
How to Build a

Network Intrusion Detection System


Version 1.2

Step by Step Instructions

IL-TCE
Pheasant Run Resort
Wednesday February 26, 2003

Presented by:

Lee Leahu
Loyal Moses
RICIS, Inc.
Tinley Park, IL 60477-2697
Toll Free Number: 866-RICIS-77
Voice: 708-444-2690 - Toll-Free Fax: 866-99-RICIS

Introduction
We are using SuSE Linux Professional version 8.1 for our demonstration and explanations. This
process can be easily adapted to your favorite or preferred Linux distribution. If you are
undecided, we recommend and prefer the SuSE Linux distribution for its ease of installation and
overall distribution packaging.
There are several different types of Network Intrusion Detection Systems (NIDS). The two most
common of these are signature (pattern) based and statistical (heuristics) based systems.
Statistical based systems work by creating a baseline of the network activity. It then compares
ongoing real-time network activity to the baseline to find abnormal network activity, some of
which is undetectable by signature based systems. Statistical based intrusion detection systems
tend to generate many false positives and are extremely difficult to tune.
Signature based systems work by matching a given packet or sequence of packets that they see to
a list of known intrusion signatures. These types of systems usually miss new exploits and often
variants of older attacks. They are fairly easy to tune to minimize the number of false positives
they produce and to reduce the overall noise level of the reports.
If you are deploying your first network based intrusion detection system (NIDS), we would
highly recommend you first get your feet wet using a signature based IDS.

Copyright © RICIS, Inc. 2003 2/24/2003 Page 2


How to Build a Network Intrusion Detection
System Version 1.2
Table of Contents

Overview................................................................................................................................ 4
Minimum Hardware Requirements........................................................................................ 4
Minimum Software Requirements......................................................................................... 5
Installing Linux...................................................................................................................... 6
Configure Software Packages ................................................................................................ 7
Time Zone setup .................................................................................................................... 9
Actual Installation................................................................................................................ 10
Applying Patches ................................................................................................................. 18
Installing Snort..................................................................................................................... 23
Installing Barnyard............................................................................................................... 27
Database Setup (mysql) ....................................................................................................... 29
Installing ACID.................................................................................................................... 29
Installing Oinkmaster........................................................................................................... 31
Using the ACID Console ..................................................................................................... 33
Conclusion ........................................................................................................................... 35

Overview

Minimum Hardware Requirements


To implement a Network Intrusion Detection System, you will need to have a computer that
meets the following minimum requirements:

Processor: Pentium III or equivalent
Memory: 256 MB
Hard Drive: 30 GB - you must be able to delete all data on it
CD or DVD Drive: Any generic CD or DVD drive
Floppy Drive: Any generic floppy drive
Video Card: Any generic video card
Network Card: 100 Mbps Fast Ethernet

NOTE: There have been reports of some older (pre 1999) CD-ROM drives being incompatible
with SuSE Linux and other distributions. You may occasionally find some adapter cards that are
incompatible as well. If you install on a system that is no more than 3 years old, you should have
very good success. Often you only need to replace the CD-ROM drive or an adapter card to get the
installation to auto-detect the proper hardware and finish successfully. We have encountered
installation problems on some older Compaq Deskpro 2000s or 4000s, for example. Beware that
many Linux distributions may not contain drivers for embedded SCSI, video, and network
interface controllers. Often you can get supported drivers from the manufacturer. It is best to
check first before you invest your money in a new machine.
We have had great success with the 3Com 3C905 network interface cards. The more memory
and CPU you give a NIDS the better. When you go to deploy your NIDS in production, consider
a dual processor Pentium III 750 or better with at least 1 GB of RAM and 60 GB or more of
disk space. Your log files can get rather large. Remember also that a NIDS only sees what its
network card is shown: the interface Snort listens on must be plugged into a switch mirror (SPAN)
port, a hub, or a network tap that carries the traffic you want to monitor.
Please see the Linux Hardware-HOWTO for a complete list of supported hardware.
http://www.ibiblio.org/pub/Linux/docs/HOWTO/Hardware-HOWTO

Minimum Software Requirements
• MySQL Database Server
• MySQL Database Development Libraries
• Apache Web Server
• PHP Scripting Language
• GD Graphics Libraries
• libpcap Promiscuous Mode Packet Capture Libraries
• zlib Compression Libraries
• libpng PNG Graphics Libraries
• jpeg-6b JPEG Library
• freetype True Type Font Library

Installing Linux
For demonstration purposes, we will be using a system with Linux pre-installed.
This step will take approximately 1 to 1 and 1/2 hours depending on your hardware.
It is preferable that you begin this setup with your machine completely powered off.
1. Boot your computer using the first CD-ROM disc.
2. At the boot prompt, wait for the machine to automatically begin the installation.
3. Select your language.

4. If you are prompted for an installation type, select New Installation.


You should see a screen with various installation options you can adjust.
We will now configure partitions.
5. Click on Partitioning
6. Select 'Create custom partition setup' and click 'Next'
7. Select '1: 1. IDE ......' and click on 'Next'


8. Click on 'Use entire hard disk' and click on 'Next'
You should have been returned to the installation types screen.

Configure Software Packages


We will now configure the software packages to be installed.
9. Click on 'Software'
10. Click on 'Detailed selection'

11. Select the following categories in addition to the pre-selected categories:

• 'All of KDE'
• 'Gnome system'
• 'Simple Webserver'
• 'LDAP Server and Tools'
• 'Network/Server'
• 'C/C++ Compiler and Tools'
• 'Advanced Development'
• 'Tcl/Tk Development System'
12. Click the down-arrow on the Filter drop-down list.
13. Select 'Search' item.
14. Type 'mysql' into the search field and click on 'Search'

15. Check the box next to the item 'mysql-devel' if it is not checked already.
16. Click on 'Accept'
You should have been returned to the installation types screen.

Time Zone setup


We will now configure the server for the proper timezone.
17. Click on 'Time zone'
18. Select your timezone

19. Select 'Hardware clock; set to localtime'. (If this sensor's alerts will be correlated with logs
from other systems, setting the hardware clock to UTC instead avoids daylight-saving ambiguities;
either way, keep the clock accurate, since alert timestamps are only as good as the clock behind them.)


20. Click 'Accept'
You should have been returned to the installation types screen.
Actual Installation
We are now ready to begin the installation.
21. Click 'Yes, install'

Wait while the system installs the selected packages off CD 1. (If you wish, you can click 'Details' to
see a description of every package that is being installed.)
When prompted to do so, insert CD 2.

Wait while the system installs packages from CD 2.

Create the root user's password.


22. Create and enter a password for the root user. Record this password somewhere safe.

23. Click on 'Expert Options'


24. Select 'Blowfish' for the Password Encryption
25. Click 'Ok'
26. Click 'Next'

Create a normal user account.


27. Create a normal user account for yourself by completing the following details:

• First name
• Last name
• User login
• Enter a password
• Re-enter the password for verification
28. Check 'Forward roots mail to this user'
29. Click 'Next'

Create video settings.


Since this is a server, we don't want to have a graphical desktop running. It takes resources that
should be used by more important processes.
30. If prompted to prepare 3D for your video card, Click 'No'
31. Click 'Text mode only -- no graphical desktop'
32. Click 'Accept'
Wait while the system writes its configuration.

Configure Devices
We will now configure the devices that the system detected.
33. Click 'Skip detection' at the printer detection prompt.
34. Click on 'Network interfaces'
35. Click on 'Change'
36. Click on the first network card in the list
37. Click on 'Edit'
In a production environment, you must use a static IP address.
For classroom demonstration purposes only, you may use a dynamic IP address.

38. Click on 'Static address setup'

39. Enter the IP Address and Subnet mask


40. Click on 'Host name and name server'

41. Type in the host name and domain name for this machine.

42. Type in the name servers to use


43. Type in the default domain names to search.
44. Click 'Next'

45. Click 'Routing'


46. Enter the IP address of your default gateway

47. Click 'Next'


48. Click 'Next'
49. Click 'Finish'
You should have arrived back at the system device configuration screen.
50. Click 'Next'
Wait while the system finishes the installation and continues to boot.

Applying Patches
This step should take approximately 1/2 hour on a high-speed internet connection.
1. Login to the system using the root account.

2. Type the following command and press enter:


yast2

Tips on navigating the yast2 program:

• Tab key: Switches the focus to the next item.

• Enter key: Selects the currently focused item.

• Down-arrow key: Opens up a drop-down list.

• Escape key: Closes a drop-down list.


3. Select 'Software' in the menu on the left.

4. Select 'Online Update' in the menu on the right.

5. Select 'Expert'

6. Select 'HTTP'

7. Select 'Ok'

8. Enter 'ftp.leo.org' into the Server Name field.

9. Enter 'pub/comp/os/unix/linux/suse/suse' into the Directory on Server field.


10. Select 'Ok'
11. Select 'Next'
Wait while the system downloads a list of patches and their descriptions.
You will be shown a new window with a list of selected patches. The system will automatically
select the patches based on the packages that you have installed.

12. Select 'Ok'.

Wait while the system downloads the patches, installs them, and writes the configuration files.
The system will alert you when installation is complete.

13. Select 'Ok'.

14. Select 'Finish'.


15. Select 'Quit'.
16. Reboot the server by entering the following command and press enter:
shutdown -r now

Repeat this process until the system informs you that there are no more patches available.

Installing Snort
To learn more about Snort, please visit the Snort website, www.snort.org.
This step should take approximately 1/2 hour.
1. Login to the system using the root account.

Download and build Snort itself. You will be compiling and installing this code as root, so verify
the downloaded tarball against the checksum or signature published on snort.org before building it.


2. Type the following commands and press enter after each one:
cd /usr/local/src
wget http://www.snort.org/dl/snort-1.9.0.tar.gz
mkdir snort
mv snort-1.9.0.tar.gz snort
cd snort
tar -xzvf snort-1.9.0.tar.gz
cd snort-1.9.0
./configure
make
make install
Download and install the signature rules for snort.
3. Type the following commands and press enter after each one:
cd /usr/local/src
wget http://www.snort.org/dl/rules/snortrules-stable.tar.gz
mkdir snort-rules
mv snortrules-stable.tar.gz snort-rules
cd snort-rules
tar -xzvf snortrules-stable.tar.gz
cd rules
mkdir /etc/snort
cp -a * /etc/snort
Configure snort
We need to gather some information about our network interface before we configure snort.

Preparation
4. Type the following commands and press enter after each one:

route -n
5. Find the entry for the interface Snort will listen on (usually eth0) that has '0.0.0.0' in the
Gateway field. This is a directly connected network; the default route is the entry with '0.0.0.0'
in the Destination field instead, and it is not what you want here.

Write down the value in the Destination field to the left of the '0.0.0.0' value - this is your
local network address.
Write down the value in the Genmask field to the right of the '0.0.0.0' value - this is your
local network mask.

Actual Configuration
We need to configure snort now.
6. The rules and the snort.conf file were already copied into /etc/snort in step 3; nothing further
needs to be downloaded. Continue with the next step.
Open the snort configuration file in an editor.
7. Type the following command and press enter:

pico /etc/snort/snort.conf
8. Find the line that reads 'var HOME_NET any'.
Change that line to read 'var HOME_NET <address of your local network that you wrote
down>' followed by the prefix length that corresponds to your local network mask:
If the local network mask is '255.0.0.0', append a '/8' to the end of the line.
If the local network mask is '255.255.0.0', append a '/16' to the end of the line.
If the local network mask is '255.255.255.0', append a '/24' to the end of the line.
(Other masks have other prefix lengths; /8, /16 and /24 are simply the most common ones.)
9. Find the line that reads 'var RULE_PATH ../rules'.
Change that line to read 'var RULE_PATH /etc/snort'. An absolute path means the 'include'
lines resolve no matter which directory Snort happens to be started from; the relative './' used
in earlier versions of these notes only works if Snort's working directory is /etc/snort.
10. Find the line that reads 'preprocessor stream4_reassemble'.
Change that line to read 'preprocessor stream4_reassemble: both'.
11. Find the line that reads '# output log_unified: filename snort.log, limit 128'.
Change that line to read 'output log_unified: filename snort.log, limit 1024'.
12. Change every line that begins with '# include $RULE_PATH/' to begin with 'include
$RULE_PATH/'. This enables every rule set shipped in the stable rules, including sets such as the
policy, chat and porn rules that alert on traffic many sites consider normal. Starting with
everything enabled shows you what the full set produces; comment individual sets back out as
you tune.
13. Press Control-W
14. Press Control-X
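The preparation in steps 4 and 5 and the edits in steps 8 to 12 can be scripted. The following is an added example, not part of the original tutorial: it converts any contiguous netmask to a prefix length (the text above covers only /8, /16 and /24), builds the HOME_NET line from 'route -n' output for the interface Snort listens on (emitting Snort's bracketed list form when more than one network is directly connected), and applies the snort.conf edits with sed, setting RULE_PATH to the absolute /etc/snort. The route table and the snort.conf excerpt it works on are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original tutorial): derive HOME_NET from the
# output of `route -n` and apply the snort.conf edits of steps 8-12 with sed.
# The route table and snort.conf excerpt below are constructed sample data.

# Convert a dotted-quad netmask to a prefix length, e.g. 255.255.255.0 -> 24.
# Handles any contiguous mask, not only /8, /16 and /24.
mask_to_prefix() {
    prefix=0
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    for octet in "$@"; do
        case $octet in
            255) prefix=$((prefix + 8)) ;;
            254) prefix=$((prefix + 7)) ;;
            252) prefix=$((prefix + 6)) ;;
            248) prefix=$((prefix + 5)) ;;
            240) prefix=$((prefix + 4)) ;;
            224) prefix=$((prefix + 3)) ;;
            192) prefix=$((prefix + 2)) ;;
            128) prefix=$((prefix + 1)) ;;
            0)   ;;
            *)   echo "non-contiguous netmask octet: $octet" >&2; return 1 ;;
        esac
    done
    echo "$prefix"
}

# Read `route -n` output on stdin and print a 'var HOME_NET ...' line listing
# every directly connected network (Gateway 0.0.0.0) on the sniffing interface.
# Snort accepts a bracketed, comma-separated list when there is more than one.
home_net_var() {
    iface=$1
    list=
    while read -r dest gw mask flags metric ref use dev; do
        [ "$gw" = "0.0.0.0" ] || continue     # header lines and routes via a gateway
        [ "$dev" = "$iface" ] || continue     # only the interface Snort listens on
        [ "$dest" = "0.0.0.0" ] && continue   # the default route is not a local net
        list="$list${list:+,}$dest/$(mask_to_prefix "$mask")"
    done
    case $list in
        "")  return 1 ;;
        *,*) echo "var HOME_NET [$list]" ;;
        *)   echo "var HOME_NET $list" ;;
    esac
}

# Apply the edits of steps 8-12 to a snort.conf read on stdin.
# RULE_PATH is made absolute so includes resolve regardless of the
# directory Snort is started from.
apply_snort_conf_edits() {
    home_net=$1
    sed \
        -e "s|^var HOME_NET any\$|var HOME_NET $home_net|" \
        -e 's|^var RULE_PATH \.\./rules$|var RULE_PATH /etc/snort|' \
        -e 's|^preprocessor stream4_reassemble$|preprocessor stream4_reassemble: both|' \
        -e 's|^# output log_unified: filename snort.log, limit 128$|output log_unified: filename snort.log, limit 1024|' \
        -e 's|^# include \$RULE_PATH/|include $RULE_PATH/|'
}

# Constructed sample input (what `route -n` and the stock snort.conf might show).
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.20.0.0       0.0.0.0         255.255.240.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0'

SAMPLE_CONF='var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
preprocessor stream4_reassemble
# output log_unified: filename snort.log, limit 128
include $RULE_PATH/bad-traffic.rules
# include $RULE_PATH/web-cgi.rules
# include $RULE_PATH/policy.rules'

# Demo run over the sample data. On a real sensor use instead:
#   route -n | home_net_var eth0
#   apply_snort_conf_edits "$net" < /etc/snort/snort.conf > snort.conf.new
home_net_line=$(printf '%s\n' "$SAMPLE_ROUTE" | home_net_var eth0)
echo "$home_net_line"
printf '%s\n' "$SAMPLE_CONF" | apply_snort_conf_edits "${home_net_line#var HOME_NET }"
```

On a sensor, write the edited configuration to a new file and diff it against the original before replacing /etc/snort/snort.conf; the sed patterns are anchored to the exact stock lines, so a line that has already been changed by hand is left alone rather than mangled.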

We need to setup snort to run automatically when the system boots up.
15. Type the following commands and press enter after each one:

cd /usr/local/src/snort/snort-1.9.0/contrib
pico S99snort
16. Find the line that reads 'CONFIG=/usr/local/share/snort/snort.conf'.
Change that line to read 'CONFIG=/etc/snort/snort.conf'.
17. Press Control-W
18. Press Control-X
19. Type the following commands and press enter after each one:

mkdir /var/log/snort
cp S99snort /etc/rc.d/snort
cd /etc/rc.d/
chmod +x snort
ln -s snort rc0.d/K01snort
ln -s snort rc3.d/S99snort
ln -s snort rc5.d/S99snort
ln -s snort rc6.d/K01snort
./snort start
ps aux | grep snort
If you see a line that looks similar to
'/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g nogroup -D'
then snort has been installed and configured successfully. Note that this invocation only changes
Snort's group; the process still runs as root. Snort also has a '-u' option that drops to an
unprivileged user once the capture interface has been opened, and a production sensor should use
it (give that user write access to /var/log/snort).

Installing Barnyard
To learn more about Barnyard, please visit the Snort website, www.snort.org.
This step should take approximately 1/2 hour.
1. Login to the system using the root account.

Download Barnyard.
2. Type the following commands and press enter after each one:

cd /usr/local/src
wget http://www.snort.org/dl/barnyard/barnyard-0.1.0.tar.gz
mkdir barnyard
mv barnyard-0.1.0.tar.gz barnyard
cd barnyard
tar -xzvf barnyard-0.1.0.tar.gz
cd barnyard-0.1.0
./configure --enable-mysql
make
make install
(The 'cd barnyard' line was missing from the original list of commands; without it tar cannot find
the archive it was just moved into.)
Configure Barnyard.
3. Type the following commands and press enter after each one:
pico etc/barnyard.conf
(This is the etc directory inside the Barnyard source tree you are still in, not /etc.)

4. Find the line that reads '# config daemon'.


Change it to 'config daemon'.
5. Find the line that reads 'config hostname: snorthost'.
Change it to read 'config hostname: <host name of this sensor>'.
6. Find the line that reads 'config interface: fxp0'.
Change it to read 'config interface: <interface that snort uses, usually eth0>'.
7. Find the line that reads 'config filter: not port 22'.
Change it to read 'config filter:'.
8. Comment out the line that reads 'output alert_fast' by inserting a '#' at the beginning of it.
9. Comment out the line that reads 'output log_dump' by inserting a '#' at the beginning of it.

10. Find the line that reads '# output log_acid_db: mysql, database snort, server localhost, user
root, detail full'.
Change it to read 'output log_acid_db: mysql, database snort, server localhost, user root,
detail full'.
This connects to MySQL as its root account with no password, which is tolerable only on an
isolated classroom sensor. On a production system, create a dedicated MySQL account for
Barnyard and ACID, give it a password and only the rights it needs on the snort database, and
supply its credentials here instead.
11. Press Control-W
12. Press Control-X
13. Type the following commands and press enter after each one:

cp barnyard.conf /etc/snort
Setup barnyard to run automatically when the system boots up.
14. Type the following commands and press enter after each one:

pico /etc/rc.d/snort
15. Find the line that reads 'CONFIG=/etc/snort/snort.conf'.
16. Put a few blank lines after that line.
17. Type in the line 'BCONFIG=/etc/snort/barnyard.conf' and press enter.
18. Type in the line 'SLOGS=/var/log/snort' and press enter.
19. Type in the line 'SLOGFILE=snort.log' and press enter.
20. Put a few blank lines after those lines.
21. Find the line that reads '$SNORT_PATH/snort -c $CONFIG -i $IFACE -g $SNORT_GID
$OPTIONS'.
Type in on a new line after that '$SNORT_PATH/barnyard -c $BCONFIG -d $SLOGS -f
$SLOGFILE' and press enter.
Consider also adding Barnyard's '-w <waldo file>' option to that line (pointing at a file under
/var/log/snort): it records how far Barnyard has read through the unified logs, so a restart does
not re-insert every alert that is already in the database.
22. Find the line that reads 'kill -TERM `pidof $SNORT_PATH/snort`'.
Type in on a new line after that 'kill -TERM `pidof $SNORT_PATH/barnyard`' and press
enter.
23. Press Control-W
24. Press Control-X

Database Setup (mysql)


To learn more about mysql, please see the mysql website, www.mysql.com.
This step should take approximately 5 minutes.
1. Login to the system using the root account.
2. Type the following commands and press enter after each one:

cd /usr/local/src/snort/snort-1.9.0/contrib
mysqladmin -u root create snort
mysql -u root snort < create_mysql
The second mysql command loads the Snort table schema (create_mysql) shipped in the contrib
directory of the Snort source. The original text omitted the '< create_mysql' redirection, which
would simply have left you at an interactive mysql prompt with an empty database.
These commands assume the MySQL root account has no password, which is the state of a
fresh SuSE install. Before the sensor leaves the classroom, set a root password with mysqladmin
and create a separate, password-protected account for Barnyard and ACID.

Installing ACID
This step should take approximately 1 hour.
1. Login to the system using the root account.
First, prepare the Apache server.
2. Type the following commands and press enter after each one:
cd /srv
mv www www_old
mkdir www
mkdir www/htdocs
Next, download and install ADODB.
To learn more about ADODB, please see the ADODB website,
http://php.weblogs.com/ADODB.
3. Type the following commands and press enter after each one:

cd /usr/local/src
wget http://phplens.com/lens/dl/adodb311.tgz
mkdir adodb
mv adodb311.tgz adodb
cd adodb
tar -xzvf adodb311.tgz
cp -a adodb /srv/www/htdocs

Download and install JPGraph.


To learn more about JPGraph, please see the website, http://www.aditus.nu/jpgraph/index.php.
4. Type the following commands and press enter after each one:
cd /usr/local/src
wget http://www.aditus.nu/jpgraph/downloads/jpgraph-1.11.tar.gz
mkdir jpgraph
mv jpgraph-1.11.tar.gz jpgraph
cd jpgraph
tar -xzvf jpgraph-1.11.tar.gz
cp -a jpgraph-1.11/src /srv/www/htdocs/jpgraph
Download and install ACID itself.
To learn more about ACID, please see the ACID website,
http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html.
5. Type the following commands and press enter after each one:

cd /usr/local/src
wget http://www.andrew.cmu.edu/~rdanyliw/snort/acid-0.9.6b23.tar.gz
mkdir acid
mv acid-0.9.6b23.tar.gz acid
cd acid
tar -xzvf acid-0.9.6b23.tar.gz
cp -a acid /srv/www/htdocs/acid
Configure ACID.
6. Type the following commands and press enter after each one:
echo "<?php header('Location: /acid/'); ?>" > /srv/www/htdocs/index.php
pico /srv/www/htdocs/acid/acid_conf.php
7. Find the line that reads '$DBlib_path = "";'.
Change this line to read '$DBlib_path = "/srv/www/htdocs/adodb/";'.
8. Find the line that reads '$alert_dbname = "snort_log";'.
Change this line to read '$alert_dbname = "snort";'
9. Find the line that reads '$alert_password = "mypassword";'.
Change this line to read '$alert_password = "";'
10. Find the line that reads '$archive_dbname = "snort_archive";'.
Change this line to read '$archive_dbname = "snort";'
11. Find the line that reads '$archive_password = "mypassword";'.
Change this line to read '$archive_password = "";'

12. Find the line that reads '$ChartLib_path = "";'.


Change this line to read '$ChartLib_path = "/srv/www/htdocs/jpgraph";'
13. Find the line that reads '$portscan_file = "";'
Change this line to read '$portscan_file = "/var/log/snort/scan.log";'
14. Press Control-W
15. Press Control-X
16. Open a web browser on your workstation.
17. Type in the IP address of the IDS server and press enter
18. Click on 'Setup Page'.
19. Click on 'Create ACID AG'
20. Click on 'Main Page'
ACID has no login of its own: anyone who can reach the web server can read every alert and the
packet payloads behind it. Before using the console outside the classroom, restrict the acid
directory with Apache authentication or an address-based allow list, and do not let the web
server listen on the interface that faces the monitored network.

Installing Oinkmaster
To learn more about Oinkmaster, please visit the Snort website, www.snort.org.
This step should take approximately 15 minutes.
1. Login to the system using the root account.
2. Type the following commands and press enter after each one:

cd /usr/local/src
wget http://www.snort.org/dl/contrib/rule_management/oinkmaster/oinkmaster-0.6.tar.gz
mkdir oinkmaster
mv oinkmaster-0.6.tar.gz oinkmaster
cd oinkmaster
tar -xzvf oinkmaster-0.6.tar.gz
cd oinkmaster-0.6
pico oinkmaster.conf
3. Comment out the line 'skipfile sid-msg.map' by inserting a '#' symbol at the beginning of
the line.
4. Press Control-W
5. Press Control-X

6. Type the following commands and press enter after each one:

groupadd oinkmaster
useradd -d /usr/local/oinkmaster -s /bin/bash -g oinkmaster oinkmaster
mkdir /usr/local/oinkmaster
cp oinkmaster.pl /usr/local/oinkmaster
cp oinkmaster.conf /usr/local/oinkmaster
chown -R oinkmaster /usr/local/oinkmaster
chmod -R 700 /usr/local/oinkmaster
chown -R root:oinkmaster /etc/snort
chmod -R 774 /etc/snort
crontab -u oinkmaster -e
You are now in the editor called VI. We will define a job that runs oinkmaster once a day at
02:30 (the '30 2 * * *' schedule below; the original text described it as every 2 hours, which
that schedule does not do) and mails you only when oinkmaster reports something.
7. Type 'i' to enter INSERT mode.
8. Type '30 2 * * * cd /usr/local/oinkmaster; TMP=`mktemp /tmp/oinkmaster.XXXXXX` &&
(./oinkmaster.pl -o /etc/snort -q > $TMP 2>&1; if [ -s $TMP ]; then mail -s "Snort Rules
Update" your@emailaddress < $TMP; fi; rm $TMP)'
9. Press the Escape key to exit INSERT mode.
10. Type ':wq' to save and exit.
Snort reads its rules only when it starts, so an updated rule set does not take effect until Snort is
restarted. Review the mailed change report, then stop and start Snort with the /etc/rc.d/snort
script installed earlier.

Using the ACID console


1. Open a web browser on your local machine.
2. Type in the ip address of the server.
The ACID console is very easy to use. On the left side you will see how many unique and total
alerts have been recorded. On the right side, you will see what percentage of the alerts are TCP,
UDP, or ICMP related.

To view all the unique alerts that have occurred, click on the number in blue just
to the right of the 'Unique Alerts' label. You will see the alerts in the order of
when they occurred last. To change the sorting order, just click on the blue
arrows on either side of any of the table column labels

Conclusion
This document used SuSE Linux Professional version 8.1 as basis for its demonstration of how
to build your own Network Intrusion Detection System. You should be able to adapt this
presentation to your preferred Linux distribution. If you experience any difficulties with the
installation of Linux or getting any of the programs to work, consider trying this on newer
hardware and with SuSE Linux Professional version 8.1.

This tutorial explained the different types of Network Intrusion Detection Systems and made a
recommendation that your first experience should be with a signature (pattern) based system.

This document explained the minimum hardware and software requirements for the system, how
to install Linux and how to apply current system patches. It showed you how to install Snort,
Barnyard, ACID, and Oinkmaster, and how to build the database into which Barnyard stores the
alerts. It also demonstrated how to use the ACID console to review the alerts and Oinkmaster to
keep the signatures current.

After completing all the steps in this document, you should be seeing alerts in your ACID
console whenever any machine tries to probe your system. You will likely see a lot of white
noise as well. Typically you will see your management console or your ISP sending ICMP
(pings) or SNMP requests to other machines on your network. This is normal traffic in most
networks, so you will likely want to write some local rules to ignore it. You may also see other
types of traffic that you consider normal. Here too you will want to build some rules in the Snort
local rule set to ignore this traffic. Once you have eliminated the white noise you should be able
to focus on any real threats that your network is experiencing.
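As an added example in Snort's rule language (not rules from the tutorial), here are local pass rules for the management-console ICMP and SNMP polling described above. The console address and the rule SIDs are placeholders to replace; by convention SIDs from 1,000,000 upwards are reserved for locally written rules.

```snort
# Added example: local pass rules to silence known management traffic.
# MGMT_CONSOLE is a placeholder address; HOME_NET comes from snort.conf.
var MGMT_CONSOLE 192.168.1.10

# Echo requests from the console, and the replies coming back to it
pass icmp $MGMT_CONSOLE any -> $HOME_NET any (msg:"local: console ping"; itype:8; sid:1000001; rev:1;)
pass icmp $HOME_NET any -> $MGMT_CONSOLE any (msg:"local: ping reply to console"; itype:0; sid:1000002; rev:1;)

# SNMP polls from the console to agents on the monitored network
pass udp $MGMT_CONSOLE any -> $HOME_NET 161 (msg:"local: console SNMP poll"; sid:1000003; rev:1;)
```

Two things decide whether these rules have any effect. Put them in a rules file that snort.conf includes (local.rules is the conventional place). And note that by default Snort evaluates alert rules before pass rules, so a pass rule on its own does not suppress an alert; start Snort with the '-o' option (add it to OPTIONS in the init script) to change the order to pass, alert, log. Keep pass rules as narrow as the ones above, since every packet they match is dropped from inspection entirely: an attacker who can spoof the console's address gets the same free pass.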
