ANN: sys-ips

Hi there.

I just tested it and it is working on my PC without problems.
I encourage everybody to try it and report bugs.
https://github.com/control-owl/suriGUI

The idea is to integrate Suricata IPS in Qubes 4.1 and still be able to use the Qubes Firewall.

This is the short process of my Salt:

  1. Download debian-11-minimal (if it does not exist)
  2. Clone debian-11-minimal as sys-ips-template
  3. Install suriGUI in sys-ips-template
  4. Create new Qube: sys-ips
  5. Start sys-ips

After starting sys-ips you will see a new icon in the Sys-Tray.
[screenshot: sys-ips icon in the system tray]

You can Start and Stop Suricata IPS.
For now there are not many settings; progress will be made.

To start exploring, check my repo:
https://github.com/control-owl/suriGUI

and my Salt:
https://github.com/control-owl/suriGUI/tree/main/salt

10 Likes

After reviewing the code, I’ll help with testing.
Good project!

Looks interesting, thanks for sharing!

Is sys-ips (when it’s working) replacing sys-firewall? Or can/should I still use it via

sys-net > sys-ips > sys-firewall > …qubes…

?

Nice addition for anyone who is brave enough to run Windows stuff – at least now we can see what happens there!

See how I did this before without the GUI:
http://zrubi.hu/en/2017/traffic-analysis-qubes/

3 Likes

Meanwhile we are using SELinux, which was created by the NSA; it could be a long discussion, but let’s forget it.

Hi.
You do not need sys-firewall.
At least I do not see any use for it after installing sys-ips.
Traffic will go to Suricata, and there it will be processed.
If you want to block access to hosts, you can do it in the firewall in the qube, or globally in sys-ips.

I based my GUI on your idea @Zrubi

I read it many times.

Thanks, man

1 Like

Sname - Awesome contribution.

I just ran through the instructions on Git and those did not produce any errors.

sys-ips and sys-ips-template installed with suriGUI.

However, I cannot get the tray icon to appear on restart.

Any ideas on how to troubleshoot?

Thanks!

There is a folder that you need to create by hand, and an error in the installer.

The fix… Go to the qubes manager … Start the template and open an xterm … Try to launch the suriGUI in the xterm

It gives a console error that a directory doesn’t exist …

Create it by hand …

Restart the VM and it will work

I can’t remember the exact dir because I am not at home, and I don’t remember it exactly.

Cheers

1 Like

Brilliant Vic.

Thank you.

For others’ reference: /usr/share/suriGUI/tmp/ is the directory that you need to create.

1 Like

Hello,

Good job on putting this together. I have an issue that prevents me from getting it to work. Weirdly, the icon appears when I start the template, but it is not starting when I start the non-template sys-ips.

Any clue on what is going on?

Thanks

Bishop

Bishop - I ran into the same issue. You need to mkdir /usr/share/suriGUI/tmp in sys-ips as well as in the template.

I was finally able to do it. I had to do the mkdir on the sys-ips qube only, but in the folder /rw/bind-dirs/usr/share/suriGUI/

Thanks for the tips!

Bishop
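The two fixes from the replies above (the missing /usr/share/suriGUI/tmp directory, and putting the persistent copy under /rw/bind-dirs so it survives an AppVM reboot) combined into one idempotent script. This is an added example, not code from the thread or from the suriGUI project; it assumes the installer does not already declare the bind-dirs entry (the thread does not say), and the optional ROOT prefix argument exists only so the script can be exercised outside Qubes.

```shell
#!/bin/sh
# Added example (not from the thread or suriGUI): create the directory the
# suriGUI installer forgets, and keep it across AppVM reboots.
# In a Qubes AppVM, /usr/share is reset from the template at every start, so a
# plain mkdir there vanishes. The persistent copy lives under /rw/bind-dirs and
# is bind-mounted at boot when a file in /rw/config/qubes-bind-dirs.d lists it.
# ROOT is an optional prefix used only for testing outside Qubes (default: "/").

SURI_TMP="/usr/share/suriGUI/tmp"

ensure_surigui_tmp() {
    root="${1:-}"                      # "" means the real filesystem
    persist="$root/rw/bind-dirs$SURI_TMP"
    conf_dir="$root/rw/config/qubes-bind-dirs.d"
    conf="$conf_dir/50_surigui.conf"   # hypothetical file name, any *.conf works

    # 1. persistent backing directory under /rw/bind-dirs (Bishop's fix)
    mkdir -p "$persist"

    # 2. declare the bind mount so Qubes re-applies it on every boot
    #    (assumption: the installer does not already do this; skipped if found)
    mkdir -p "$conf_dir"
    if ! grep -qs "$SURI_TMP" "$conf_dir"/*.conf 2>/dev/null; then
        printf "binds+=( '%s' )\n" "$SURI_TMP" >> "$conf"
    fi

    # 3. mountpoint for the current session (non-persistent, until reboot)
    mkdir -p "$root$SURI_TMP"
}

# returns 0 when both the persistent dir and the bind-dirs entry are in place
check_surigui_tmp() {
    root="${1:-}"
    [ -d "$root/rw/bind-dirs$SURI_TMP" ] || return 1
    grep -qs "$SURI_TMP" "$root/rw/config/qubes-bind-dirs.d"/*.conf || return 1
    return 0
}

# Inside sys-ips run as root:  ensure_surigui_tmp && check_surigui_tmp && reboot
if [ "${SURIGUI_APPLY:-0}" = 1 ]; then
    ensure_surigui_tmp && check_surigui_tmp
fi
```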

Done this also, and now the icon just appears (red) for a few seconds and then it’s gone again…

Hi there.
Thanks for showing interest in my project.

Currently I am in a crazy situation with 2 babies at home and I really cannot find 1 hour per day to finish this and make a stable version.
Sadly…

And I am on my vacation until August.
That’s why the new username.
Can’t remember my password without KeePass.

Since some of you showed interest, I will immediately make corrections in the code as soon as I come home.

Thanks for having interest. It means something to me.

Until August.

2 Likes

Having a sys-firewall is still highly recommended as it is a good place to put in additional custom scripts to block certain traffic.

Great initiative, brilliant idea, and you could still do sys-ips-snort; then what was not blocked by Suricata would be blocked by Snort. For example, such a chain: vm <-> sys-firewall <-> sys-ips-snort <-> sys-ips-suricata <-> sys-net

Almost done.