I have never gotten a full intrusion detection system (IDS) working correctly on a Raspberry Pi. The two most popular – Snort and Bro IDS – either have problems with their dependencies or the ARM architecture.
I recently came across PSAD – the Port Scan Attack Detector. It is essentially a collection of daemons that analyze iptables logs to identify patterns of malicious traffic. When used in conjunction with fwsnort, PSAD can also correlate blocked traffic with many of the "Emerging Threats" Snort rules.
PSAD was extremely easy to set up on a Raspberry Pi that's deployed as a catch-all DMZ host on my home network. Before diving into the details, you can see live data being collected by that host here: https://psad.disloops.com
Setting up PSAD and UFW
This setup relies on the base configuration for a Raspberry Pi that's described here: https://disloops.com/raspberry-pi-3-basics/
To begin, first install PSAD:
sudo apt-get install psad
In the tutorial above, UFW was set up as a wrapper over iptables. However, UFW logs do not have the level of detail that PSAD requires. Without modifying the logging capabilities, some messages may be discarded before PSAD can analyze them.
First back up the UFW configuration files:
cd /etc/ufw
sudo cp before.rules before.rules.old
sudo cp before6.rules before6.rules.old
Now edit the files above to add the following block just before the lines containing the final
# Custom PSAD logging directives
-A INPUT -j LOG --log-tcp-options
-A FORWARD -j LOG --log-tcp-options
These lines will ensure that iptables events are logged properly. The --log-tcp-options argument adds additional data to the log files that can be used to detect certain attacks. The EXPECT_TCP_OPTIONS parameter in the PSAD configuration below corresponds to this setting.
Now PSAD can be configured:
cd /etc/psad
sudo cp psad.conf psad.conf.old
sudo vi psad.conf
Here are some of the parameters that should be modified:
HOSTNAME your_host_here;
HOME_NET 192.168.0.0/16;
ALERTING_METHODS noemail;
The first two are self-explanatory. The ALERTING_METHODS setting accepts three values: ALL. Here it's being set to suppress email alerts.
This just tells PSAD where to acquire iptables log data. The UFW configuration above was modified so that this data would be captured correctly.
Because some scanning tools don't set options in the TCP headers, this setting (EXPECT_TCP_OPTIONS) allows PSAD to better identify those attacks. PSAD also uses this information to passively fingerprint remote operating systems. It depends on the --log-tcp-options argument provided in the UFW configuration files above.
This tells PSAD to re-import old scan data after a restart instead of moving it to the archive directory, which allows the statistics to remain persistent across reboots.
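To make concrete what PSAD is doing with the log lines produced by the --log-tcp-options rules above, and why EXPECT_TCP_OPTIONS matters, here is a small Python detector written as an added illustration for this post; it is not PSAD's code. It parses constructed iptables LOG lines, decodes the OPT hex into TCP option kinds, and flags a source that sends SYNs to many distinct ports while counting how many of those SYNs carried no TCP options at all (a simplified stand-in for PSAD's own heuristics; the addresses, threshold and log lines are made up).

```python
import re
from collections import defaultdict

# Constructed sample lines in the format produced by the "-A INPUT -j LOG --log-tcp-options"
# rules above (no --log-prefix was set, so the fields follow "kernel:" directly). 203.0.113.5
# sends bare SYNs with no TCP options to five ports; 198.51.100.7 is an ordinary client.
SAMPLE_LOG = """\
Jan 10 12:00:01 pi kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=44321 DPT=21 SYN URGP=0
Jan 10 12:00:01 pi kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=44321 DPT=22 SYN URGP=0
Jan 10 12:00:01 pi kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=44321 DPT=23 SYN URGP=0
Jan 10 12:00:02 pi kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=44321 DPT=80 SYN URGP=0
Jan 10 12:00:02 pi kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=44321 DPT=443 SYN URGP=0
Jan 10 12:00:05 pi kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=51000 DPT=443 SYN URGP=0 OPT (020405B40402080A0000000000000000)
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")          # key=value tokens (OUT= may be empty)
OPT_RE = re.compile(r"OPT \(([0-9A-Fa-f]*)\)")  # hex TCP options added by --log-tcp-options

def parse_line(line):
    """Return the key=value fields of one LOG line plus the SYN flag and raw option hex."""
    rec = dict(FIELD_RE.findall(line))
    rec["SYN"] = " SYN " in line
    m = OPT_RE.search(line)
    rec["OPT"] = m.group(1) if m else ""
    return rec

def tcp_option_kinds(opt_hex):
    """Decode the OPT hex into TCP option kinds (kind/length encoding); stops at end-of-list."""
    data, i, kinds = bytes.fromhex(opt_hex), 0, []
    while i < len(data) and data[i] != 0:   # kind 0 = end of option list
        kinds.append(data[i])
        if data[i] == 1:                    # NOP: single byte, no length field
            i += 1
        elif i + 1 < len(data) and data[i + 1] >= 2:
            i += data[i + 1]                # other options: kind, length, payload
        else:
            break                           # truncated or malformed option
    return kinds

def detect_scans(log_text, min_ports=5):
    """Flag sources whose SYNs hit at least min_ports distinct ports; count optionless SYNs."""
    ports, optionless = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("PROTO") != "TCP" or not rec["SYN"]:
            continue
        ports[rec["SRC"]].add(int(rec["DPT"]))
        if not rec["OPT"]:                  # scanners often send SYNs with no TCP options
            optionless[rec["SRC"]] += 1
    return {src: {"ports": sorted(p), "optionless_syns": optionless[src]}
            for src, p in ports.items() if len(p) >= min_ports}
```

Running detect_scans(SAMPLE_LOG) reports only 203.0.113.5, and tcp_option_kinds on the client's OPT field yields the MSS (2), SACK-permitted (4) and timestamp (8) kinds that a real TCP stack sets.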
Lastly, have PSAD download the latest set of modified Snort signatures and reboot:
sudo psad --sig-update
sudo reboot
Setting up fwsnort
The fwsnort tool parses Snort rules and builds an equivalent iptables ruleset for as many rules as possible. Currently, fwsnort downloads and processes the "Emerging Threats" Snort ruleset.
First download and unzip fwsnort:
cd; mkdir Downloads; cd Downloads
wget https://github.com/mrash/fwsnort/archive/master.zip
sudo unzip master.zip -d /usr/local/src
cd /usr/local/src/fwsnort-master
Then run the installation script:
sudo su
./install.pl
exit
Once installed, modify the HOME_NET parameter in /etc/fwsnort/fwsnort.conf so that it matches what was set up in psad.conf above.
Now the Snort rules need to be updated, parsed, and added to iptables:
sudo fwsnort --update-rules
sudo fwsnort --no-ipt-OUTPUT
sudo /var/lib/fwsnort/fwsnort.sh
The --no-ipt-OUTPUT option discards packets that are emitted by the host. This was suggested by @cdeck3r in a honeypot project for the Raspberry Pi Zero W that uses PSADify. The project can be found here. Thanks Christian!
These iptables rules won't persist across a reboot. To save them, simply add the above script to rc.local so that it's run each time the system starts:
sudo vi /etc/rc.local
Just add the following commands above the line containing the
sudo fwsnort --update-rules
sudo fwsnort --no-ipt-OUTPUT
/var/lib/fwsnort/fwsnort.sh
sudo psad -H
Note: Every other method of making iptables rules persistent did not work, including netfilter-persistent. You can ensure that the Snort rules have been added to iptables by running:
sudo fwsnort --ipt-list
The psad -H command just tells PSAD to grab the new rules. I also added a nightly cronjob to pull down the latest rules and load them into PSAD. Run sudo crontab -e and add the following lines:
PATH=/bin:/usr/bin:/usr/local/bin:/usr/sbin
0 0 * * * fwsnort --update-rules && fwsnort && /var/lib/fwsnort/fwsnort.sh
10 0 * * * psad -H
The /var/log/psad directory contains some output files that provide data and statistics on incoming traffic. Running the following command will produce a file called status.out that compiles the more interesting details into a presentable format:
sudo psad --Status
There are some visualization tools available for PSAD but nothing that met my needs. Instead, I created a script that generates an HTML page from the data contained in the PSAD output files. You can download it here: PSADify on Github
Take a look at the output data and let me know if you have any observations!
This article was helpful in getting PSAD to work with UFW: