pari205
INTRUSION DETECTION

I am planning to implement an intrusion detection system
in a Linux-based LAN. Please tell me what could be the possible starting point for this.
Kelly Black

I would begin by downloading and configuring Snort, from
http://www.snort.org

You will likely need to download and install some lib files
depending on your system's installation level, but it's
fairly straight forward in the instructions...

~Kelly W. Black
direct151

I would check out AIDE... I set it up on my Debian server and it is great! There is an excellent HOWTO here:
http://www.debianplanet.com/index.php?or=7

The AIDE homepage is here:
http://www.cs.tut.fi/~rammer/aide.html

Good luck ! :)
Nick
get portsentry too  http://www.psionic.com
AIDE is only a host-based intrusion detection system.

AIDE is more of a data integrity checker: once the intrusion has been made, it will tell you what files were modified (if those were in AIDE's policy list). It works just like Tripwire does; Tripwire now has lots of features above AIDE.

Snort, on the other hand, is a network-based intrusion detection system (NIDS). It checks the data passing through a network node and looks for patterns defined in Snort's rule base to detect network intrusion attempts.

So what you can do is use a combination of host-based IDS and network-based IDS.

No security tool is a complete security solution in itself.
For a free, starter IDS, Snort would be your best bet.  Download it from www.snort.com and get it up and running.  Basically, do a full "developers" installation of Linux, and grab Snort.

Being an IDS, you'll have to place it appropriately in your network.  The easiest thing to do would be to connect a hub directly in front, or behind your firewall.  Put the IDS in front if you want to see lots of alerts, most of which will be blocked by the firewall.  Put the IDS behind the firewall if you want to see only those "attacks" that have made it through.

I'd recommend you place it behind your firewall for a couple of reasons...

1) You won't be bombarded by unimportant traffic
2) There is less chance of the IDS being compromised and used by malicious users.

Good luck!

Shawn Preston, CISSP
Founder, SecureThinking
www.securethinking.net
gah.. update to above message.. www.snort.org

Sorry.. too much eggnog!

Shawn Preston, CISSP
Founder, SecureThinking
www.securethinking.net
*ping*
I use 'snort', and 'tripwire'.

If you use snort properly, then there's probably no need for tripwire, but tripwire does give you a nice warm fuzzy feeling that all is well :)
My recommendation would be for snort as well. Further, you may want to check into the ACID frontend for good reporting on the snort data. I believe it can be found at www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html

Hope this helps!
I have also used Snort and Tripwire. Another approach that I have used in the past, which was very effective, was time consuming but well worth the effort.
1 Monitor the most critical machines' logs, extracting normal traffic for a reasonable period of time, putting the information that is not suspicious into a file.
2 Write a small shell script or Perl script to execute a grep using exclude, with the file created from the monitoring as the source of what gets excluded.
3 Have the script notify you in some way when something out of the ordinary happens.

About IDS: placement of the IDS is crucial, especially for Snort. If you have every possible traffic type on the monitored segment, the logs will become useless within seconds. These devices can produce 300 lines per second on a busy network. That is the equivalent of the Encyclopaedia Britannica every hour (read that if you can :-). Restrict what is peculiar that it may see, reduce the information it generates, and it will be useful.

Nicholas Nanos

SecureThinking
www.securethinking.net

"Where Information Security Evolves"
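The three-step log monitor described in the post above (baseline the normal lines, grep them out, notify on whatever is left), as an added example that is not code from the thread or from any of its posters. The pattern file, the log lines and the notify() target are all constructed for the example; in production notify() would call mail(1) or logger(1).

```shell
#!/bin/sh
# Added example, not code from the thread: the "grep with an exclude file"
# log monitor. Lines that match a pattern in the known-normal file are
# dropped; whatever survives is reported. Needs only POSIX sh and grep.

# The baseline of "normal" lines is built by reviewing logs during a quiet
# period. These patterns are constructed for the example. They are fixed
# substrings (grep -F), so no regex metacharacters are interpreted. Keep
# them specific: "from 10.0.0.5" alone would also match 10.0.0.50.
write_baseline() {   # $1 = path of the pattern file to create
    cat >"$1" <<'EOF'
CRON[
Accepted publickey for backup from 10.0.0.5 port
systemd[1]: Started
EOF
}

# Constructed sample of what a syslog auth log might show (not a real log).
SAMPLE_LOG='Dec 24 03:01:01 web1 CRON[1042]: (root) CMD (run-parts /etc/cron.hourly)
Dec 24 03:05:12 web1 sshd[1101]: Accepted publickey for backup from 10.0.0.5 port 51002 ssh2
Dec 24 03:07:44 web1 sshd[1120]: Failed password for root from 203.0.113.77 port 44812 ssh2
Dec 24 03:07:46 web1 sshd[1120]: Failed password for root from 203.0.113.77 port 44812 ssh2
Dec 24 03:09:00 web1 systemd[1]: Started Daily apt download activities.
Dec 24 03:11:30 web1 sshd[1133]: Accepted password for admin from 198.51.100.9 port 40022 ssh2'

# Step 2: print the log lines (stdin) that match none of the known-normal
# patterns. Exit status is grep's: 0 when something unusual was found,
# non-zero when the input was entirely "normal".
filter_unusual() {   # $1 = pattern file
    grep -v -F -f "$1"
}

# Step 3: notification. Appends to a report file here; replace the body
# with "mail -s ..." or "logger -p auth.warning" in production.
notify() {   # $1 = report file; message on stdin
    {
        echo "== unusual log lines, $(date '+%Y-%m-%d %H:%M:%S') =="
        cat
    } >>"$1"
}

# Run the filter over a log file and notify only when something survives.
# Returns 0 if a notification was sent, 1 if the log was all normal.
check_log() {   # $1 = log file, $2 = pattern file, $3 = report file
    unusual=$(filter_unusual "$2" <"$1") || return 1
    printf '%s\n' "$unusual" | notify "$3"
    return 0
}
```

Run check_log from cron against the log files of the critical hosts. Note that the pattern file is itself a target: an attacker who can append "Failed password" to it silences the monitor, so it belongs with the integrity-checked files, not in a world-writable directory.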
You may also want to try chkrootkit; it's updated regularly and fits on a floppy disk, so you can scan your system regularly for signs of a rootkit on your system.

and the number 1 thing that you should implement on your system.....regular backups!
Snort + MySQL + ACID (already enough URLs posted, or use Google)

Don't give the box you're going to set up the IDS on an IP, and plug it in where it's going to see all the network traffic, e.g. the admin port of a switch.
ASKER CERTIFIED SOLUTION
notjames
All the ideas above are really nice and the general constant seems to be snort as an IDS. It would be nice to also think of tripwire. One thing about tripwire is that you need to keep the tripwire database on non-writeable media; normally I do this on a CD-ROM, otherwise the attacker can simply edit the database or simply re-run tripwire and cover their tracks.

Personally I use cvs to keep track of all the important files on my system. This is because I usually also want to know exactly which line was changed . Also because I am not the only admin ( read root) on the machine so I usually need to undo other people's mistakes.

cheers,

Noah.
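What AIDE and Tripwire do at their core (the integrity-checker description earlier in the thread), together with the point in the post above about protecting the database itself, as an added example that is not code from the thread, from AIDE or from Tripwire. It assumes GNU coreutils (sha256sum, find, comm), and the sample tree the usage below creates is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal file-integrity checker
# of the kind AIDE and Tripwire implement. A baseline of SHA-256 digests is
# taken once, later runs are compared against it, and the baseline's own
# digest is recorded so that a tampered baseline can be detected.
# Assumes GNU coreutils. Database paths must be absolute, because the
# functions chdir into the tree being checked.

# Write a baseline of every regular file under $1 into database $2.
# Paths are stored relative to the tree root ("./etc/passwd").
make_baseline() {   # $1 = tree root, $2 = database file (absolute path)
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) >"$2"
}

# Digest of the database itself. Store this where the attacker cannot
# reach it (read-only media, a printout, another host) and check it with
# check_database() before trusting a verification run.
database_fingerprint() {   # $1 = database file
    sha256sum "$1" | cut -d' ' -f1
}

# Returns 0 only if the database still matches the recorded fingerprint.
check_database() {   # $1 = database file, $2 = fingerprint recorded earlier
    [ "$(database_fingerprint "$1")" = "$2" ]
}

# Compare tree $1 against database $2. Prints one line per finding:
#   ./path: FAILED                (content changed)
#   ./path: FAILED open or read   (file removed)
#   NEW: ./path                   (file not in the baseline)
# Returns 0 when the tree matches the baseline, 1 otherwise.
verify_baseline() {   # $1 = tree root, $2 = database file (absolute path)
    rc=0
    # Changed and missing files: sha256sum -c reports them on stdout.
    ( cd "$1" && sha256sum -c --quiet "$2" 2>/dev/null ) || rc=1
    # New files: present in the tree now but absent from the baseline.
    tmp_now=$(mktemp); tmp_base=$(mktemp)
    ( cd "$1" && find . -type f | LC_ALL=C sort ) >"$tmp_now"
    # sha256sum lines are 64 hex digits, two spaces, then the path.
    awk '{ print substr($0, 67) }' "$2" | LC_ALL=C sort >"$tmp_base"
    new_files=$(comm -13 "$tmp_base" "$tmp_now")
    rm -f "$tmp_now" "$tmp_base"
    if [ -n "$new_files" ]; then
        printf '%s\n' "$new_files" | sed 's/^/NEW: /'
        rc=1
    fi
    return $rc
}
```

Usage: make_baseline /etc /mnt/cdrom/etc.db (or to a writable path that is then burned to read-only media), record database_fingerprint of it off-box, and later run check_database followed by verify_baseline from cron. Content hashes alone miss what real tools also record (owner, mode, inode, mtime), and a checker running on a compromised kernel can be lied to, which is why the post about chkrootkit and regular backups still applies.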
Too bad nobody got the points eh?
Pari;

I am going to answer this in a different way having thought about what you asked.

Before you obtain an IDS system of any type understand the following.

1 what the "normal" activity of the host or network system should be. There are such things as host-based IDS systems, Tripwire being one.

2 once you understand what normal means, i.e. there should be only HTTP traffic on this LAN segment, get the IDS and write rules to notify you when abnormal traffic occurs.

3 prior to installing the IDS, use a sniffer to view the traffic and make any reconfigurations that may be required to ensure that your definition of normal will work.

4 activate the IDS

Nick Nanos
www.securethinking.net
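Steps 1 to 3 of the procedure above, worked through for the "only HTTP on this segment" case, as an added example that is not code from the thread or from Snort. It profiles a tcpdump capture to see which ports the segment really serves, then turns the agreed list of normal ports into Snort rules that alert on everything else. The capture lines, the 192.168.1. prefix and the SIDs are constructed for the example; Snort itself is not needed to run it.

```shell
#!/bin/sh
# Added example, not code from the thread: profile a capture, then generate
# Snort rules from the resulting definition of "normal". POSIX sh and awk.

# Constructed sample in tcpdump's default text format (tcpdump -n -i eth0).
# Not a real capture.
SAMPLE_TCPDUMP='03:00:01.000001 IP 198.51.100.9.51234 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0
03:00:01.000002 IP 192.168.1.10.80 > 198.51.100.9.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
03:00:02.000003 IP 203.0.113.4.40000 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0
03:00:03.000004 IP 10.0.0.5.55555 > 192.168.1.10.443: Flags [S], seq 1, win 64240, length 0
03:00:04.000005 IP 203.0.113.77.44812 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0
03:00:05.000006 IP 203.0.113.77.44812 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0'

# Steps 1 and 3: count new TCP connections (pure SYN packets) to each port
# on the monitored segment. Input: tcpdump text on stdin. $1: address
# prefix of the segment. Output: "count port", busiest port first.
port_profile() {   # $1 = HOME_NET prefix, e.g. 192.168.1.
    awk -v pfx="$1" '
        $2 == "IP" && $4 == ">" && $6 == "Flags" && $7 == "[S]," && index($5, pfx) == 1 {
            sub(/:$/, "", $5)            # "192.168.1.10.80:" -> "192.168.1.10.80"
            n = split($5, a, ".")        # last dotted component is the port
            count[a[n]]++
        }
        END { for (p in count) print count[p], p }
    ' | sort -k1,1nr -k2,2n
}

# Step 2: given the ports agreed to be legitimately in use, emit Snort rules
# that alert on any other inbound TCP connection attempt and on any UDP at
# all, since the segment is supposed to carry only HTTP. SIDs 1000000 and
# up are reserved for local rules; "flags:S,12" matches SYN-only packets
# while ignoring the two reserved (ECN) bits.
gen_snort_rules() {   # $@ = allowed TCP ports
    allowed=$(printf '%s,' "$@")
    allowed="[${allowed%,}]"
    cat <<EOF
# Generated from the traffic profile; $allowed are the expected services.
alert tcp any any -> \$HOME_NET !$allowed (msg:"Inbound TCP to unexpected port on HTTP-only segment"; flags:S,12; sid:1000001; rev:1;)
alert udp any any -> \$HOME_NET any (msg:"UDP on HTTP-only segment"; sid:1000002; rev:1;)
EOF
}
```

The profile is reviewed by a person before anything goes into the allow list: in the sample, port 22 shows up with a single SYN from an outside address, which is exactly the kind of thing the profile should make you question rather than whitelist. Only 80 and 443 go to gen_snort_rules, and the output is appended to local.rules.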

ASKER

Thanks, friends,
to all those who answered.
Bye from
pari