An Intrusion Detection System is like a burglar alarm for your computer. It monitors your network and system activity for malicious activity or policy violations and reports to some kind of management station. This is great as it lets you know who, where, when and how people are trying to break into your network, and knowing this is half the battle. You may be thinking that this isn’t enough and you want to block all hacks from happening; well, most IDS systems include some “Network Intrusion Prevention” features. However, the main concern should be closing up vulnerabilities rather than blocking someone already trying to hack your systems: after all, it’s a bit late if they are already in your system, and this way you may accidentally block innocent users.
Another common use of an Intrusion Detection System is as a honeypot. In Wikipedia’s words, “a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.” Basically, if you’re trying to find some hacker’s address or an active botnet, then installing a honeypot on a popular webserver is a good way to go about this.
So what’s the best IDS? Well, infoworld.com said that the greatest open source software of all time was Snort, and if it’s the best open source software of all time you can sure as hell bet it’s the best open source IDS. Snort contains a full-featured IDS, receives regular updates to its rules library, and has great Network Intrusion Prevention features. So let’s discuss how to install it and get it reporting to a MySQL database.
In this tutorial we are going to be setting up a Snort server to run on and monitor a single machine; this is great for protecting your webserver or creating a honeypot. However, if you want an IDS to monitor your entire network this solution on its own won’t work: you’ll need a switch with a monitoring (mirror) port (most managed switches have one) so that a copy of all the data sent across the network is mirrored to your Snort server. If you do have this function, turn it on and follow this tutorial as normal.
So let’s get started. First we need to install some base packages, mainly LAMP (Linux, Apache, MySQL & PHP), so type into your terminal:
sudo tasksel install lamp-server
During this install you’ll be asked to set a password for the root account on your new MySQL server; be sure to remember this as you’ll need it later.
Now we just need some tools to test the server later:
sudo apt-get install nmap
sudo apt-get install nbtscan
Just because it’s good practice, remember to update your package lists:
sudo apt-get update
Now we’ve got that out of the way, we can install Snort:
sudo apt-get install snort-mysql
Now you should see this window. This is where you choose what address range the Snort server will monitor: if you’re just installing this on one machine, enter the machine’s IP address followed by /32; if it’s a whole network, use /24 at the end. For example:
Single Machine: 192.168.0.1/32
Whole Network: 192.168.0.0/24 (remember this will need a monitoring port)
If you read the last window you’ll see that we need to configure the database. This isn’t too hard, just type:
mysql -u root -p
which will open the MySQL console; in this, type:
create database snort;
Now we need to add some tables to the database we just created:
cd /usr/share/doc/snort-mysql
zcat create_mysql.gz | mysql -u root -p snort
Once that’s done we need to re-configure Snort so it knows about the database we just set up, so type:
sudo dpkg-reconfigure -plow snort-mysql
Here you choose whether you want to run Snort in promiscuous mode or not. Even though I said that you can’t monitor other hosts (without a monitoring port), this is where you can, sort of: in promiscuous mode Snort will also monitor broadcast traffic. Personally I set this to no to reduce overhead, but it’s up to you.
For this tutorial we haven’t added any additional users so I’ve just used root; however, this is bad practice. I recommend you add a dedicated snort user to your MySQL database; a good tutorial on that can be found here.
To start Snort you first need to confirm you have set up your database by typing:
sudo rm /etc/snort/db-pending-config
and then start the Snort server, checking its status afterwards to confirm it is running:
sudo /etc/init.d/snort start
sudo /etc/init.d/snort status
Now if you want to see what attempted hacks have taken place, simply type:
echo "select * from signature;" | mysql -u root -p snort
This will show which attack signatures have been triggered.
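The signature table on its own only tells you which rules have ever fired. To see who triggered what, and how often, you have to join it with the event and iphdr tables, which is how the Snort schema links an alert to the packet that caused it. Here is an added example (not part of the original tutorial) in Python that does exactly that. Because it has to run anywhere, it uses an in-memory SQLite database with a simplified subset of the Snort schema (the column names match the real create_mysql.gz tables, but most columns are left out) and a handful of constructed alert rows; the two real Snort rule ids (469 and 1228) are used for flavour and the third signature is a constructed local rule. The queries are plain SQL you could paste into the mysql console against the real snort database, except that MySQL would let you use INET_NTOA() for the address conversion done in Python below.

```python
"""Summarise Snort alerts by signature and source address.

Added example: stands in for the real MySQL `snort` database with an
in-memory SQLite database using a simplified subset of the Snort schema.
"""
import ipaddress
import sqlite3
from typing import List, Optional, Tuple

# Simplified subset of the tables create_mysql.gz sets up (assumption: the
# real schema has many more columns; the names and meanings used here match).
SCHEMA = """
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY,   -- internal id referenced by event.signature
    sig_name     TEXT NOT NULL,         -- rule message, e.g. "ICMP PING NMAP"
    sig_priority INTEGER,               -- 1 is the highest priority
    sig_sid      INTEGER                -- the rule's Snort SID
);
CREATE TABLE event (
    sid       INTEGER NOT NULL,         -- sensor id
    cid       INTEGER NOT NULL,         -- per-sensor event counter
    signature INTEGER NOT NULL,         -- -> signature.sig_id
    timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid)
);
CREATE TABLE iphdr (
    sid    INTEGER NOT NULL,
    cid    INTEGER NOT NULL,
    ip_src INTEGER NOT NULL,            -- IPv4 address as unsigned 32-bit int
    ip_dst INTEGER NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""

# Constructed sample data. 469 and 1228 are real Snort rule ids; the third
# row is a made-up local rule (local rules use SIDs >= 1000000).
SAMPLE_SIGNATURES = [
    (1, "ICMP PING NMAP", 3, 469),
    (2, "SCAN nmap XMAS", 2, 1228),
    (3, "LOCAL constructed web probe", 1, 1000001),
]
# (timestamp, sig_id, source address, destination address), all constructed
SAMPLE_ALERTS = [
    ("2009-03-01 10:00:01", 1, "203.0.113.5", "192.168.0.1"),
    ("2009-03-01 10:00:02", 2, "203.0.113.5", "192.168.0.1"),
    ("2009-03-01 10:00:03", 2, "203.0.113.5", "192.168.0.1"),
    ("2009-03-01 11:15:00", 3, "198.51.100.7", "192.168.0.1"),
    ("2009-03-01 11:15:04", 3, "198.51.100.7", "192.168.0.1"),
    ("2009-03-01 11:15:09", 3, "198.51.100.7", "192.168.0.1"),
    ("2009-03-01 12:00:00", 1, "192.168.0.20", "192.168.0.1"),
]


def ip_to_int(addr: str) -> int:
    """Store addresses the way the Snort schema does: as unsigned 32-bit ints."""
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(value: int) -> str:
    """Reverse of ip_to_int (MySQL's INET_NTOA does this server-side)."""
    return str(ipaddress.IPv4Address(value))


def build_sample_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed alerts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?, ?)", SAMPLE_SIGNATURES)
    sensor_id = 1  # a single sensor, as in the tutorial's single-machine setup
    for cid, (ts, sig_id, src, dst) in enumerate(SAMPLE_ALERTS, start=1):
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sensor_id, cid, sig_id, ts))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?)",
                     (sensor_id, cid, ip_to_int(src), ip_to_int(dst)))
    conn.commit()
    return conn


def alerts_by_source(conn: sqlite3.Connection,
                     max_priority: Optional[int] = None) -> List[Tuple[str, str, int]]:
    """Return (signature name, source IP, hit count), busiest first.

    max_priority keeps only signatures at that priority or higher (1 = highest).
    """
    sql = """
        SELECT s.sig_name, i.ip_src, COUNT(*) AS hits
        FROM event e
        JOIN signature s ON s.sig_id = e.signature
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        WHERE (? IS NULL OR s.sig_priority <= ?)
        GROUP BY s.sig_name, i.ip_src
        ORDER BY hits DESC, s.sig_name, i.ip_src
    """
    rows = conn.execute(sql, (max_priority, max_priority)).fetchall()
    return [(name, int_to_ip(src), hits) for name, src, hits in rows]


def noisiest_sources(conn: sqlite3.Connection, limit: int = 5) -> List[Tuple[str, int, int]]:
    """Return (source IP, total alerts, distinct signatures) for the top sources."""
    sql = """
        SELECT i.ip_src, COUNT(*) AS hits, COUNT(DISTINCT e.signature) AS sigs
        FROM event e
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        GROUP BY i.ip_src
        ORDER BY hits DESC, i.ip_src
        LIMIT ?
    """
    rows = conn.execute(sql, (limit,)).fetchall()
    return [(int_to_ip(src), hits, sigs) for src, hits, sigs in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for row in alerts_by_source(db):
        print("%-30s %-16s %d" % row)
    print(noisiest_sources(db))
```

Run as-is it prints the constructed alerts grouped by rule and attacker, and `alerts_by_source(db, max_priority=1)` narrows that to high-priority rules only; point the same SQL at the real database once Snort has been logging for a while.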