# Running IDS

## Dependencies

- Zeek 4.2.X
- enip_swat_parser
- Elasticsearch 8.0.1
- Kibana 8.0.1
- Filebeat 8.0.1
- Logstash 8.0.1
- tshark
## Start IDS

### Start Kibana visualisation

Start the ELK stack to enable the pipeline, then start the visualisation.

- Start Elasticsearch

  ```sh
  # Go to the elasticsearch directory
  # in a separate terminal
  ./bin/elasticsearch
  ```

- Start Kibana

  ```sh
  # Go to the kibana directory
  # in a separate terminal
  ./bin/kibana
  ```

- Start Filebeat

  ```sh
  # Go to the filebeat directory
  # in a separate terminal
  ./filebeat -c filebeat.yml --path.data data/registry/filebeat/
  ```

- Start Logstash

  ```sh
  # Go to the logstash directory
  # in a separate terminal
  sudo ./bin/logstash -f <logstash-sample>.conf --config.reload.automatic
  ```

- Open Kibana in a browser
  - Go to a browser.
  - Open `localhost:5601` or `<kibana server IP>:5601`.
  - Go to Analytics >> Canvas >> `<canvas name>`.
  - Select View >> Auto refresh setting.
  - Set a "1s" refresh rate and click Set.
  - Select Fullscreen mode.
### Start Zeek

- Start zeekctl.

  ```sh
  # in a separate terminal
  # Start the Zeek Control shell with the following:
  sudo /usr/local/zeek/bin/zeekctl
  ```

- Deploy Zeek and check its status in the Zeek Control shell

  ```text
  # In the Zeek Control shell, issue the following commands:
  deploy
  status
  ```
## Check if IDS is working

- Use tshark to visually inspect the packets seen on the interfaces.

  ```sh
  # in a terminal
  sudo tshark -i <interface> -P | grep <protocol>
  ```
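The tshark check confirms that traffic reaches the interface, but not that the rest of the pipeline is alive. The script below is an added example, not part of the project's documentation, that checks the components started above: it parses `zeekctl status` to confirm every node is running, reads the Elasticsearch cluster health, probes Kibana's status endpoint and verifies that Zeek's `conn.log` is still being written. The paths and ports are assumptions taken from this page's defaults (Zeek under `/usr/local/zeek`, Elasticsearch on `localhost:9200`, Kibana on `localhost:5601`) plus the assumption that current Zeek logs live in `/usr/local/zeek/logs/current`; all are overridable through environment variables. The two parsers are kept as separate functions so they can be exercised on constructed sample output without a live stack.

```shell
#!/bin/sh
# check_ids.sh: sanity checks for the Zeek + ELK pipeline described on this page.
# Added example, not part of the project's documentation. Paths and ports are
# assumptions based on the page's defaults; override them via the environment.

ZEEKCTL="${ZEEKCTL:-/usr/local/zeek/bin/zeekctl}"
ZEEK_LOGDIR="${ZEEK_LOGDIR:-/usr/local/zeek/logs/current}"
ES_URL="${ES_URL:-http://localhost:9200}"
KIBANA_URL="${KIBANA_URL:-http://localhost:5601}"
CURL_OPTS="${CURL_OPTS:-}"      # e.g. "-k -u elastic:<password>" when ES security is on

# Read `zeekctl status` output on stdin; succeed only if every node line
# reports "running". Columns are: Name Type Host Status Pid Started.
zeek_nodes_running() {
    awk 'NR == 1 { next }                       # header line
         NF == 0 { next }                       # blank lines
         { total++; if ($4 == "running") ok++ }
         END { if (total > 0 && ok == total) exit 0; exit 1 }'
}

# Read the JSON returned by GET /_cluster/health on stdin and print the
# cluster "status" value (green, yellow or red).
es_status_from_json() {
    sed -n 's/.*"status" *: *"\([a-z]*\)".*/\1/p'
}

# Succeed if FILE was modified within the last MAX_AGE seconds. A Zeek log
# that stops growing means the sensor has stopped seeing (or parsing) traffic.
log_fresh() {
    file="$1"; max_age="$2"
    [ -f "$file" ] || return 1
    now=$(date +%s)
    # GNU stat first, BSD/macOS stat as fallback
    mtime=$(stat -c %Y "$file" 2>/dev/null || stat -f %m "$file")
    [ $((now - mtime)) -le "$max_age" ]
}

# Live checks against the running stack (needs network access and the
# components started as described above).
main() {
    rc=0
    if sudo "$ZEEKCTL" status | zeek_nodes_running; then
        echo "zeek: all nodes running"
    else
        echo "zeek: at least one node is not running"; rc=1
    fi

    es_status=$(curl -s $CURL_OPTS "$ES_URL/_cluster/health" | es_status_from_json)
    case "$es_status" in
        green|yellow) echo "elasticsearch: $es_status" ;;
        *) echo "elasticsearch: unreachable or red (got '$es_status')"; rc=1 ;;
    esac

    kibana_code=$(curl -s $CURL_OPTS -o /dev/null -w '%{http_code}' "$KIBANA_URL/api/status")
    if [ "$kibana_code" = "200" ]; then
        echo "kibana: up"
    else
        echo "kibana: HTTP $kibana_code"; rc=1
    fi

    # conn.log is written for any traffic Zeek sees; a stale file means the
    # interface is quiet or Zeek is no longer capturing.
    if log_fresh "$ZEEK_LOGDIR/conn.log" 60; then
        echo "conn.log: updated within the last 60s"
    else
        echo "conn.log: missing or stale"; rc=1
    fi
    return $rc
}

# Run the live checks only when asked, so the file can also be sourced and its
# parsers exercised without touching the network.
if [ -n "${RUN_IDS_CHECK:-}" ]; then
    main
fi
```

Run it with `RUN_IDS_CHECK=1 sh check_ids.sh` after the start procedure; a non-zero exit means at least one component failed its check. Elasticsearch 8 enables TLS and authentication by default, so on such an install point `ES_URL` at `https://localhost:9200` and pass the certificate and credential options through `CURL_OPTS`.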
## Stop IDS

- Close the browser.
- Open the zeekctl shell, if it is not already open.

  ```sh
  # if no other terminal hosts zeekctl, then
  # in a separate terminal, start the Zeek Control shell with the following:
  sudo /usr/local/zeek/bin/zeekctl
  # else ignore this step
  ```

- Stop Zeek and quit the Zeek Control shell

  ```text
  # In the Zeek Control shell, issue the following commands:
  stop   # zeek might take a while to stop completely
  quit
  ```