Ubuntu Intrusion Detection
“Paranoia will get you through times of no enemies better than enemies will get you through times of no paranoia”
~ Pete Granger
- Introduction ~ post #1
- Install Snort ~ post #2
- Configure snort ~ post #3
- Install base ~ post #4
- Using snort / base ~ post #5
- Install ossec-hids ~ post #6
- Install ossec-hids web interface ~ post #7
- Using ossec-hids ~ post #8
This how to was written as an extension to Ubuntu Security and is intended as an introduction to intrusion detection, Ubuntu Style.
This post is quite long, and for what I hope is greater readability, I have broken it into separate posts.
Here is a very nice link that reviews IDS :
Security Focus ~ An Introduction to Intrusion Detection Systems
And for the impatient, the readers digest version :
There are two "arms" of intrusion detection: HIDS and NIDS.
HIDS = Host-based Intrusion Detection System.
NIDS = Network-based Intrusion Detection System.
In a nut-shell, HIDS monitors you system files for unauthorized changes. Examples of this type of monitoring methodology might include techniques such as scanning for viruses, tripwire, Tiger, rkhunter, and chkrootkit.
Similarly, NIDS monitors your network traffic for DOS attacks, port scans, or other suspicious network activity. Examples include watching your firewall in Windows for alerts, snort, or Wireshark.
Although there are other options, both for applications and configuration, in this tutorial I will show you how to install ossec-hids and snort:
NIDS = snort
HIDS = ossec
Snort will monitor your network traffic by checking packets against "rules". We will configure snort to log "alerts" to a mysql database. We will then use base to display this information in a web browser (Firefox). Although seemingly foreign at first, base is a very nice web based gui front end for snort. Base is basically point and click and contains numerous links to help interpret alerts.
SNORT® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.
- Note : Snort will not work with wireless interfaces, you need to use airsnort instead.
OSSEC-HIDS will monitor your log files, monitor the integrity of system files, check for root kits, and perform active response. Active response means ossec will blacklist (block connections) from potential crackers "automagically".
OSSEC will, amongst other things, monitor snort and blacklist offending ip addresses.OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response.
Note : There are of course other options for HIDS, NIDS, as well as alternate configuration options for both snort and ossec.
You should be familiar with :
1. Installing from source (don't worry I will walk you through it).
2. Your ip address, both on your private LAN and public IP address.
3. Your netmask
- You can show your netmask withCode:sudo ifconfig | grep --color=always -e Mask -e 255
4. If you wish to access base and the OSSEC web interface outside your LAN you will need to know how to configure your router (you do have a router don't you?). In addition be sure to understand the security implications of running LAMP. In addition you may wish to use ,htaccess or ssl.
5. Installing and configuring snort will take some time, give yourself a few hours.
We will be running all commands in this tutorial as root
So either add "sudo" in front of these commands or open a terminal and obtain a root shell:Code:sudo -i