabilities makes this an ideal solution for anyone seeking an easy-to-manage, always-on security system.

Here is a breakdown of how Suricata works and its key components:

1. Traffic Capture and Analysis

At the core, Suricata works by capturing network traffic and analyzing the data in real time. It inspects packets at multiple layers, including:

  • Link Layer (Ethernet headers, etc.)
  • Network Layer (IP headers)
  • Transport Layer (TCP, UDP, etc.)
  • Application Layer (HTTP, FTP, SMTP, etc.)

Suricata uses network interface cards (NICs) in promiscuous mode to capture all traffic that flows through the network, not just the traffic directed at the device it is installed on.

2. Deep Packet Inspection (DPI)

Suricata doesn’t stop at just analyzing packet headers. It performs deep packet inspection (DPI), which allows it to examine the payload (content) of network packets, enabling the detection of application-level attacks like malware, phishing attempts, or file-based exploits.

  • Suricata parses many different protocols such as HTTP, DNS, SMB, FTP, TLS, etc.
  • It can decode and inspect network traffic for both known attack signatures and anomalous behaviors.
  • DPI is crucial for detecting malware hidden within file downloads or other forms of content.

3. Multi-Threading and High Performance

Suricata is designed to efficiently handle large amounts of traffic thanks to multi-threading. It can use multiple processor cores simultaneously to process and inspect network data, making it well-suited for high-speed and enterprise networks.

Suricata is capable of operating at speeds up to Gigabit and Terabit levels with the right hardware and configuration.

4. Signature-Based Detection

One of the primary detection methods Suricata uses is signature-based detection, where it compares captured network traffic against a database of predefined attack patterns, called "signatures" or "rules."

  • These signatures are often written in Snort-compatible rule syntax, which means it can use the vast library of signatures developed for the Snort IDS.
  • Rules can detect things like:
    • Known malware signatures
    • Port scanning attempts
    • Buffer overflow exploits
    • SQL injection attacks

A rule might look like this:

alert tcp any any -> 192.168.1.100 80 (msg:"Potential Web Attack"; content:"GET"; http_method; sid:1000001;)

This rule checks for HTTP GET requests sent to a web server at IP 192.168.1.100 on port 80.
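As an added example (not from the post or from Suricata itself), the following Python code parses that rule into its header fields and options and evaluates it against three constructed HTTP records whose fields are named after Suricata's EVE output; it also accepts CIDR blocks in the address fields, which goes beyond the single IP in the rule above. Only "->" rules, exact ports and the content, http_method, msg and sid keywords are handled.

```python
import ipaddress
import re
# The rule from the post; the traffic records below are constructed, not from a real capture.
RULE = ('alert tcp any any -> 192.168.1.100 80 '
        '(msg:"Potential Web Attack"; content:"GET"; http_method; sid:1000001;)')
SAMPLE_TXNS = [  # fields named like Suricata's EVE http records
    {"proto": "tcp", "src_ip": "192.168.1.50", "src_port": 51234, "dest_ip": "192.168.1.100",
     "dest_port": 80, "http_method": "GET", "payload": "GET / HTTP/1.1"},
    {"proto": "tcp", "src_ip": "192.168.1.50", "src_port": 51235, "dest_ip": "192.168.1.100",
     "dest_port": 80, "http_method": "POST", "payload": "POST /login HTTP/1.1"},
    {"proto": "tcp", "src_ip": "192.168.1.50", "src_port": 51236, "dest_ip": "192.168.1.101",
     "dest_port": 80, "http_method": "GET", "payload": "GET / HTTP/1.1"},
]

def parse_rule(text):
    """Split the header into its seven fields and the options into keyword/value pairs."""
    header, _, body = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport, "direction": direction,
            "dst": dst, "dport": dport, "msg": None, "sid": None, "contents": []}
    # split options on ';' but not inside quotes
    for opt in re.findall(r'(?:[^;"]|"[^"]*")+', body.rstrip(")")):
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if key == "content":            # matches the packet payload unless a modifier follows
            rule["contents"].append({"value": val, "buffer": "payload"})
        elif key == "http_method":      # modifier: bind the previous content to the method buffer
            rule["contents"][-1]["buffer"] = "http_method"
        elif key == "sid":
            rule["sid"] = int(val)
        elif key == "msg":
            rule["msg"] = val
    return rule
def _addr_ok(spec, ip):  # "any", a single IP, or a CIDR block (generalises the post's rule)
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def matches(rule, txn):
    """Apply the rule header (assumes '->' direction) and every content check to one record."""
    ok_src = _addr_ok(rule["src"], txn["src_ip"]) and _port_ok(rule["sport"], txn["src_port"])
    ok_dst = _addr_ok(rule["dst"], txn["dest_ip"]) and _port_ok(rule["dport"], txn["dest_port"])
    if rule["proto"] != txn["proto"] or not (ok_src and ok_dst):
        return False
    return all(c["value"] in txn.get(c["buffer"], "") for c in rule["contents"])

def alerts_for(rule_text, txns):
    rule = parse_rule(rule_text)
    return [(rule["sid"], t["src_ip"], t["http_method"]) for t in txns if matches(rule, t)]
```

Of the three constructed records only the first fires: the second fails the http_method check and the third is addressed to a different server.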

5. Anomaly-Based Detection

In addition to signature-based detection, Suricata also supports anomaly-based detection. This technique involves creating a baseline of "normal" network behavior and then flagging deviations from that baseline as potential threats.

  • For example, if a device suddenly begins generating a large number of requests at odd hours or communicates with unusual IP addresses, it may trigger an alert.
  • This can help detect zero-day attacks or new threats that do not have predefined signatures.

6. Protocol Identification and Analysis

Suricata includes a powerful protocol recognition engine. Even if network traffic is using non-standard ports, Suricata can detect the protocol by inspecting the data. This feature, called Protocol Identification (IPP), allows Suricata to:

  • Recognize application protocols even when they are not running on their standard ports (e.g., HTTP traffic running on a non-standard port).
  • Analyze traffic at the application layer, identifying protocols such as HTTP, TLS, SSH, DNS, FTP, and many others.

7. Flow and Session Tracking

Suricata can track network "flows" (streams of related packets between two devices) instead of just analyzing individual packets. This helps it understand the state of a connection (e.g., a TCP connection) and detect complex attack patterns that occur across multiple packets, such as:

  • TCP reassembly: Rebuilding fragmented TCP packets to fully inspect the payload.
  • File extraction: It can extract files transmitted via HTTP, FTP, or SMB for further analysis or file integrity checks.
  • TLS/SSL inspection: Suricata can inspect encrypted traffic and detect SSL/TLS protocol anomalies.

8. Logging and Alerts

Suricata generates detailed logs and alerts based on the rules and detections it encounters. It can log various types of network data, including:

  • Alerts: Immediate notification of rule-based detections (e.g., an exploit attempt).
  • Logs: Traffic logs, connection logs, protocol-specific logs (e.g., DNS, HTTP transactions).
  • PCAP files: Suricata can store raw packet data in PCAP format for later analysis.

Logs can be exported to external systems, including:

  • SIEM (Security Information and Event Management) systems for correlation and advanced analytics.
  • ELK stack (Elasticsearch, Logstash, Kibana) for powerful visualization of network data and security alerts.

9. Intrusion Prevention System (IPS) Mode

When configured in IPS mode, Suricata can actively block malicious traffic in addition to detecting it. Unlike passive IDS mode, where the system only alerts on potential attacks, in IPS mode, Suricata can:

  • Drop or reject suspicious packets or entire connections.
  • Use inline mode, where it sits between your network and the outside world, blocking threats before they can reach internal devices.

10. Scalability and Flexibility

Suricata is highly configurable and can be deployed in various network environments, from small home setups to large enterprise infrastructures. Its flexibility includes:

  • Distributed deployments: Suricata can be deployed across multiple nodes to monitor different parts of the network and send the results to a centralized server.
  • Integration: Suricata integrates with other tools such as threat intelligence platforms, antivirus systems, and endpoint detection systems.

Summary

In essence, Suricata works by capturing and inspecting network traffic at multiple layers (link, network, transport, and application), using both signature-based and anomaly-based detection techniques to identify threats. Its multi-threading capabilities allow it to handle large amounts of traffic efficiently, and it provides various logging, alerting, and prevention mechanisms. Whether deployed as an IDS or IPS, Suricata is a powerful tool for monitoring, detecting, and preventing network-based attacks in real time.
