Archive for category: Uncategorized

Suricata IDS and Turris Omnia

The main reasons I bought a Turris Omnia were the device's ability to run LXC containers and the fact that my old Linksys E3200 router had problems with its 5GHz Wifi stability. I was also looking for a platform that could run Suricata IDS for my home network.

I tested a Raspberry Pi for this purpose and it worked quite well. The only problem is that you need to mirror your traffic to the device in some way, and I had trouble finding one. OK, I have a switch that allows me to mirror traffic from one or more ports to another port towards the Raspberry. But I have some wired and some wireless devices, and placing the switch in my network infrastructure wouldn't be simple when I (read: the Raspberry) need to see all the traffic.

But back to the topic. I installed the Turris device and it worked fine, except that the first thing I had to do was take a pair of pliers and tighten a nut; otherwise I wouldn't have been able to attach an antenna to a wobbly connector. I used several four-letter words during this simple operation, as I had just bought a device with a really high price tag and expected a premium product, not a DIY device.

OK, back to the topic again. I also created an LXC container with Debian Linux and installed Suricata, literally in minutes. Everything worked as expected. The only problem was that Suricata didn't see all the traffic: only broadcasts, multicasts and traffic originating from or terminating at the LXC container's IP address. It was quite obvious that Suricata was not able to switch all the necessary interfaces into promiscuous mode. I played with the veth/bridge/phys setup of the LXC container for more than a few hours, but without any luck. And you can be sure that Google was my best friend.

Finally I gave up and realised that I cannot mirror/TAP all the traffic just by configuring LXC networking and manually setting promiscuous mode on the host's interfaces. And at that moment I found daemonlogger.

I modified the LXC configuration of my Suricata container to:

# Network configuration
lxc.network.type = veth
lxc.network.link = br-lan
lxc.network.flags = up
lxc.network.name = eth0
lxc.network.veth.pair = veth-deb
lxc.network.script.up = /usr/share/lxc/hooks/tx-off
lxc.network.hwaddr = e2:17:79:92:68:e5

lxc.network.type = veth
lxc.network.flags = up
lxc.network.name = eth1
lxc.network.veth.pair = veth-mon
lxc.network.script.up = /usr/share/lxc/hooks/tx-off
lxc.network.hwaddr = e2:17:79:92:68:e6

And installed daemonlogger on the Turris host and started it:

# opkg install daemonlogger
# daemonlogger -i br-lan -o veth-mon

Now I could start Suricata inside the LXC container:

# /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth1

And it worked. iptables can probably also be used to achieve the same goal, but to be honest I am not a friend of iptables. If you know how to mirror traffic in another, more elegant way, please share it with me.
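A small check script for the daemonlogger mirror described above, added here as an example and not part of the original post. It assumes the interface names from the post (br-lan, veth-mon) and that daemonlogger and pidof are available on the host; SYSFS_NET can be pointed at a constructed directory tree to exercise the counter logic without root.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the daemonlogger
# mirror (br-lan -> veth-mon) is actually delivering copies of the traffic.
# Interface names are the ones used in the post; SYSFS_NET is overridable so
# the counter logic can be tested against a constructed sysfs-like tree.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"
SRC_IF="${SRC_IF:-br-lan}"
MON_IF="${MON_IF:-veth-mon}"

# Read one statistics counter of an interface; print 0 when it does not exist.
counter() {
    cat "$SYSFS_NET/$1/statistics/$2" 2>/dev/null || echo 0
}

# Classify one sampling interval given the two deltas (source rx, mirror tx):
# 0 = mirror delivering, 1 = source saw traffic but nothing was written to the
# mirror interface, 2 = no traffic on the source at all (nothing to mirror).
check_mirror() {
    if [ "$1" -eq 0 ]; then return 2; fi
    if [ "$2" -eq 0 ]; then return 1; fi
    return 0
}

# Sample rx_packets on the bridge (while daemonlogger holds br-lan in
# promiscuous mode this includes bridged frames, not only host traffic) and
# tx_packets on the host side of the monitor veth, where daemonlogger injects.
mirror_status() {
    s0=$(counter "$SRC_IF" rx_packets); m0=$(counter "$MON_IF" tx_packets)
    sleep "${1:-5}"
    s1=$(counter "$SRC_IF" rx_packets); m1=$(counter "$MON_IF" tx_packets)
    check_mirror $((s1 - s0)) $((m1 - m0))
}

# "run": make sure daemonlogger is up (-d daemonizes it), then report.
case "${1:-}" in
    run)
        pidof daemonlogger >/dev/null || daemonlogger -d -i "$SRC_IF" -o "$MON_IF"
        mirror_status 5
        case $? in
            0) echo "mirror OK: $MON_IF is sending copies of $SRC_IF traffic" ;;
            1) echo "mirror BROKEN: $SRC_IF busy but nothing sent on $MON_IF" ;;
            2) echo "no traffic seen on $SRC_IF during the sampling window" ;;
        esac ;;
esac
```

Run it on the host as `sh mirror-check.sh run`; without an argument it only defines the functions.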

Next steps will be:

  • set up autostart of all the needed components; LXC hooks will probably be the right mechanism.
  • install another LXC container with the ELK stack to visualise and analyse the collected Suricata data.

I will be back. Soon or never. Good night.

Jeník's "Social Day"

Yesterday I (Jeník, a year and a bit old) got an injection. Lots of microorganisms. Dead or weak, yes, but still foreign enough that it was necessary to throw a get-acquainted party and not go to sleep. It even came to a Friday-night fever. And when I don't sleep, nobody sleeps.

In the morning I decided that after the night that wasn't, I would give up further attempts at falling asleep and go leave a bit of an imprint on the social networks.

I'll start with breakfast. I let Mum sleep and set out with the pram driver for the afterparty at the Cheecup café. To leave some social footprint behind me, I checked in on Foursquare (see Foursquare):

Foursquare

I ate half of the driver's tuna panini and a quarter of a croissant, tried to spill his cappuccino and crumbled a continuous layer up to the calves of all the guests.

The sun was shining outside and it made sense to head for Vyšehrad. I started Endomondo to record the route (see Endomondo):

Endomondo

We set off for Vyšehrad (see Wikipedia) and on the way, on an almost deserted Vyšehrad, photographed the Rotunda of St. Martin (see Instagram) and attacked an enemy portal (see Ingress):

Rotunda of St. Martin

The good mood from the party lasted, so from there I headed to the market at Náplavka and had the driver shoot a short clip of me listening to a band, which explains the low quality of the camera work (see YouTube):

I saw a back basket (nůše) and, in case there might be people in the future who don't know what one looks like, photographed it (see Dropbox).

Back basket (nůše)

So now a bit of promotion on Facebook (see Facebook) and Twitter (see Twitter) and the imprint is done. My parents are nowhere close; at most they try to print my blue foot onto a sheet of card (see Flickr).

Little foot
Yours, Jeník on the blog (see this Blog)

IoT Cloud MQTT message to Speech

For demo purposes, and to be able to check whether messages are arriving from the IoT cloud without watching the screen all the time, I created a very simple Node-RED flow that receives messages from IBM’s IoT cloud, logs them in the debug tab of the Node-RED UI and, in parallel, parses the JSON payload of the messages to obtain the value of the „temp“ property, which is then passed to the OS X say command.

It can easily be modified to pick another property value just by modifying the „JSONify and parse“ node.


You can import the flow using the „Import -> From Clipboard“ menu item of Node-RED by pasting the following text, and then modify the broker details:

[{"id":"7649d216.89b62c","type":"mqtt-broker","broker":"kbrhh.messaging.internetofthings.ibmcloud.com","port":"1883","clientid":"a:kbrhh:viewer2"},{"id":"482fa4c4.b7d05c","type":"debug","name":"Show message","active":true,"console":"false","complete":"true","x":343,"y":62,"z":"948d5198.6b72b","wires":[]},{"id":"a07e3b0c.5f81c8","type":"mqtt in","name":"Receiver","topic":"iot-2/type/sensor-type/id/+/evt/event1/fmt/json","broker":"7649d216.89b62c","x":93,"y":129,"z":"948d5198.6b72b","wires":[["482fa4c4.b7d05c","e9a50fa3.165af"]]},{"id":"e9a50fa3.165af","type":"function","name":"JSONify and parse","func":"var data = JSON.parse(msg.payload);\nvar temp = Math.round(data.d.temp * 10)/10;\nreturn {\"payload\": \"Temperature is \" + temp + \" degrees Celsius\" };","outputs":1,"x":344,"y":199,"z":"948d5198.6b72b","wires":[["4de9ed0c.b21614"]]},{"id":"4de9ed0c.b21614","type":"exec","command":"/usr/bin/say","append":"","useSpawn":"","name":"Say","x":578,"y":258,"z":"948d5198.6b72b","wires":[[],[],[]]}]
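The logic of the „JSONify and parse“ node as a plain function, added here as an example (not code from the original post). It generalises the node so that the property name, label and unit are parameters, and it only ever builds the spoken text from a finite number, so malformed or non-numeric payloads stop the flow instead of reaching the exec node that runs the say command. The function names buildSpeech and nodeBody are my own.

```javascript
// Added example, not part of the original Node-RED flow.
// Turn an IoT cloud event payload into the sentence handed to the "say" node.
// payload: the MQTT payload (JSON string, or an already parsed object).
// Returns the sentence, or null when there is nothing safe to say.
function buildSpeech(payload, { prop = "temp", label = "Temperature", unit = "degrees Celsius" } = {}) {
  let body;
  try {
    body = typeof payload === "string" ? JSON.parse(payload) : payload;
  } catch (e) {
    return null; // malformed JSON: say nothing
  }
  // The IoT cloud event format wraps the device data in a "d" object.
  if (!body || typeof body !== "object" || !body.d || typeof body.d !== "object") {
    return null;
  }
  const value = body.d[prop];
  // Only a finite number is turned into text; strings from the device are never
  // interpolated into what the exec node appends to the command line.
  if (typeof value !== "number" || !Number.isFinite(value)) {
    return null;
  }
  const rounded = Math.round(value * 10) / 10; // one decimal, as in the flow
  return `${label} is ${rounded} ${unit}`;
}

// Body of the function node: returning null stops the flow at this node, so
// the exec node is only reached with a well-formed sentence.
function nodeBody(msg, options) {
  const text = buildSpeech(msg.payload, options);
  return text === null ? null : { payload: text };
}

// Constructed sample messages, as the "Receiver" node would deliver them.
const samples = [
  { payload: '{"d":{"temp":21.46}}' },
  { payload: '{"d":{"temp":"warm"}}' },
  { payload: 'not json at all' },
];
for (const msg of samples) {
  console.log(JSON.stringify(nodeBody(msg)));
}
```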

You can also change the voice by modifying the say command from:

/usr/bin/say

to:

/usr/bin/say -v <voice name>

You can list the available voices by entering the command

/usr/bin/say -v ?

into a terminal.

The flow requires Node-RED installed on an OS X machine.

Home automation as a weekend project using IBM’s Clouds – part 2

Today we will connect the MQTT bus, which is the core part of the IoT Cloud, to MongoDB using a Node-RED flow.

The goal is to have the values sent by our simulated device stored in our database so that we can display them to a user.

We need to add MongoDB to our Bluemix application. Continue reading Home automation as a weekend project using IBM’s Clouds – part 2