
Installing Suricata
In this post we will go through the steps to install Suricata on Debian 10.6 (Buster). Suricata is a high-performance, open-source network engine that works as an IDS (Intrusion Detection System), as an IPS (Intrusion Prevention System) and as a network security monitoring tool.
Thanks to Suricata we will be able to see what is happening on our network in real time: which machines talk to which, over which protocols, and so on. We will also be able to write rules that alert on the traffic that interests us. In another document we will look at how to export the data Suricata collects to Elasticsearch and visualise it with Kibana or Grafana.
We install Suricata on Debian Buster from buster-backports (the backports package is newer than the one in the main Buster repository), together with the Oinkmaster helper package that we will use to manage rules:
echo "deb http://http.debian.net/debian buster-backports main" > /etc/apt/sources.list.d/backports.list
apt-get update
apt-get install suricata -t buster-backports
apt-get install suricata-oinkmaster
In the Suricata configuration file (/etc/suricata/suricata.yaml) we must at least set the name of the network interface that will listen to the traffic, define which IP ranges are local (HOME_NET, under vars/address-groups) and, if we want one-line alerts in the style of Snort, enable the fast output:
af-packet:
  - interface: ens192
...
vars:
  address-groups:
    HOME_NET: "[192.168.1.0/24,192.168.0.0/24,192.168.33.0/24]"
...
outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
We installed Oinkmaster earlier; we will use it to download the rules and keep them up to date. In its configuration file (/etc/oinkmaster.conf) we add the following URL, the Emerging Threats open ruleset for Suricata:
url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
Updating the rules and then restarting Suricata so that it loads them:
suricata-oinkmaster-updater
systemctl restart suricata
systemctl status suricata
As mentioned, we can create our own rule files (for example /etc/suricata/rules/myrules.rules). As a first example, a rule that writes an alert to the log whenever it sees ICMP traffic from any source to any destination, so that if someone pings we get told about it. Every rule needs a unique sid (signature id), without which Suricata will not load it; by convention locally written rules use ids from 1000000 upwards so they do not collide with downloaded rulesets:
alert icmp any any -> any any (msg:"ICMP detected"; sid:1000001; rev:1;)
Remember that we must list the new rules file in the Suricata configuration file (/etc/suricata/suricata.yaml); the name is relative to the default-rule-path set in the same file:
rule-files:
  ...
  - myrules.rules
We restart Suricata so that it reads the changes we just made:
systemctl restart suricata
systemctl status suricata
Now we can ping any IP from any computer on the monitored network and the alert should show up in the outputs we configured (eve.json is one JSON object per line, fast.log one line per alert):
ping 8.8.8.8
tail -f /var/log/suricata/eve.json
tail -f /var/log/suricata/fast.log
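Once alerts start arriving, tailing eve.json quickly becomes unreadable. The following script is an added example (it is not part of the original post and not a Suricata tool) that reads eve.json, keeps only the alert events, skips the half-written last line you get when reading a live file, and counts alerts per signature and per src -> dst pair. The sample records embedded in it are constructed by hand in the shape of Suricata's eve.json alert and flow events, using the sids and messages from the rules in this post; the field names (event_type, src_ip, dest_ip, alert.signature_id, alert.signature) are the ones Suricata writes.

```python
#!/usr/bin/env python3
"""Summarise Suricata alerts from eve.json (added example, not part of the post)."""
import json
import sys
from collections import Counter

# Constructed sample lines in the shape of Suricata's eve.json "alert" and "flow"
# events. The last line is deliberately truncated, as happens when tailing a file
# that Suricata is still writing to.
SAMPLE_EVE = """\
{"timestamp":"2020-11-20T10:00:01.000000+0100","event_type":"alert","src_ip":"192.168.1.10","dest_ip":"8.8.8.8","proto":"ICMP","alert":{"signature_id":1,"rev":1,"signature":"Output ICMP Detected","severity":3}}
{"timestamp":"2020-11-20T10:00:01.020000+0100","event_type":"alert","src_ip":"8.8.8.8","dest_ip":"192.168.1.10","proto":"ICMP","alert":{"signature_id":2,"rev":1,"signature":"Ingress ICMP detected","severity":3}}
{"timestamp":"2020-11-20T10:00:02.000000+0100","event_type":"flow","src_ip":"192.168.1.10","dest_ip":"8.8.8.8","proto":"ICMP"}
{"timestamp":"2020-11-20T10:00:03.000000+0100","event_type":"alert","src_ip":"192.168.1.10","dest_ip":"8.8.8.8","proto":"ICMP","alert":{"signature_id":1,"rev":1,"signature":"Output ICMP Detected","severity":3}}
{"timestamp":"2020-11-20T10:00:04.000000+0100","event_type":"alert","src_ip":"203.0.113.7","src_port":51234,"dest_ip":"192.168.1.20","dest_port":443,"proto":"TCP","alert":{"signature_id":5,"rev":1,"signature":"Internet connection to LAN","severity":3}}
{"timestamp":"2020-11-20T10:00:05.000000+0100","event_type":"al
"""


def parse_alerts(lines):
    """Yield the alert events from an iterable of eve.json lines.

    eve.json holds one JSON object per line. Blank lines and lines that do not
    parse (typically the last, half-written line of a live file) are skipped
    instead of aborting the whole run; non-alert event types are ignored.
    """
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert":
            yield event


def summarize(lines):
    """Count alerts per (sid, signature) and per (src_ip, dest_ip) pair."""
    by_signature = Counter()
    by_pair = Counter()
    for event in parse_alerts(lines):
        alert = event["alert"]
        by_signature[(alert["signature_id"], alert["signature"])] += 1
        by_pair[(event["src_ip"], event["dest_ip"])] += 1
    return by_signature, by_pair


def report(lines, top=10):
    """Return the summary as printable text, most frequent first."""
    by_signature, by_pair = summarize(lines)
    out = ["alerts by signature:"]
    for (sid, name), n in by_signature.most_common(top):
        out.append(f"  {n:6d}  sid {sid}  {name}")
    out.append("alerts by src -> dst:")
    for (src, dst), n in by_pair.most_common(top):
        out.append(f"  {n:6d}  {src} -> {dst}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: summarize_eve.py /var/log/suricata/eve.json  (no argument: built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(report(fh))
    else:
        print(report(SAMPLE_EVE.splitlines()))
```

Run it against the real file with `python3 summarize_eve.py /var/log/suricata/eve.json`; it reads the whole file, so for a busy sensor feed it a rotated copy or a `tail -n` slice. The flow event and the truncated line in the sample are there on purpose: on a real sensor most of eve.json is not alerts, and a reader that crashes on the first bad line is useless for live triage.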
That is enough to get a feel for what is possible: we can record everything Suricata sees. Remember that if you deployed it as a virtual machine you have to enable promiscuous mode on the virtual switch or port, and if your physical switch supports it, mirror (SPAN) the traffic you want to inspect to Suricata's port; otherwise Suricata only sees the traffic addressed to its own host. Here are some other initial rules to play with (replace 192.168.1.XXX with the IP of each service). A few things to keep in mind: write the rule keywords in lowercase as in the Suricata documentation (alert, tcp, msg), keep sids unique (the low sids below are fine for a lab, but local rules conventionally use 1000000 and up), the classtype icmp-custom-event does not exist in the default /etc/suricata/classification.config and must be added there or left out, and a content:"Gmail" match is case-sensitive and can only see traffic that is not encrypted with TLS. After editing, validate the configuration and rules with suricata -T -c /etc/suricata/suricata.yaml before restarting the service:
alert tcp any any -> any any (content:"Gmail"; msg:"We detect Gmail"; sid:1000002; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Output ICMP Detected"; sid:1; rev:1; classtype:icmp-custom-event;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"Ingress ICMP detected"; sid:2; rev:1; classtype:icmp-custom-event;)
alert icmp $HOME_NET any -> $HOME_NET any (msg:"ICMP on local network detected"; sid:3; rev:1; classtype:icmp-custom-event;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Internet connection to LAN"; sid:5; rev:1;)
alert tcp 192.168.1.254 any -> 192.168.1.XXX any (msg:"Internet connection to Jitsi"; sid:6; rev:1;)
alert tcp 192.168.1.254 any -> 192.168.1.XXX any (msg:"Internet connection to Grafana"; sid:7; rev:1;)
alert tcp 192.168.1.254 any -> 192.168.1.XXX any (msg:"Internet connection to NextCloud"; sid:8; rev:1;)
alert tcp 192.168.1.254 any -> 192.168.1.XXX any (msg:"Internet connection to OTRS"; sid:9; rev:1;)
alert tcp any any -> 192.168.1.XXX any (msg:"Internet connection to Citrix"; sid:10; rev:1;)
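The mistakes that creep into hand-written rule files (a missing sid, a sid reused between two rules, an unknown classtype, keywords in the wrong case) are cheap to catch before restarting the sensor. The script below is an added example, not part of the original post and not a Suricata tool; it is a lightweight linter for a local rules file that complements, and does not replace, `suricata -T`. The sample rules embedded in it are constructed from the rules in this post as they were first written, so the checks have something to flag; the protocol and classtype sets are subsets of what Suricata ships and LOCAL_SID_MIN is the conventional 1000000 boundary, not something Suricata enforces.

```python
#!/usr/bin/env python3
"""Sanity-check a local Suricata rules file (added example, not part of the post)."""
import re
import sys

ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}
# Subset of the protocols Suricata accepts in the rule header.
PROTOCOLS = {"tcp", "udp", "icmp", "ip", "http", "tls", "dns", "ssh", "smtp", "ftp", "smb"}
# Subset of the classtypes in Suricata's default classification.config.
CLASSTYPES = {
    "not-suspicious", "unknown", "bad-unknown", "attempted-recon", "attempted-dos",
    "attempted-user", "attempted-admin", "trojan-activity", "policy-violation",
    "misc-activity", "misc-attack", "icmp-event", "web-application-attack",
    "network-scan", "protocol-command-decode",
}
LOCAL_SID_MIN = 1000000  # conventional start of the sid range for local rules

# action proto src sport dir dst dport (options)
HEADER = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Constructed sample: the post's rules as first written, plus one clean rule.
SAMPLE_RULES = """\
# local rules (constructed sample)
alert icmp any any -> any any (msg:"ICMP detected"; sid:1000001; rev:1;)
Alert TCP any any -> any any (content:"Gmail"; Msg: "We detect Gmail"; sid:1000002;)
alert icmp any any -> any any (msg:"ICMP detected";)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Output ICMP Detected"; sid:1; rev:1; classtype:icmp-custom-event;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Internet connection to LAN"; sid:1000001; rev:1;)
"""


def parse_options(opts):
    """Split 'key:value; keyword;' into (key, value) pairs; value is None for bare keywords.

    Simple split on ';', which is enough for rules like the ones above but does
    not handle a semicolon inside a quoted value (use suricata -T for those).
    """
    pairs = []
    for item in opts.split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition(":")
        pairs.append((key.strip(), value.strip() if sep else None))
    return pairs


def lint_rules(text, classtypes=CLASSTYPES):
    """Return a list of (line number, message) for every problem found."""
    problems = []
    seen_sids = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER.match(line)
        if not m:
            problems.append((lineno, "cannot parse rule header"))
            continue
        if m["action"] not in ACTIONS:
            problems.append((lineno, f"unexpected action {m['action']!r}; use lowercase, e.g. alert"))
        if m["proto"] not in PROTOCOLS:
            problems.append((lineno, f"unexpected protocol {m['proto']!r}; use lowercase, e.g. tcp"))
        options = parse_options(m["opts"])
        for key, _ in options:
            if key != key.lower():
                problems.append((lineno, f"option keyword {key!r} should be lowercase"))
        keys = [key.lower() for key, _ in options]
        values = {key.lower(): value for key, value in options}
        if "msg" not in keys:
            problems.append((lineno, "missing msg"))
        sid = values.get("sid")
        if sid is None or not sid.isdigit():
            problems.append((lineno, "missing or non-numeric sid; Suricata will not load this rule"))
        else:
            sid = int(sid)
            if sid in seen_sids:
                problems.append((lineno, f"duplicate sid {sid} (first used on line {seen_sids[sid]})"))
            else:
                seen_sids[sid] = lineno
            if sid < LOCAL_SID_MIN:
                problems.append((lineno, f"sid {sid} is below the conventional local range ({LOCAL_SID_MIN}+)"))
        classtype = values.get("classtype")
        if classtype is not None and classtype not in classtypes:
            problems.append((lineno, f"classtype {classtype!r} is not in classification.config"))
    return problems


if __name__ == "__main__":
    # Usage: lint_rules.py /etc/suricata/rules/myrules.rules  (no argument: built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_RULES
    for lineno, message in lint_rules(text):
        print(f"line {lineno}: {message}")
```

Run `python3 lint_rules.py /etc/suricata/rules/myrules.rules` before `suricata -T`; the duplicate-sid check only covers the file it is given, so if you keep several local files, concatenate them first. The classtype set is read from a constant here; replacing it with the names parsed out of /etc/suricata/classification.config is the obvious next step for a real deployment.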
As I said, this is a first document on how to install and set up Suricata and get it fully working; we will build on it in future documents, at least with the intention of storing the data in Elasticsearch and visualising it with Grafana or Kibana, to taste.