INTRUSION DETECTION

pari205
I am planning to implement an intrusion detection system
in a Linux-based LAN. Please tell me what could be the possible starting point for this.
Kelly Black (Senior Linux / DBA / DEVOPS)

Commented:
I would begin by downloading and configuring Snort, from
http://www.snort.org

You will likely need to download and install some lib files
depending on your system's installation level, but it's
fairly straight forward in the instructions...

~Kelly W. Black
I would check out AIDE... I set it up on my Debian server and it is great! There is an excellent HOWTO here:
http://www.debianplanet.com/index.php?or=7

The AIDE homepage is here:
http://www.cs.tut.fi/~rammer/aide.html

Good luck ! :)
Nick

Commented:
Get portsentry too: http://www.psionic.com
Commented:
AIDE is only a host-based intrusion detection system.

AIDE is more of a data integrity checker. Once the intrusion has been made, it will tell you what files were modified (if they were in the policy list of AIDE). It works just like Tripwire does; Tripwire now has lots of features above AIDE.

Snort, on the other hand, is a network-based intrusion detection system (NIDS). It checks the data passing through a network node and looks for patterns that are defined in the rule-base of Snort, to detect network intrusion attempts.

So what you can do is use a combination of host-based IDS and network-based IDS.

No security tool is a complete security solution in itself.

Commented:
For a free, starter IDS, Snort would be your best bet.  Download it from www.snort.com and get it up and running.  Basically, do a full "developers" installation of Linux, and grab Snort.

Being an IDS, you'll have to place it appropriately in your network.  The easiest thing to do would be to connect a hub directly in front, or behind your firewall.  Put the IDS in front if you want to see lots of alerts, most of which will be blocked by the firewall.  Put the IDS behind the firewall if you want to see only those "attacks" that have made it through.

I'd recommend you place it behind your firewall for a couple of reasons...

1) You won't be bombarded by unimportant traffic
2) There is less chance of the IDS being compromised and used by malicious users.

Good luck!

Shawn Preston, CISSP
Founder, SecureThinking
www.securethinking.net

Commented:
gah.. update to above message.. www.snort.org

Sorry.. too much eggnog!

Shawn Preston, CISSP
Founder, SecureThinking
www.securethinking.net
*ping*
Top Expert 2006

Commented:
I use 'snort', and 'tripwire'.

If you use snort properly, then there's probably no need for tripwire, but tripwire does give you a nice warm fuzzy feeling that all is well :)

Commented:
My recommendation would be for snort as well. Further, you may want to check into the ACID frontend for good reporting on the snort data. I believe it can be found at www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html

Hope this helps!
I have also used snort and tripwire. Another approach that I have used in the past, which was very effective, was time consuming but well worth the effort.
1) Monitor the most critical machine logs, extracting normal traffic for a reasonable period of time, and put the information that is not suspicious into a file.
2) Write a small shell or Perl script that runs grep with the exclude option, using the file created from the monitoring as the source of what gets excluded.
3) Have the script notify you in some way when something out of the ordinary happens.

About IDS: placement of the IDS is crucial, especially for snort. If you have every possible traffic type on the monitored segment, the logs will become useless within seconds. These devices can produce 300 lines per second on a busy network. That is the equivalent of the Encyclopaedia Britannica every hour (read that if you can :-). Restrict what it may see to what is peculiar, reduce the information it generates, and it will be useful.

Nicholas Nanos

SecureThinking
www.securethinking.net

"Where Information Security Evolves"
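The three-step approach in the post above, worked through as an added example (this is not the poster's own script; the auth log lines, the baseline patterns and the temporary paths are all constructed for the demonstration, and the "notify" step just writes to stderr):

```shell
#!/bin/sh
# Added example, not code from this thread: a minimal "known-normal" log filter
# in the spirit of the three steps above. A baseline file holds fixed strings
# seen during the monitoring period; any log line containing none of them is
# reported. All paths and log lines are constructed for the demonstration.

WORK="${TMPDIR:-/tmp}/ids-example.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample auth log (not real data).
cat > "$WORK/auth.log" <<'EOF'
Jan 10 08:01:12 host sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Jan 10 08:03:40 host CRON[1210]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 10 08:03:41 host CRON[1210]: pam_unix(cron:session): session closed for user root
Jan 10 08:15:02 host sshd[1300]: Failed password for root from 203.0.113.9 port 40122 ssh2
Jan 10 08:15:04 host sshd[1300]: Failed password for root from 203.0.113.9 port 40122 ssh2
Jan 10 08:20:17 host sshd[1333]: Accepted publickey for alice from 10.0.0.5 port 51090 ssh2
Jan 10 09:00:00 host useradd[1400]: new user: name=svc2, UID=0, GID=0, home=/root, shell=/bin/sh
EOF

# Steps 1 and 2: the baseline built from the monitoring period. One fixed
# string per line; grep -F -v -f drops every log line that contains any of them.
# Keep patterns specific (user and source host, not just "Accepted") so the
# exclusions do not also hide a login from an unexpected address.
cat > "$WORK/normal.patterns" <<'EOF'
Accepted publickey for alice from 10.0.0.5
pam_unix(cron:session): session opened for user root
pam_unix(cron:session): session closed for user root
EOF

# Print every line the baseline does not explain.
# Usage: anomalies LOGFILE PATTERNFILE
anomalies() {
    # grep exits 1 when every line was excluded; that is a clean result, not an error.
    grep -F -v -f "$2" "$1" || true
}

# Number of unexplained lines; zero means "nothing out of the ordinary".
anomaly_count() {
    anomalies "$1" "$2" | wc -l | tr -d ' '
}

# Step 3: notify. Here the report goes to stderr; in real use hook in mail(1)
# or whatever pager the admin reads. Returns 0 either way so a cron job does
# not hide the report behind a non-zero exit status.
notify() {
    n=$(anomaly_count "$1" "$2")
    if [ "$n" -gt 0 ]; then
        printf 'IDS: %s unexplained line(s) in %s\n' "$n" "$1" >&2
        anomalies "$1" "$2" >&2
    fi
    return 0
}

notify "$WORK/auth.log" "$WORK/normal.patterns"
```

Run against the constructed log, the two failed root logins and the new UID 0 account are the three lines that survive the filter; the routine cron and alice logins are silently dropped. The weak point of this method is the baseline itself: every pattern added to it is a blind spot, so review the file as carefully as you would an IDS rule set.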

Commented:
you may also want to try chkrootkit, it's updated regularly and fits on a floppy disk so you can scan your system regularly for signs of a rootkit on your system.

and the number 1 thing that you should implement on your system.....regular backups!

Commented:
Snort + MySQL + ACID (already enough URLs posted, or use Google)

Don't give the box you're going to set up the IDS on an IP, and plug it in where it's going to see all the network traffic, e.g. the admin port of a switch.
Commented:
Snort + MySQL + demarc NIDS (better than ACID imo)

Frankly, you won't find a better IDS than snort for the price.  Demarc, however, is not free but it is more user friendly than ACID and it has more functionality.  It's not that expensive for corporate use.  If you are using it for personal use it is free.

http://www.puresecure.com

When setting up an IDS I would suggest the use of a Honey Pot.  Honey Pots are good to attract crackers.  The idea behind a good honey pot is to make it so that the cracker doesn't get access to other crucial machines or outside your network.  That may be a little more advanced.

Commented:
All the ideas above are really nice and the general constant seems to be snort as an IDS. It would be nice to also think of tripwire. One thing about tripwire is that you need to keep the tripwire database on non-writeable media; normally I do this on a CDROM, otherwise the attacker can simply edit the database or simply re-run tripwire and cover their tracks.

Personally I use cvs to keep track of all the important files on my system. This is because I usually also want to know exactly which line was changed. Also because I am not the only admin (read root) on the machine, so I usually need to undo other people's mistakes.

cheers,

Noah.
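The host-based side discussed in the thread (the earlier post describing AIDE and Tripwire as integrity checkers, and Noah's point just above about keeping the database on non-writeable media) comes down to one mechanism, shown here as an added example. This is not AIDE's or Tripwire's own code; the monitored tree, the file contents and the "tampering" are constructed inside a temporary directory so the script runs without touching the real system:

```shell
#!/bin/sh
# Added example, not AIDE's or Tripwire's own code: the mechanism both tools
# rest on. Hash the files you care about into a baseline, store the baseline
# where the monitored host cannot rewrite it, and later report what was
# modified, added or removed. The monitored tree is constructed inside a
# temporary directory so the script can be run without touching the real /etc.

WORK="${TMPDIR:-/tmp}/fim-example.$$"
TREE="$WORK/root"
mkdir -p "$TREE/etc" "$TREE/bin"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for /etc/passwd and a system binary.
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$TREE/etc/passwd"
printf '#!/bin/sh\nexec /bin/ls "$@"\n' > "$TREE/bin/ls"

# SHA-256 of one file, via coreutils sha256sum or the Perl shasum fallback.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Write "hash path" lines for every regular file under $1 to $2, sorted so the
# comparison below is line-oriented. (Paths containing whitespace are out of
# scope for this demonstration.)
snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done > "$2"
}

# Create the baseline and make it read-only. As the thread notes, an attacker
# with root can otherwise edit the database or simply re-run the tool;
# write-protecting is the minimum, a CD-ROM or an off-host copy is better.
build_baseline() {
    snapshot "$1" "$2"
    chmod 0444 "$2"
}

# Compare tree $1 against baseline $2; one line per difference:
# MODIFIED path / ADDED path / REMOVED path.
check_baseline() {
    cur="$WORK/current.tmp"
    snapshot "$1" "$cur"
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         { seen[$2] = 1
           if (!($2 in base))        print "ADDED " $2
           else if (base[$2] != $1)  print "MODIFIED " $2 }
         END { for (p in base) if (!(p in seen)) print "REMOVED " p }' "$2" "$cur"
    rm -f "$cur"
}

# Count of differences; zero means the tree matches the baseline.
diff_count() {
    check_baseline "$1" "$2" | wc -l | tr -d ' '
}

BASELINE="$WORK/baseline.db"
build_baseline "$TREE" "$BASELINE"
CLEAN_COUNT=$(diff_count "$TREE" "$BASELINE")      # 0 right after the baseline

# Constructed changes of the kind the check is meant to surface:
# an extra UID 0 account, a new file dropped into bin, a binary removed.
printf 'svc2:x:0:0::/root:/bin/sh\n' >> "$TREE/etc/passwd"
printf 'placeholder\n' > "$TREE/bin/.extra"
rm -f "$TREE/bin/ls"
TAMPERED_COUNT=$(diff_count "$TREE" "$BASELINE")   # 3 after the changes

check_baseline "$TREE" "$BASELINE"
```

The read-only bit on the baseline only stops accidents; a root-level intruder can chmod it back, which is exactly why the thread recommends a CD-ROM. The same limitation applies to the hashing tool itself: if sha256sum or awk on the monitored host is replaced, the comparison is no longer trustworthy, so run the check from known-good media or from another host.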
Kelly Black (Senior Linux / DBA / DEVOPS)

Commented:
Too bad nobody got the points eh?
Pari;

I am going to answer this in a different way having thought about what you asked.

Before you obtain an IDS system of any type understand the following.

1) What the "normal" activity of the host or network system should be. There are such things as host-based IDS systems, Tripwire being one.

2) Once you understand what normal means, i.e. there should be only HTTP traffic on this LAN segment, get the IDS and write rules to notify you when abnormal traffic occurs.

3) Prior to installing the IDS, use a sniffer to view the traffic and make any reconfigurations that may be required to ensure that your definition of normal will work.

4) Activate the IDS.
Nick Nanos
www.securethinking.net

Author

Commented:
Thanks friends,
to all those who answered.
Bye from
pari
