Con nuous Monitoring - Build a

World-Class Monitoring System

for Enterprise, Small Office or
Home
Dec 17, 2016
4 minute read

Overview
On December 15th, 2016 SANS
SANS published
published my
my gold
gold paper
paper which included recommendations for
Intrusion Detection System (IDS) setup and tips for efficient data collection, sensor placement,
identification of critical infrastructure along with network and metric visualization.

Based on feedback requesting step-by-step implementation, this blog post serves as a supplement to
the gold paper to implement continuous monitoring in your home. This post will also include specific
hardware recommendations and direct links for software download.

Ge ng Started

Hardware
First we’ll need to get a few pieces of hardware.

Hardware Description Cost

TAP or TAP or Switch that supports $179

Switch spanning Dualcomm-DCGS-
Dualcomm-DCGS-
1000Base-T
1000Base-T

Server Server
Server will run SELKS
SELKS–
SELKS See $0-2000+
below for minimum
requirements

Dual NIC Server should be equipped $46

Card with two ports. One for
management and another
for sniffing. NICs
available here
here

Management Network
Network switch
switch to separate $10-$400+
Switch your management network.

ISP Provided This is the DSL/Cable Monthly

Router modem provided by your Bill
internet provider

A few caveats:
All products with links are personal preference. I’m sharing the setup of my network, but feel free
to use replacements.
There are many ways to monitor network traffic. Network TAPs are the cleanest way to do it. The
recommended TAP above serves as a gigabit switch and can be powered by a USB. Choose a TAP
that suits you. In many cases, 100Mbps is okay, but may suffer from packet loss if the network
operates at greater speeds.
 It is possible to listen on the same interface that your management port is on (the port with an IP
address), but it is best to have a dedicated interface.
Per SELKS
SELKS Github
Github the minimal configuration for production usage is 2 cores and 4 Gb of memory.
As Suricata and Elastisearch are multithreaded, the more cores you have the better it is. Memory
is used by ElasticSearch for indexing network traffic. High traffic networks will require more
memory. I have 32GB on my sensor, of which 12-19GB is consistently in use. See Running
Running SELKS
SELKS
in
in production
production page for more info.

So ware
Next, we’ll need to download SELKS.

1. Download the SELKS

SELKS ISO. This will be installed on the server.

Our Goal
Gain network visibility into an enterprise, small office, or home network.

Here is an example of a network topology. The topology below may be more relevant toward a small
office, but we’ll use segments to emulate a home network. Many home networks may not have a switch
or firewall connected (not a bad idea to get one though!)

Setup
1. Create a bootable USB Thumbdrive with the SELKS ISO. If needed, assistance available herehere
2. Insert thumbdrive into server and boot. May need to set server to boot from USB in BIOS.
If all goes well, you should see SELKS boot menu. Pressing enter will lead you to the
graphical interface.
 Users booting from a thumbdrive may need to follow these additional steps.

1. At language prompt, Press ALT-f2

2. Type mkdir /cdrom
3. Type mount /dev/sdb1 /cdrom
Your parition name may not be sdb1. Use fdisk -l to list available partitions

4. Press Alt-F1 to return to the installation process and continue.

Default username and password is selks-user/selks-user and root is StamusNetworks

More information available at SciriusUsage

SciriusUsage

3. Login to server and assign a static IP address to eth1. For example, if your network uses the
192.168.1.0/24 range you can assign 192.168.1.250 to interface eth1 on your server.
4. Install your network TAP inline with your ISP provided router.
If using the recommended TAP you can use the following configuration:

Connected-
Port To Description

1 ISP Router Passes all home traffic through

to router

2 Switch or Plugin your switch or wireless

Wireless router. If you have multiple
Router wireless access points, plug
them into a switch, and plug
the switch into port 2.

5 Server Plug into the “sniffing port” on

your server. Eth0 is to set sniff
by default
Your server should now be collecting network traffic!

5. Login to your server via a web browser. https://server.assigned.ip.address

Tuning
Lastly, you’ll want to follow the tuning considerations on the SELKS
SELKS wiki
wiki page
page.
page

Recommendations on the page include:

1. Initial Setup
2. Tuning and Maintenance
 3. Data and Logs
4. Troubleshooting and Getting Help

If you don’t tune Elasticsearch or Suricata, the stack will eventually fail. Your server MUST be
configured or the availability will not be reliable.

Hope you found this guide helpful and if you have any questions, please post them in the comments
section below.

Special Thanks to Jason S. for providing the step-by-step USB mount steps