An Intrusion Detection System (IDS) is a security application or appliance that can be deployed at different levels in a network. A host-based IDS resides on a network endpoint such as a workstation and attempts to detect malicious activity on that machine. A network-based IDS, by contrast, is deployed transparently on a network segment and listens to the traffic for malicious packets. An IDS can use several detection methods, but the most basic is signature matching: just as an antivirus program checks files for virus signatures, an IDS checks network traffic for patterns associated with malicious network activity.
By far the most popular and powerful of the free IDS solutions is Snort (http://www.snort.org). It's important to note that Snort is not a firewall. Our Snort configuration is intended only to detect problem traffic, not to block it (although with some work it can be configured otherwise; see inline mode in the Snort manual).
Configuration Notice: While all the examples in this tutorial are designed to be rather basic, the Snort configuration here is very minimal. The idea is, as always, to get you up and running and let you research and expand the configuration to suit your needs later on. How an IDS is useful will differ for everyone based on their needs, so it's up to you to identify which detections you need and which you don't. I HIGHLY recommend that everyone attempting this step in the guide visit Snort.org for two reasons:
- Documentation: Learn how to take advantage of the multitude of features built into Snort. The documentation is long, but valuable.
- Updates: The Debian package comes with a pre-defined rule set, but the rules are updated regularly. The community rules are free for download and will allow your IDS to detect the latest threats.
To start off, we need to install the snort package:
Firewall:~# apt-get install snort
Debian will do some Snort configuration for you when the package is installed. You will be prompted for the following:
- The interface Snort should listen on. We'll be configuring it on our internet interface, since that's where we expect the threats to come from. It can also be run on the internal interface to inspect outgoing traffic.
- The IP address range of your home network. In our example, this is the 192.168.1.0/24 subnet.
- The user(s) to whom a script will mail IDS statistics. Make sure they have some way of receiving the information.
Snort has several configuration files to be aware of. Some of the most important are:
- /etc/snort/snort.conf: This is the primary configuration file, and deserves a read through and usually some tweaking.
- /etc/snort/snort.debian.conf: This file is created by the Apt installer. Your initial options are placed here leaving snort.conf unchanged.
- /etc/snort/threshold.conf: This file lets you rate-limit alerts if you're seeing a lot of the same warning. It also lets you suppress warnings completely.
- /etc/snort/rules/: This directory contains the Snort rules (signatures). These can be manually updated with new rules from Snort.org, or edited by hand to provide new detections.
When a new detection is made, it is logged in /var/log/snort/alert by default. These logs aren't very pretty, but many log interpreters are available to supplement the installation. When Snort starts, it writes a lot of information to /var/log/syslog about its configuration, what is enabled, and what isn't.
Now let's do some Snort tweaking to match our network! Keep in mind that this is just a sampling to get you started. We won't attempt to cover all the included features; that's up to you.
Firewall:~# nano -w /etc/snort/snort.conf
The VAR_* options at the beginning allow you to limit what addresses are scanned for certain types of vulnerabilities. For example, you can set it to only scan traffic to your web server at 192.168.1.10 for HTTP vulnerabilities:
var HTTP_SERVERS 192.168.1.10/32
The middle of the config contains the preprocessor configs. The preprocessors are Snort modules that run before the actual Snort detection engine, and they extend Snort's core capabilities with features like port scan detection, HTTP traffic inspection, IP defragmentation, and much more. You should read through each and configure it to your needs; the Snort website documents all the options well.
At the bottom you will find lots of file includes. The rule sets are included here, as well as some additional configuration files. If you want to exclude a certain rule set from being processed, simply comment it out:
#include $RULE_PATH/tftp.rules
Keep in mind that if you only want to avoid a single rule, rather than the entire set, you should use the threshold.conf file to suppress it by signature. Once you're happy with the configuration, sit back and watch everything work. Don't forget to monitor your new IDS for unexpected results; high-traffic networks can quickly generate a lot of detections if Snort is not configured properly.
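To make sense of the raw alert file and decide which signatures deserve a threshold.conf entry, here is an added example (not part of the original guide) that parses Snort's default "full" alert format, counts alerts per signature and source address, and prints a matching threshold line. The sample alert text is constructed, sid 1000001 is a made-up local rule id, and the threshold line uses the `threshold` keyword of Snort 2.x threshold.conf files (later releases spell the same thing `event_filter`).

```python
import re
from collections import Counter
# Constructed sample in Snort's default "full" alert format (/var/log/snort/alert); not from a real system.
SAMPLE_ALERTS = """\
[**] [1:1000001:1] LOCAL web admin path probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/05-14:02:11.123456 203.0.113.7:51234 -> 192.168.1.10:80
TCP TTL:53 TOS:0x0 ID:3141 IpLen:20 DgmLen:60 DF

[**] [1:1000001:1] LOCAL web admin path probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/05-14:02:12.223456 203.0.113.7:51240 -> 192.168.1.10:80
TCP TTL:53 TOS:0x0 ID:3142 IpLen:20 DgmLen:60 DF

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
11/05-14:03:01.000001 192.168.1.50 -> 192.168.1.1
ICMP TTL:64 TOS:0x0 ID:7 IpLen:20 DgmLen:84
"""
HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
# Timestamp, then "src[:port] -> dst[:port]"; ICMP alerts carry no ports.
ENDPOINTS = re.compile(r"^(\S+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")

def parse_alerts(text):
    """Return one dict per alert record: gid, sid, rev, msg, priority, src/dst and ports."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # "[**] [gid:sid:rev] message [**]" starts a new record
            cur = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]), "msg": m[4]}
            alerts.append(cur)
        elif cur is not None and line.startswith("[Classification:"):
            pm = re.search(r"\[Priority: (\d+)\]", line)
            cur["priority"] = int(pm[1]) if pm else None
        elif cur is not None and "src" not in cur:
            m = ENDPOINTS.match(line)
            if m:  # ports are None for protocols without them (e.g. ICMP)
                cur.update(ts=m[1], src=m[2], sport=m[3], dst=m[4], dport=m[5])
    return alerts

def noisy_signatures(alerts, min_count=2):
    """Count alerts per (gid, sid, source IP) and keep those seen at least min_count times."""
    counts = Counter((a["gid"], a["sid"], a["src"]) for a in alerts)
    return {k: n for k, n in counts.items() if n >= min_count}

def threshold_line(gid, sid, seconds=60):
    """threshold.conf entry (Snort 2.x syntax) limiting a signature to one alert per source per window."""
    return (f"threshold gen_id {gid}, sig_id {sid}, type limit, "
            f"track by_src, count 1, seconds {seconds}")
```

Run `noisy_signatures(parse_alerts(open("/var/log/snort/alert").read()))` against a real alert file to see which signature/source pairs are repeating; use `suppress gen_id ..., sig_id ...` instead of `threshold` only for rules you never want to hear about.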
Proceed to Step 15 - Anonymous Routing with Tor
Copyright © 2006 Matt LaPlante. All rights reserved.