Showing posts with label guides. Show all posts

Monday, September 14, 2009

surfnet IDS installation - Sensor (simplified install guide)

The system's sensor is where all the malicious traffic will be directed; it is where the 'replications' of nepenthes (the honeypot program) from the tunnel server are placed.

The sensor must be installed after both servers have been installed and configured, because the sensor connects to the servers automatically when it comes up. Keys from the tunnel server are also required for the sensor to connect to the server.

Follow the installation instructions here.

Copy ca.crt from the tunnel server into the sensor's surfids folder. Type in "surfids-passwd (insert password here) >> (insert surfids config filename with path here)".
Edit the config file with suitable info, and edit openvpn.conf by inserting the IP address of the tunnel server. Restart the sensor machine; if the installation succeeded it will boot into the sensor menu. Once in the sensor menu, configure the sensor with the right network settings. Note: the tunnel endpoint is not the IP address of the tunnel server, but an IP address within the same subnet as the sensor.
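As an added example (not from the original post and not part of SURFids itself), here is a small POSIX sh script that checks the two things above that are easiest to get wrong before rebooting into the sensor menu: that ca.crt is actually a PEM certificate and openvpn.conf names a valid tunnel server address, and that the tunnel endpoint you picked sits in the sensor's own subnet rather than on the server's network. The file names, the use of OpenVPN's `remote` directive as the place the server address goes, and every address in it are assumptions or constructed sample values; adapt them to your install.

```shell
#!/bin/sh
# Added example, not SURFids code. Sanity checks for the sensor settings
# described above. File names, the "remote" directive and all addresses
# are assumptions / constructed sample values.

# ip4_to_int A.B.C.D -> integer form of the address, for subnet arithmetic
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# valid_ip4 STR -> 0 if STR is a dotted quad with every octet in 0..255
valid_ip4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    set -- $(printf '%s' "$1" | tr '.' ' ')
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# same_subnet IP1 IP2 NETMASK -> 0 if both addresses share the same network
same_subnet() {
    n1=$(( $(ip4_to_int "$1") & $(ip4_to_int "$3") ))
    n2=$(( $(ip4_to_int "$2") & $(ip4_to_int "$3") ))
    [ "$n1" -eq "$n2" ]
}

# check_sensor_config DIR -> prints the tunnel server address from
# DIR/openvpn.conf and returns 0 if DIR/ca.crt looks like a PEM certificate
# and the "remote" line carries a usable IPv4 address; returns 1 otherwise.
check_sensor_config() {
    dir=$1
    grep -q 'BEGIN CERTIFICATE' "$dir/ca.crt" 2>/dev/null \
        || { echo "ca.crt missing or not a PEM certificate" >&2; return 1; }
    remote=$(awk '$1 == "remote" { print $2; exit }' "$dir/openvpn.conf" 2>/dev/null)
    [ -n "$remote" ] || { echo "openvpn.conf has no remote line" >&2; return 1; }
    valid_ip4 "$remote" || { echo "remote '$remote' is not an IPv4 address" >&2; return 1; }
    echo "$remote"
}

# --- constructed demo directory standing in for the sensor's surfids folder ---
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed...' '-----END CERTIFICATE-----' > "$demo/ca.crt"
printf '%s\n' 'client' 'dev tap' 'remote 203.0.113.10 1194' > "$demo/openvpn.conf"

if tunnel=$(check_sensor_config "$demo"); then
    echo "tunnel server: $tunnel"
fi

# The tunnel endpoint must sit in the sensor's subnet (192.0.2.0/24 here),
# not be the tunnel server's own address on another network.
same_subnet 192.0.2.20 192.0.2.1 255.255.255.0 && echo "endpoint 192.0.2.1 OK"
same_subnet 192.0.2.20 "$tunnel" 255.255.255.0 || echo "endpoint $tunnel is NOT in the sensor subnet"

rm -rf "$demo"
```

Point `check_sensor_config` at the real surfids folder once the files are in place; a non-zero exit means the sensor would come up unable to build the tunnel, which is the failure mode the reinstall note below deals with.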

In case your installation fails and you need to restart it, don't panic: just ssh into the sensor, run apt-get remove --purge surfids-sensor and sudo rm -rf the ids folder to remove any remaining files, then reinstall by typing sudo apt-get install surfids-sensor.

Surfnet IDS installation - Tunnel server (simplified version)

Continued from the Log server installation guide (based on Ubuntu server).

For my installation process, I installed the tunnel server after installing the log server.

Oh, I forgot to explain what the tunnel server does and what the heck the log server is.

The tunnel server, as the name implies, is basically where the OpenVPN server is located. This server is also used to start the nepenthes service, which is the honeypot itself. Any attack on the server is recorded on the log server, which also has a web interface to display all the logged information. Below are the steps and notes to consider while installing the tunnel server.

Step 1: follow the basic installation instructions here
Step 2: install the ARP module following the instructions here
Step 3: configure the server for your system with this as a guide
Step 4: install Nepenthes for your system by following the instructions here

Note:

- Key generation during the ARP module installation may take some time.
- The tunnel server .deb package does not include nepenthes.
- Edit apache2's ports.conf to specify the IP address and ports the server listens on for connections.
- Make sure nepenthes.conf listens on 0.0.0.0 so that the system's sensor has the same open ports as the tunnel server (nepenthes' open ports).
- Restart apache after changing the configuration.

Sunday, September 13, 2009

sudo: unable to resolve host

Faced this problem after changing the computer's hostname.

Solution (taken from here):

sudo vim /etc/hosts

Change your old hostname to the new hostname.

-setel-

just a simple solution from a beginner +_+
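As an added example (not from the original post), the check behind this error: sudo looks up the machine's hostname, and on Ubuntu that lookup is normally satisfied by a `127.0.1.1 <hostname>` line in /etc/hosts, so a renamed machine whose hosts file still carries the old name fails exactly as described. The functions below take the hosts file path as a parameter so they can be run against a constructed copy; the hostnames used are made up.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks whether a hostname
# is present in an /etc/hosts-style file and rewrites the old name to the
# new one. File path is a parameter; "oldbox"/"newbox" are constructed.

# hosts_has_name FILE NAME -> 0 if NAME appears as a host or alias (field 2
# onwards) on an uncommented line of FILE. Matching is case-insensitive,
# as hostname resolution is; the address column is never matched.
hosts_has_name() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                 # drop comments before splitting
        NF < 2 { next }                    # need an address plus a name
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(want)) { found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_sudo_hostname FILE NAME -> prints a diagnosis; 0 if sudo would be
# able to resolve NAME from FILE, 1 with the line to add otherwise.
check_sudo_hostname() {
    if hosts_has_name "$1" "$2"; then
        echo "ok: '$2' is listed in $1"
    else
        echo "missing: add '127.0.1.1 $2' to $1 (this is the 'sudo: unable to resolve host $2' case)"
        return 1
    fi
}

# rename_host FILE OLD NEW -> writes FILE to stdout with the hostname token
# OLD replaced by NEW (only in name columns, never in the address column).
rename_host() {
    awk -v old="$2" -v new="$3" '
        { for (i = 2; i <= NF; i++) if ($i == old) $i = new; print }
    ' "$1"
}

# --- constructed demo standing in for /etc/hosts after a hostname change ---
demo=$(mktemp)
printf '%s\n' '127.0.0.1 localhost' '127.0.1.1 oldbox' '# 10.0.0.5 oldbox-old-note' > "$demo"
hostname_now=newbox                      # the machine was renamed to this

check_sudo_hostname "$demo" oldbox
check_sudo_hostname "$demo" "$hostname_now" || true
rename_host "$demo" oldbox "$hostname_now" > "$demo.fixed"
check_sudo_hostname "$demo.fixed" "$hostname_now"

rm -f "$demo" "$demo.fixed"
```

On a live system the equivalent is `check_sudo_hostname /etc/hosts "$(hostname)"`; if it reports the name missing, the edit to /etc/hosts above is the fix.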

Monday, September 7, 2009

surfnet IDS installation - Log server (simplified install guide)

Surfnet IDS is kinda like a honeypot system. After trying out the system for the past month, I think the first step towards building it is to start with its log server (based on my experience with a fresh Ubuntu server install).

The installation guide for the system is provided at surfnet's website.

During installation of the log server, I always face the same problem: the installation fails to connect to the PostgreSQL database server. This is probably the result of some bad default configuration files.

After doing some searching, I found a PostgreSQL installation guide here which allows a connection to be made to the SQL server.

Just follow the instructions it provides while installing the log server and you should be able to connect to your SQL server and finish the installation.

good luck :)