InfoSec Ninjas 資安忍者

Almond Croissants 杏仁牛角面包



Intrusion Detection and Prevention System



Networks and computers that are open to the public face hacker attacks from all over the world every day. Once compromised, we become one more cyber crime victim. Our tasty Almond Croissants is a high-performance, ultra-low-latency Intrusion Detection and Prevention System (IDPS). Unlike the well-known brands aimed at large business enterprises, Almond Croissants is available free of charge, so everyone can afford it. It is ideal for home, Small Office Home Office (SOHO) and Small Medium Business (SMB) use.

Not a Network Security Monitoring (NSM) or Information Security (InfoSec) expert? No problem! Our Almond Croissants is the "Plug, Play and Forget" system we have been dreaming of. Don't be the next cyber crime victim, try Almond Croissants now!


FEATURES

- Block port and vulnerability scanning
- Block known exploitation of vulnerable systems
- Block known malicious IP addresses from accessing your systems
- Block known sources of Secure Shell (SSH) brute forcing
- Block The Onion Router (TOR) from accessing your systems
- Prevent access to known malicious sites identified by their Secure Sockets Layer (SSL) certificates
- Prevent infection by known viruses and malware
- Easy and straightforward analysis with charts on the web interfaces
- Compatible with BitTorrent and 4K video streaming
- Ultra-low latency for online gaming
- Compatible with Windows, Linux, macOS, Apple iOS and Android
- Ultra-low latency throughput that drives your network to its limit
- No subscription fee
- More protection for web servers @
- More protection from known malware @
- Block known phishing sites @
- Automatic update and upgrade @
- Plug, Play and Forget!

@ only available in Almond Croissants





LICENSE

Almond Croissants is an Open Source project released under the GPLv3 License and developed by Samiux.

A Quick Guide to GPLv3
GNU General Public License Version 3.0

Please keep in mind that Almond Croissants is available FREE OF CHARGE.

** A little history about Croissants and Almond Croissants: Croissants has been developed since 2012 and was heavily modified in 2016. The project has been named Almond Croissants since then.

FUNDING

If you like our project, please show your support by sending funds via PayPal to (infosecninjas AT gmail DOT com) in USD or HKD. You need a PayPal account to do so.


RECOMMENDED REQUIREMENTS

Hardware

- Intel i5-6500T (Quad Core) CPU
- 32GB DDR4 RAM
- 320GB Hard Drive or SSD
- 3 Intel Network Interface Cards/Ports

* The higher the CPU performance, the higher the performance of Almond Croissants
* Almond Croissants should be installed on a dedicated Ubuntu Server box placed between the modem (if any) and the router (if any).
* Intel network interfaces perform better than Realtek ones

* Memory calculator -- about 4 GB RAM per CPU thread for Almond Croissants.

Examples for home usage: an Intel Atom C2750 CPU with 32GB RAM can handle up to a 500Mbps internet connection, while an Intel i5-6500T CPU with 32GB RAM can handle a 1000Mbps or faster connection.

The following new motherboards with Xeon E3-1500 v5 Series processors are ideal for Home, SOHO and Small Medium Business users:

ASRock Rack C236 WSI4-65L

ASRock Rack C236 WSI4-85L

Software

- Ubuntu Server 16.04 LTS (64-bit)


MAIN COMPONENTS

- Suricata 3.2.1
- Hyperscan 4.4.1
- Elasticsearch 5.3.2
- Logstash 5.3.2
- Kibana 5.3.2


DOCUMENTATION

1.0 Installation Guide

1.1 Download and Install

SHA-256 checksum (sha256sum output) of the archive:

c9a96a94f6f6fe4dc86f214b604efc33ee82a7f2dd8e384e629e36c84101f6ee  almond_croissants-1.1.6.5.tar.gz


wget https://www.infosec-ninjas.com/files/almond-croissants-1.1.6.0/almond_croissants-1.1.6.5.tar.gz
tar -xvzf almond_croissants-1.1.6.5.tar.gz
mv almond_croissants croissants
cd croissants
chmod +x nsm_*
chmod +x update_*
cp * ~/
cd ~/
nano nsm.conf
sudo ./nsm_install


*** Make sure you edit nsm.conf before running nsm_install ***
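An added example, not part of the Almond Croissants tarball or its install scripts: a POSIX shell helper that checks the downloaded archive against the SHA-256 published above before anything is extracted or run. The URL, file name and digest are the ones on this page; it falls back to shasum on systems without sha256sum.

```shell
#!/bin/sh
# Added example (not Almond Croissants code): verify the downloaded archive
# against the published SHA-256 before extracting it. Assumes GNU coreutils
# sha256sum, with a fallback to "shasum -a 256" on BSD/macOS.

EXPECTED_SHA256='c9a96a94f6f6fe4dc86f214b604efc33ee82a7f2dd8e384e629e36c84101f6ee'
TARBALL='almond_croissants-1.1.6.5.tar.gz'
URL="https://www.infosec-ninjas.com/files/almond-croissants-1.1.6.0/$TARBALL"

# Print the SHA-256 of a file as lowercase hex and nothing else.
sha256_of() {
    [ -r "$1" ] || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED -> 0 if the digest matches, 1 otherwise.
# The comparison is case-insensitive so a digest pasted in uppercase still works.
verify_sha256() {
    actual=$(sha256_of "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Download, verify, and only then unpack: on a mismatch nothing from the
# archive touches the system and the bad file is removed. Runs only when called.
fetch_and_verify() {
    wget -q "$URL" -O "$TARBALL" || { echo "download failed" >&2; return 1; }
    if verify_sha256 "$TARBALL" "$EXPECTED_SHA256"; then
        echo "checksum OK, extracting $TARBALL"
        tar -xzf "$TARBALL"
    else
        echo "checksum MISMATCH for $TARBALL, not extracting" >&2
        rm -f "$TARBALL"
        return 1
    fi
}
```

Call fetch_and_verify in place of the wget and tar lines above, then continue with the mv, chmod and cp steps.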

1.2 ChangeLog

Almond Croissants ChangeLog


2.0 User Guide

WARNING : Make sure ports 5601, 19999 and 5636 are not open to the public.

2.1 Kibana

To monitor and analyse the network traffic.

http://[monitoring_ip]:5601

e.g. http://192.168.20.180:5601

Meanwhile, you also need to download the preset dashboard and import it into Kibana. You can download it here. Kibana is a big data analysis tool. The indices can be deleted and re-created for new analysis and monitoring.

The first-time setup of Kibana is shown in this video :



2.2 Netdata

To monitor the performance of Almond Croissants.

http://[monitoring_ip]:19999

e.g. http://192.168.20.180:19999

2.3 EveBox

To analyse the packet captures.

http://[monitoring_ip]:5636

e.g. http://192.168.20.180:5636

2.4 Rules Management

If you want to disable some rules because they produce false positives, edit pulledpork's "disablesid.conf".

sudo nano /etc/pulledpork/disablesid.conf

If you want to drop some traffic, edit pulledpork's "dropsid.conf".

sudo nano /etc/pulledpork/dropsid.conf

If you want to modify the handling of some traffic, edit pulledpork's "modifysid.conf".

sudo nano /etc/pulledpork/modifysid.conf

After updating the pulledpork configuration, run the following command to make the changes effective.

sudo nsm_rules_update
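An added example, not part of Almond Croissants or pulledpork: a POSIX shell sanity check to run on the two sid files above before "sudo nsm_rules_update". It assumes the entries of interest use pulledpork's "gid:sid" form (for example 1:2010937) and ignores comments, blank lines and other entry forms; the default paths are the ones given above.

```shell
#!/bin/sh
# Added example (not Almond Croissants or pulledpork code): catch a SID that
# is both disabled and set to drop before the rules are regenerated.
# Assumption: entries use pulledpork's "gid:sid" form; other forms are skipped.

DISABLESID=/etc/pulledpork/disablesid.conf
DROPSID=/etc/pulledpork/dropsid.conf

# Print the gid:sid entries of one file with comments and whitespace stripped,
# sorted and de-duplicated. Prints nothing for a missing or unreadable file.
sid_entries() {
    [ -r "$1" ] || return 0
    sed -E 's/#.*//; s/[[:space:]]//g' "$1" | grep -E '^[0-9]+:[0-9]+$' | sort -u
}

# Print every gid:sid that appears in both files. A disabled rule never fires,
# so a dropsid.conf entry that is also in disablesid.conf is dead configuration
# that silently blocks nothing. Returns 1 if any overlap exists, 0 otherwise.
sid_conflicts() {
    overlap=$( { sid_entries "$1"; sid_entries "$2"; } | sort | uniq -d )
    [ -z "$overlap" ] && return 0
    printf '%s\n' "$overlap"
    return 1
}

# When executed directly on the box, check the default files.
if [ "$#" -eq 0 ] && [ -r "$DISABLESID" ]; then
    if sid_conflicts "$DISABLESID" "$DROPSID"; then
        echo "no SID is both disabled and set to drop"
    else
        echo "fix the entries listed above before running nsm_rules_update" >&2
    fi
fi
```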

2.5 Glances

Another tool for monitoring the performance of Almond Croissants.

glances


3.0 Hall of Fame

Nathan Paquin - Unix System Expert (IRC nick : sys)
Omnish - Gamer with InfoSec in mind (IRC nick : omnish)
Alpharyon - Ultra speed internet user with InfoSec in mind

*** Special thanks to Nathan Paquin (sys) for providing the server for rules updates ***


4.0 Troubleshooting

If you cannot access the internet when you are behind Almond Croissants, Suricata may have stopped unexpectedly. You can check whether it is running with the following command :

sudo ps aux | grep suricata

If it is not running, issue the following commands to start it :

sudo systemctl daemon-reload
sudo systemctl restart suricata


You can check the Suricata log at /var/log/suricata/suricata.log.


5.0 FAQ

There are kernel drops and/or memory drops in the system. How do I avoid them?
High CPU load (say 80-100%) and/or insufficient memory will cause kernel and/or memory drops. You need a more powerful CPU and/or more memory to solve the problem. Meanwhile, a too-low "RING_SIZE" value may also cause the problem.

Can I use 16GB RAM for the system?
It is NOT recommended to use 16GB RAM, as swap will be used even on a lightly loaded network.

We have tested an Intel Celeron N3150 with 16GB RAM and it runs smoothly. However, make sure NOT to set the value of "RING_SIZE" in "nsm.conf" larger than "400000". The total number of users for an N3150 with 16GB RAM is not more than 4, and the bandwidth it can handle is about 200 to 250 Mbps. We also tested an Intel Atom D2550, but its performance is not acceptable. Generally speaking, allow about 4GB RAM per CPU thread and make sure the CPU is not too weak. Meanwhile, the total number of users should also be taken into account. A Celeron N3150 with 16GB RAM can only serve up to 4 concurrent users with no highly demanding tasks.

sudo nano /etc/croissants/conf.d/nsm.conf

After changing the value of "RING_SIZE" (default is 400000) in "nsm.conf", you can run the following command to test whether the chosen "RING_SIZE" value is suitable :

sudo /etc/croissants/conf.d/auto_config

What is the function of the third network interface?
One is for incoming traffic (from the modem or ISP) and another is for outgoing traffic (to the router). The third is connected to the switch for management purposes. It is also used for updating the rules and the system.

How to check what network interfaces are in my box?
ls /sys/class/net

What is the recommended value for "RING_SIZE"?
We recommend a "RING_SIZE" value of 400000 or higher, depending on how much memory you have. For a box with 4 CPU threads and 16GB RAM, 400000 is the most suitable and recommended value. For a box with 8 CPU threads and 32GB RAM, 400000 is also the most suitable and recommended value.

Can I use Almond Croissants as an Intrusion Detection System only?
Yes. You need two network interfaces. One connects to the SPAN port (port mirroring) on the managed switch; the other is for management purposes. In addition, the "Drop" and "Reject" rules do not block any traffic in this mode. The pie chart on Kibana showing "Block" can be ignored, as it only shows that those rules were triggered. It will monitor the internal traffic of the network.

The workload of Almond Croissants on a SPAN port is much higher than when it is placed in front of the router. The hardware should be sized for the internal bandwidth.


6.0 To-Do-List

[+] Replace Pulledpork with better Rule Manager
[+] Dynamic IP handling


7.0 See Also

Traffic and Attack Map for Suricata
Hardening Mobile Devices with Intrusion Prevention System
Know Your Enemies and Know Yourself
Build An Affordable Intrusion Detection And Prevention System For Home Users

