3.2. NIDS Server Configuration¶
3.2.1. LogStash Configuration¶
LogStash has a separate configuration file for each datasource it will feed into the ElasticSearch database. In our case, the following configuration files are used:
- snoort.conf
- modbus.conf
To edit the configuration file, use a text editor, such as nano for example:
sudo nano /etc/logstash/conf.d/snoort.conf
Enter the following for the snoort.conf configuration file content:
input {
file {
path => "/var/log/snort/alerts.json"
codec => "json"
}
}
output {
elasticsearch {
hosts => "192.168.40.122:9200"
index => "snort_alerts"
}
}
The second configuration file to be edited is modbus.conf:
sudo nano /etc/logstash/conf.d/modbus.conf
Enter the following into the modbus.conf content:
input {
file {
path => "/var/log/tshark/modbus.json"
codec => "json"
}
}
output {
elasticsearch {
hosts => "192.168.40.122:9200"
index => "modbus_traffic"
}
}
3.2.2. Starting LogStash, TShark & Snort¶
Now start the LogStash service:
sudo service logstart logstart
To start the Tshark use the following command options:
sudo tshark -i eth9 -O modbus -Y modbus -T ek -J modbus -j modbus > /var/log/modbus.json
In this setup the network interface eth9 is connected to a SPAN port of a switch and only the Modbus protocol of the application layer needs to be decoded.
For the Modbus/TCP Layer to be decoded the command to run TShark is:
sudo tshark -i eth9 -O modbus -Y modbus -T ek -J "mbtcp modbus" > /var/log/modbus.json
To start the Snort use the following command options:
sudo snort -i eth9 -c /etc/snort/snort.conf -l /var/log/snort/ -h 192.68.50.0/24 -A Console
Hint
Additional Snort rules for some sanity checks on the MODBUS protocol could be downloaded from https://github.com/digitalbond/Quickdraw-Snort/blob/master/modbus.rules
The modbus.rules file should be placed in the /etc/snort/rules/.
To start the tool which converts Snort logs from Unified2 format to JSON use the following command:
sudo idstools-u2json --verbose --snort-conf /etc/snort/snort.conf --directory /var/log/snort \
--prefix snort.log --follow --output /var/log/snort/alerts.json