InfoSec Ninjas 资安忍者

Croissants 牛角面包




Intrusion Detection and Prevention System



Networks and computers that are open to the public face attacks from all over the world every day, and once a system is compromised its owner becomes one more cyber crime victim. Croissants is a high-performance, ultra-low-latency Intrusion Detection and Prevention System (IDPS). Unlike the well-known commercial products aimed at large enterprises, Croissants is available free of charge, so everyone can afford it. It is ideal for home, Small Office Home Office (SOHO) and Small and Medium Business (SMB) users.

Not a Network Security Monitoring (NSM) or Information Security (InfoSec) expert? No problem. Croissants is the "Plug, Play and Forget" system we have been dreaming of. Don't be the next cyber crime victim; try Croissants now!


FEATURES

- Block known malicious activities
- Block known malware and viruses
- Easy and straightforward web interfaces
- Compatible with Bittorrent and 4K video streaming
- Ultra-low latency for demanding online games
- Compatible with Microsoft Windows, GNU Linux, Apple macOS, Apple iOS and Google Android
- No subscription fee
- Automatic updates and upgrades
- Plug, Play and Forget!






LICENSE

Croissants is an Open Source Project which is released under GPLv3 License and it is developed by Samiux.

A Quick Guide to GPLv3
GNU General Public License Version 3.0

Please keep in mind that Croissants is available FREE OF CHARGE.

** A little history about Croissants and Almond Croissants. Croissants has been in development since 2012 and was heavily modified in 2016, when the project was renamed Almond Croissants. In 2017 it was renamed back to Croissants, although some rules still carry the Almond Croissants name.

DONATION

If you like our project, please show your support by sending a donation via PayPal (infosecninjas AT gmail DOT com) in USD or HKD. You need a PayPal account to donate.


MINIMUM REQUIREMENTS

Hardware

- Intel i5-6500 (Quad Core) CPU or better
- 16GB DDR4 RAM or more
- 320GB Hard Drive/SSD or more
- 3 Intel Network Interfaces Cards/Ports
- CPU with AVX2 or better

Important

[1] The external IP address should be a fixed (static) IP address. Automatic detection of the internal and external IP addresses is experimental and is not recommended.

[2] The faster the CPU, the better Croissants performs.

[3] Croissants should be installed on a dedicated Ubuntu Server box placed between the modem (if any) and the router (if any).

[4] Intel network interfaces are recommended (and assumed by the default configuration). Realtek (or other) cards perform poorly.

[5] Choose a CPU with AVX2 or better (such as AVX-512). SSSE3 works, but performance is not satisfactory on medium- to high-traffic networks. (Hyperscan, which Suricata uses here for pattern matching, needs SSSE3 at minimum and runs faster with AVX2 or AVX-512.)

[6] The more users on the network, the more powerful the CPU, and the more cores, required.

[7] Example for home use: an Intel i5-6500 with 16GB RAM can handle a 1000Mbps (or faster) internet connection.

[8] The busier the network traffic, the larger the hard drive required for logs and indices.

Hardware Suggestion

The following motherboards with Intel Xeon E3-1500 v5 series processors are suitable for home, SOHO and small and medium business users :

For home/SOHO users :

Zotac ZBox CI549/MI549 nano for Croissants

For small businesses :

ASRock Rack E3C236D4I-44E85

ASRock Rack C236 WSI4-65L

ASRock Rack C236 WSI4-85L

1GBE Intel Ethernet Server Network Adapters :

Intel Ethernet Server Adapter I350-T4V2 - 4 Ports

Intel Ethernet Server Adapter I350-T2V2 - 2 Ports

Intel Ethernet Server Adapter I340-T4 - 4 Ports

Software

- Ubuntu Server 18.04 LTS (64-bit)


MAIN COMPONENTS

- Suricata 4.0.5
- Hyperscan 4.7.0
- Elasticsearch 5.6.x
- Logstash 5.6.x
- Kibana 5.6.x
- idstools-rulecat
- evebox


DOCUMENTATION

1.0 Installation Guide

1.1 Download and Install

Download the archive and verify its SHA-256 checksum before extracting it. The expected checksum of croissants-2.2.0.tar.gz is:

bff315ea2a74118f411ffdc715cb10f1e0445bbc69a4ea1e2bffebbaa81c70db


wget https://www.infosec-ninjas.com/files/croissants-2.2.0.tar.gz
echo "bff315ea2a74118f411ffdc715cb10f1e0445bbc69a4ea1e2bffebbaa81c70db  croissants-2.2.0.tar.gz" | sha256sum -c
tar -xvzf croissants-2.2.0.tar.gz
cd croissants
chmod +x nsm_*
chmod +x update_*
cp * ~/
cd ~/
nano nsm.conf
sudo ./nsm_install


*** Make sure you edit nsm.conf before running nsm_install ***
The definition of nsm.conf is here.

1.2 ChangeLog

Croissants ChangeLog


2.0 User Guide

WARNING : Make sure ports 5601 (Kibana), 19999 (Netdata) and 5636 (EveBox) are not reachable from the public internet. They should only be accessible on the management (monitoring) interface.
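As an added check for the warning above (example code written for this page, not part of Croissants or any of its components), the script below parses the output of ss -ltn and flags any of the warned ports that are bound to a wildcard address, which makes them reachable on every interface including the one facing the modem/ISP, or directly to the external IP. The sample ss output is constructed; 192.168.20.180 is the monitoring IP used in the examples on this page, 203.0.113.10 is a made-up external IP from the documentation range, and Elasticsearch's port 9200 (which the FAQ queries on localhost) is added to the list as an extra item to watch.

```python
"""Flag Croissants console ports that are bound where the WAN side could reach them.

Added example for this page; not part of Croissants. Parses `ss -ltn` output.
Binding to the management IP or to loopback is treated as acceptable.
"""
import subprocess
from collections import namedtuple

# Ports named in the warning, plus Elasticsearch (9200), which the FAQ
# queries on localhost and which has no authentication of its own here.
RESTRICTED_PORTS = {5601: "Kibana", 19999: "Netdata", 5636: "EveBox", 9200: "Elasticsearch"}
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample in the format of `ss -ltn` (not a real capture).
# 192.168.20.180 is the page's monitoring IP; 203.0.113.10 is a made-up external IP.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:5601         0.0.0.0:*
LISTEN  0       128     192.168.20.180:19999 0.0.0.0:*
LISTEN  0       128     127.0.0.1:9200       0.0.0.0:*
LISTEN  0       128     203.0.113.10:5636    0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

Listener = namedtuple("Listener", "addr port")


def parse_ss(output):
    """Return a Listener for every LISTEN line in `ss -ltn` output."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                      # header line or non-listening socket
        addr, _, port = fields[3].rpartition(":")   # handles "[::]:22" as well
        listeners.append(Listener(addr, int(port)))
    return listeners


def exposed_consoles(listeners, management_ip, external_ip):
    """Return (port, service, reason) for restricted ports not confined to
    the management IP or loopback."""
    findings = []
    for l in listeners:
        service = RESTRICTED_PORTS.get(l.port)
        if service is None:
            continue
        if l.addr in WILDCARD_ADDRS:
            findings.append((l.port, service, "bound to all addresses (%s)" % l.addr))
        elif l.addr == external_ip:
            findings.append((l.port, service, "bound to the external IP %s" % l.addr))
        elif l.addr not in (management_ip, "127.0.0.1", "[::1]"):
            findings.append((l.port, service, "bound to unexpected address %s" % l.addr))
    return findings


def check_live(management_ip, external_ip):
    """Run `ss -ltn` on this box (Linux) and return the findings."""
    proc = subprocess.run(["ss", "-ltn"], stdout=subprocess.PIPE,
                          universal_newlines=True, check=True)
    return exposed_consoles(parse_ss(proc.stdout), management_ip, external_ip)


if __name__ == "__main__":
    findings = exposed_consoles(parse_ss(SAMPLE_SS_OUTPUT), "192.168.20.180", "203.0.113.10")
    for port, service, reason in findings:
        print("EXPOSED %-14s port %-5d %s" % (service, port, reason))
```

Run it on the Croissants box with check_live("<management ip>", "<external ip>") after installation and after every nsm_install or auto_config run; an empty result means the consoles are only listening on the management address or on loopback.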

2.1 Kibana

To monitor and analyse network traffic.

http://[monitoring_ip]:5601

e.g. http://192.168.20.180:5601

You also need to download the preset dashboard and import it into Kibana. You can download here. Kibana is a big-data analysis tool; the indices can be deleted and re-created for fresh analysis and monitoring.

The first-time setup of Kibana is shown in this video :



2.2 Netdata

To monitor the performance of Croissants.

http://[monitoring_ip]:19999

e.g. http://192.168.20.180:19999

2.3 EveBox

To analyse the packet captures.

http://[monitoring_ip]:5636

e.g. http://192.168.20.180:5636

2.4 Rules Management

If some rules produce false positives and you want to disable them, edit the "disable.conf" file of idstools-rulecat.

sudo nano /etc/idstools/disable.conf

If you want to drop (block) the traffic matched by some rules instead of only alerting on it, edit the "drop.conf" file of idstools-rulecat.

sudo nano /etc/idstools/drop.conf

If you want to modify some rules, edit the "modify.conf" file of idstools-rulecat.

sudo nano /etc/idstools/modify.conf

After editing these configuration files, run the following command to apply the changes.

sudo nsm_rules_update
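To see what the three files do to a rule set before running nsm_rules_update, here is an added example (written for this page; it is not the code of idstools-rulecat or Croissants) that re-implements a simplified subset of rulecat's matching over a few constructed rules: plain SIDs, gid:sid pairs and re:<regex> entries in disable.conf and drop.conf, and <sid|re:regex> "from" "to" lines in modify.conf. The sample rules, their SIDs and the config contents are all made up, and the order of application (modify, then disable, then drop) is an assumption of this example.

```python
"""Simplified re-implementation of the idstools-rulecat disable/drop/modify lists.

Added example; not code from Croissants or idstools. Each disable.conf or
drop.conf entry is a SID, a gid:sid pair, or "re:<regex>" matched against the
whole rule; modify.conf lines carry a matcher followed by "from" and "to".
Order of application (modify, disable, drop) is this example's assumption.
"""
import re

# Constructed sample rules (not from a real ruleset); SIDs are made up.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"TEST SSH scan"; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST curl user agent"; content:"curl"; http_user_agent; sid:9000002; rev:2;)
alert dns $HOME_NET any -> any 53 (msg:"TEST query for bad domain"; sid:9000003; rev:1;)
# comment lines in the rule file are left alone
"""

DISABLE_CONF = "# noisy rule, comment it out\n9000001\n"
DROP_CONF = "# block instead of alert\nre:bad domain\n"
MODIFY_CONF = '# <sid|re:regex> "from" "to"\n9000002 "rev:2" "rev:3"\n'

_SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
_GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")
_MODIFY_LINE = re.compile(r'^(\S+)\s+"(.*?)"\s+"(.*?)"\s*$')


def rule_sid(rule):
    m = _SID_RE.search(rule)
    return m.group(1) if m else None


def rule_gid(rule):
    m = _GID_RE.search(rule)
    return m.group(1) if m else "1"        # Suricata's default generator id


def _entries(conf_text):
    """Yield the non-empty, non-comment lines of a rulecat list file."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def _matcher(spec):
    """Build a predicate for one entry: sid, gid:sid or re:regex."""
    if spec.startswith("re:"):
        rx = re.compile(spec[3:], re.IGNORECASE)
        return lambda rule: rx.search(rule) is not None
    if ":" in spec:
        gid, sid = spec.split(":", 1)
        return lambda rule: rule_gid(rule) == gid and rule_sid(rule) == sid
    return lambda rule: rule_sid(rule) == spec


def parse_matchers(conf_text):
    return [_matcher(spec) for spec in _entries(conf_text)]


def parse_modifiers(conf_text):
    """Return (matcher, from_regex, to) triples from modify.conf."""
    out = []
    for line in _entries(conf_text):
        m = _MODIFY_LINE.match(line)
        if not m:
            raise ValueError("bad modify.conf line: %r" % line)
        out.append((_matcher(m.group(1)), re.compile(m.group(2)), m.group(3)))
    return out


def apply_conf(rules_text, disable_conf, drop_conf, modify_conf):
    """Rewrite a rules file: apply modifications, comment out disabled rules,
    then turn matching alert rules into drop rules."""
    disable = parse_matchers(disable_conf)
    drop = parse_matchers(drop_conf)
    modify = parse_modifiers(modify_conf)
    out = []
    for line in rules_text.splitlines():
        rule = line.strip()
        if not rule or rule.startswith("#") or rule_sid(rule) is None:
            out.append(line)               # comments and non-rules pass through
            continue
        for match, rx, to in modify:
            if match(rule):
                rule = rx.sub(to, rule)
        if any(m(rule) for m in disable):
            rule = "# " + rule
        elif any(m(rule) for m in drop) and rule.startswith("alert "):
            rule = "drop " + rule[len("alert "):]
        out.append(rule)
    return "\n".join(out) + "\n"


def summarize(rules_text):
    """Count rules per action; a quick sanity check of the resulting file."""
    counts = {"alert": 0, "drop": 0, "disabled": 0}
    for line in rules_text.splitlines():
        line = line.strip()
        if line.startswith("# alert") or line.startswith("# drop"):
            counts["disabled"] += 1
        elif line.startswith("alert "):
            counts["alert"] += 1
        elif line.startswith("drop "):
            counts["drop"] += 1
    return counts


if __name__ == "__main__":
    result = apply_conf(SAMPLE_RULES, DISABLE_CONF, DROP_CONF, MODIFY_CONF)
    print(result)
    print(summarize(result))
```

A re: entry is matched against the whole rule text, so a loose pattern in drop.conf can silently turn many more rules into drops than intended; run summarize() on the output and compare the drop count with what you expect before applying the change with nsm_rules_update.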

2.5 Glances

Another monitoring tool for the performance of Croissants.

glances

2.6 Ubuntu Update

sudo update_ubuntu

2.7 Auto Configuration

Whenever you change the nsm.conf file, run the following commands to apply it.

sudo nano /etc/croissants/conf.d/nsm.conf

sudo /etc/croissants/conf.d/auto_config


3.0 Hall of Fame

Nathan Paquin - Unix System Expert (IRC nick : sys)
Omnish - Gamer with InfoSec in mind (IRC nick : omnish)
Alpharyon - Ultra speed internet user with InfoSec in mind

*** Special thanks to Nathan Paquin (sys) for providing the server for rules updates ***


4.0 Troubleshooting

If you cannot access the internet from behind Croissants, Suricata may have stopped unexpectedly. Check whether it is running with either of the following commands (the bracketed pattern stops grep from matching its own command line) :

sudo systemctl status suricata

ps aux | grep '[s]uricata'

If it is not running, start it with :

sudo systemctl restart suricata

Check /var/log/suricata/suricata.log for the reason it stopped.


5.0 FAQ

What is the function of the third network interface?
One interface is for incoming traffic (from the modem or ISP) and another for outgoing traffic (to the router). The third is connected to the switch for management; it is also used for rule and system updates.

How to check what network interfaces are in my box?
ls /sys/class/net

How do I delete all the Elasticsearch indices shown in Kibana? (This removes every stored event. Quote the URL so the shell does not expand the wildcard.)
curl -XDELETE 'http://localhost:9200/logstash-*'

How do I list all indices?
curl -XGET 'http://localhost:9200/_cat/indices?v'

How do I delete a single index?
curl -XDELETE 'http://localhost:9200/logstash-2017.07.25'


6.0 To-Do-List

Nil


7.0 See Also

How to upgrade Ubuntu 16.04 to 18.04 on Croissants
Hardening Mobile Devices with Intrusion Prevention System
Know Your Enemies and Know Yourself
Build An Affordable Intrusion Detection And Prevention System For Home Users

Optimizing :
Update Ubuntu 16.04 LTS
Optimize Ubuntu 16.04 with jemalloc
Lower CPU Loading With ulimit on Ubuntu 16.04 LTS
Configure Network Interface For Better Performance on Ubuntu 16.04 LTS


