[ previous ] [ Contents ] [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ A ] [ B ] [ C ] [ D ] [ E ] [ F ] [ G ] [ H ] [ next ]
You can easily set up a dedicated Debian system as a stand-alone Intrusion
Detection System using snort
and a web-based interface to analyse
the intrusion detection alerts:
Install a base Debian system and select no additional packages.
Install one of the Snort versions with database support and configure the IDS to log alerts into the database.
Download and install BASE (Basic Analysis and Security Engine), or ACID (Analysis Console for Intrusion Databases). Configure it to use the same database than Snort.
Download and install the necessary packages[81].
BASE is currently packaged for Debian in acidbase
and ACID is
packaged as acidlab
[82]. Both provide a graphical WWW interface to Snort's output.
Besides the base installation you will also need a web server (such as
apache
), a PHP
interpreter and a relational database
(such postgresql
or mysql
) where Snort will store its
alerts.
This system should be set up with at least two interfaces: one interface connected to a management LAN (for accessing the results and maintaining the system), and one interface with no IP address attached to the network segment being analyzed. You should configure the web server to listen only on the interface connected to the management LAN.
You should configure both interfaces in the standard Debian
/etc/network/interfaces
configuration file. One (the management
LAN) address can be configured as you would normally do. The other interface
needs to be configured so that it is started up when the system boots, but with
no interface address. You can use the following interface definition:
auto eth0 iface eth0 inet manual up ifconfig $IFACE 0.0.0.0 up up ip link set $IFACE promisc on down ip link set $IFACE promisc off down ifconfig $IFACE down
The above configures an interface to read all the traffic on the network in a
stealth-type configuration. This prevents the NIDS system to be a
direct target in a hostile network since the sensors have no IP address on the
network. Notice, however, that there have been known bugs over time in sensors
part of NIDS (for example see DSA-297
related
to Snort) and remote buffer overflows might even be triggered by network packet
processing.
You might also want to read the Snort
Statistics HOWTO
and the documentation available at the Snort official site
.
[ previous ] [ Contents ] [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ A ] [ B ] [ C ] [ D ] [ E ] [ F ] [ G ] [ H ] [ next ]
Securing Debian Manual
[email protected]