IL-TCE
Pheasant Run Resort
Wednesday February 26, 2003
Presented by:
Lee Leahu
Loyal Moses
RICIS, Inc.
Tinley Park, IL 60477-2697
Toll Free Number: 866-RICIS-77
Voice: 708-444-2690 - Toll-Free Fax: 866-99-RICIS
Introduction
We are using SuSE Linux Professional version 8.1 for our demonstration and explanations. This
process can be easily adapted to your favorite or preferred Linux distribution. If you are
undecided, we recommend and prefer the SuSE Linux distribution for its ease of installation and
overall distribution packaging.
There are several different types of Network Intrusion Detection Systems (NIDS). The two most
common of these are signature (pattern) based and statistical (heuristics) based systems.
Statistical based systems work by creating a baseline of the network activity. Such a system then
compares ongoing real-time network activity to the baseline to find abnormal network activity,
some of which is undetectable by signature based systems. Statistical based intrusion detection
systems tend to generate many false positives and are extremely difficult to tune.
Signature based systems work by matching a given packet or sequence of packets that they see to
a list of known intrusion signatures. These types of systems usually miss new exploits and often
miss variants of older attacks. These types of systems are fairly easy to tune to minimize the
number of false positives they produce and to reduce the overall noise level of the reports.
If you are deploying your first network based intrusion detection system (NIDS), we would
highly recommend that you first get your feet wet using a signature based IDS.
Overview
Minimum Hardware Requirements
Minimum Software Requirements
Installing Linux
Configure Software Packages
Time Zone setup
Actual Installation
Applying Patches
Installing Snort
Installing Barnyard
Database Setup (mysql)
Installing ACID
Installing Oinkmaster
Using the ACID Console
Conclusion
Hard Drive: 30 GB - must be able to delete all data on it
CD or DVD Drive: Any generic CD or DVD drive
Floppy Drive: Any generic floppy drive
Video Card: Any generic video card.
NOTE: There have been reports of some older (pre-1999) CD-ROM drives being incompatible
with SuSE Linux and other distributions. You may occasionally find some adapter cards to be
incompatible. If you install it on a system that is no more than 3 years old, you should have
very good success. Often you only need to replace the CD-ROM drive or an adapter card to get the
installation to auto-detect the proper hardware and finish successfully. We have encountered
installation problems on some older Compaq Deskpro 2000s or 4000s, for example. Beware that
many Linux distributions may not contain drivers for embedded SCSI, video, and network
interface controllers. Often you can get supported drivers from the manufacturer. It is best to
check first before you invest your money in a new machine.
We have had great success with the 3Com 3C905 network interface cards. The more memory
and CPU you give a NIDS, the better. When you go to deploy your NIDS in production, consider
a dual-processor Pentium III 750 or better with at least 1 GB of RAM and 60 GB or more of
disk space. Your log files can get rather large.
Please see the Linux Hardware-HOWTO for a complete list of supported hardware.
http://www.ibiblio.org/pub/Linux/docs/HOWTO/Hardware-HOWTO
• 'All of KDE'
• 'Gnome system'
• 'Simple Webserver'
• 'LDAP Server and Tools'
• 'Network/Server'
• 'C/C++ Compiler and Tools'
• 'Advanced Development'
• 'Tcl/Tk Development System'
12. Click the down-arrow on the Filter drop-down list.
13. Select 'Search' item.
14. Type 'mysql' into the search field and click on 'Search'
15. Check the box next to the item 'mysql-devel' if it is not checked already.
16. Click on 'Accept'
You should have been returned to the installation types screen.
Actual Installation
We are now ready to begin the installation.
21. Click 'Yes, install'
Wait while the system installs the selected packages off CD 1. (If you wish, you can click 'Details'
to see a description of every package that is being installed.)
When prompted to do so, insert CD 2.
• First name
• Last name
• User login
• Enter a password
• Re-enter the password for verification
28. Check 'Forward root's mail to this user'
29. Click 'Next'
Configure Devices
We will now configure the devices that the system detected.
33. Click 'Skip detection' at the printer detection prompt.
34. Click on 'Network interfaces'
35. Click on 'Change'
36. Click on the first network card in the list
37. Click on 'Edit'
In a production environment, you must use a static IP address.
For classroom demonstration purposes only, you may use a dynamic IP address.
41. Type in the host name and domain name for this machine.
Applying Patches
This step should take approximately 1/2 hour on a high-speed internet connection.
1. Login to the system using the root account.
5. Select 'Expert'
6. Select 'HTTP'
7. Select 'Ok'
Wait while the system downloads the patches, installs them, and writes the configuration files.
The system will alert you when installation is complete.
Repeat this process until the system informs you that there are no more patches available.
Installing Snort
To learn more about Snort, please visit the Snort website, www.snort.org.
This step should take approximately 1/2 hour.
1. Login to the system using the root account.
Preparation
4. Type the following commands and press enter after each one:
route -n
5. Find the entry that has '0.0.0.0' in the Gateway field.
Write down the value in the destination field to the left of the '0.0.0.0' value - This is your
local network address.
Write down the value in the genmask field to the right of the '0.0.0.0' value - this is your
local network mask.
Actual Configuration
We need to configure snort now.
6. Type the following commands and press enter after each one:
cd /usr/local/src
wget http://www.snort.org/dl/rules/snortrules-stable.tar.gz
mkdir snort-rules
mv snortrules-stable.tar.gz snort-rules
cd snort-rules
tar -xzvf snortrules-stable.tar.gz
cd rules
mkdir /etc/snort
cp -a * /etc/snort
We need to gather some information about our network interface before we configure snort.
7. Type the following commands and press enter after each one:
pico /etc/snort/snort.conf
8. Find the line that reads 'var HOME_NET any'.
Change that line to read 'var HOME_NET <address of your local network that you wrote
down>'.
If the local network mask is '255.0.0.0', append a '/8' to the end of the line.
If the local network mask is '255.255.0.0', append a '/16' to the end of the line.
If the local network mask is '255.255.255.0', append a '/24' to the end of the line.
9. Find the line that reads 'var RULE_PATH ../rules'.
Change that line to read 'var RULE_PATH ./'.
10. Find the line that reads 'preprocessor stream4_reassemble'.
Change that line to read 'preprocessor stream4_reassemble: both'.
11. Find the line that reads '# output log_unified: filename snort.log, limit 128'.
Change that line to read 'output log_unified: filename snort.log, limit 1024'.
12. Change every line that begins with '# include $RULE_PATH/' to begin with 'include
$RULE_PATH/'.
13. Press Control-W
14. Press Control-X
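Step 8 turns the network mask written down in step 5 into a CIDR prefix, and the tutorial lists only the three class-style masks. The following shell script is an added example, not code from the original tutorial or from the Snort project: it reads the output of 'route -n', picks the directly connected route for the sniffing interface (the loopback route shows a '0.0.0.0' gateway as well, so the interface name is used to tell the two apart), converts any contiguous netmask to a prefix length, and prints the finished 'var HOME_NET' line. The routing table embedded in the script and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not code from the original tutorial): derive the
# 'var HOME_NET' line for /etc/snort/snort.conf from 'route -n' output.
# The tutorial covers the 255.0.0.0, 255.255.0.0 and 255.255.255.0 masks;
# mask2prefix below handles any contiguous netmask and rejects the rest.

# Constructed sample of 'route -n' output. Note that the loopback route also
# has a 0.0.0.0 gateway, so the interface name is needed to pick the right row.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.10.1    0.0.0.0         UG    0      0        0 eth0'

# octet_bits N: number of leading 1 bits in one netmask octet (0..8).
# Anything that is not 0 or a run of 1 bits followed by 0 bits is an error.
octet_bits() {
    case "$1" in
        255) echo 8 ;; 254) echo 7 ;; 252) echo 6 ;; 248) echo 5 ;;
        240) echo 4 ;; 224) echo 3 ;; 192) echo 2 ;; 128) echo 1 ;;
        0)   echo 0 ;;
        *)   echo "invalid netmask octet: $1" >&2; return 1 ;;
    esac
}

# mask2prefix A.B.C.D: prints the CIDR prefix length, e.g. 255.255.255.0 -> 24.
# Once an octet is partial (fewer than 8 bits), every later octet must be 0;
# a mask such as 255.0.255.0 has no CIDR form and is rejected.
mask2prefix() {
    mask=$1
    set -- $(echo "$mask" | tr '.' ' ')
    [ $# -eq 4 ] || { echo "netmask must have four octets: $mask" >&2; return 1; }
    total=0
    partial=0
    for o in "$@"; do
        b=$(octet_bits "$o") || return 1
        if [ "$partial" -eq 1 ] && [ "$b" -ne 0 ]; then
            echo "non-contiguous netmask: $mask" >&2
            return 1
        fi
        [ "$b" -eq 8 ] || partial=1
        total=$((total + b))
    done
    echo "$total"
}

# home_net_line IFACE: reads 'route -n' output on stdin, takes the directly
# connected route (Gateway 0.0.0.0) for IFACE and prints the snort.conf line.
home_net_line() {
    iface=$1
    set -- $(awk -v ifc="$iface" '$2 == "0.0.0.0" && $8 == ifc { print $1, $3; exit }')
    [ $# -eq 2 ] || { echo "no connected route found for $iface" >&2; return 1; }
    prefix=$(mask2prefix "$2") || return 1
    echo "var HOME_NET $1/$prefix"
}

# Demonstration on the constructed table. On the sensor itself run:
#   route -n | home_net_line eth0
printf '%s\n' "$SAMPLE_ROUTE" | home_net_line eth0
```

Run it on the sensor as 'route -n | home_net_line eth0' (substituting the interface snort will listen on) and paste the printed line into snort.conf in place of 'var HOME_NET any'. A mask that has no CIDR form is reported instead of being silently truncated, since a wrong HOME_NET makes every rule that references it miss or over-match.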
We need to setup snort to run automatically when the system boots up.
15. Type the following commands and press enter after each one:
cd /usr/local/src/snort/snort-1.9.0/contrib
pico S99snort
16. Find the line that reads 'CONFIG=/usr/local/share/snort/snort.conf'.
Change that line to read 'CONFIG=/etc/snort/snort.conf'.
17. Press Control-W
18. Press Control-X
19. Type the following commands and press enter after each one:
mkdir /var/log/snort
cp S99snort /etc/rc.d/snort
cd /etc/rc.d/
chmod +x snort
ln -s snort rc0.d/K01snort
ln -s snort rc3.d/S99snort
ln -s snort rc5.d/S99snort
ln -s snort rc6.d/K01snort
./snort start
ps -aux | grep snort
If you see a line that looks similar to
'/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g nogroup -D'
then snort has been installed and configured successfully.
Installing Barnyard
To learn more about Barnyard, please visit the Snort website, www.snort.org.
This step should take approximately 1/2 hour.
1. Login to the system using the root account.
Download Barnyard.
2. Type the following commands and press enter after each one:
cd /usr/local/src
wget http://www.snort.org/dl/barnyard/barnyard-0.1.0.tar.gz
mkdir barnyard
mv barnyard-0.1.0.tar.gz barnyard
tar -xzvf barnyard-0.1.0.tar.gz
cd barnyard-0.1.0
./configure --enable-mysql
make
make install
Configure Barnyard.
3. Type the following commands and press enter after each one:
pico etc/barnyard.conf
10. Find the line that reads '# output log_acid_db: mysql, database snort, server localhost, user
root, detail full'.
Change it to read 'output log_acid_db: mysql, database snort, server localhost, user root,
detail full'.
11. Press Control-W
12. Press Control-X
13. Type the following commands and press enter after each one:
cp barnyard.conf /etc/snort
Setup barnyard to run automatically when the system boots up.
14. Type the following commands and press enter after each one:
pico /etc/rc.d/snort
15. Find the line that reads 'CONFIG=/etc/snort/snort.conf'.
16. Put a few blank lines after that line.
17. Type in the line 'BCONFIG=/etc/snort/barnyard.conf' and press enter.
18. Type in the line 'SLOGS=/var/log/snort' and press enter.
19. Type in the line 'SLOGFILE=snort.log' and press enter.
20. Put a few blank lines after those lines.
21. Find the line that reads '$SNORT_PATH/snort -c $CONFIG -i $IFACE -g $SNORT_GID
$OPTIONS'.
Type in on a new line after that '$SNORT_PATH/barnyard -c $BCONFIG -d $SLOGS -f
$SLOGFILE' and press enter.
22. Find the line that reads 'kill -TERM `pidof $SNORT_PATH/snort`'.
Type in on a new line after that 'kill -TERM `pidof $SNORT_PATH/barnyard`' and press
enter.
23. Press Control-W
24. Press Control-X
Database Setup (mysql)
cd /usr/local/src/snort/snort-1.9.0/contrib
mysqladmin -u root create snort
mysql -u root snort
Installing ACID
This step should take approximately 1 hour.
1. Login to the system using the root account.
First, prepare the Apache server.
2. Type the following commands and press enter after each one:
cd /srv
mv www www_old
mkdir www
mkdir www/htdocs
Next, download and install ADODB.
To learn more about ADODB, please see the ADODB website,
http://php.weblogs.com/ADODB.
3. Type the following commands and press enter after each one:
cd /usr/local/src
wget http://phplens.com/lens/dl/adodb311.tgz
mkdir adodb
mv adodb311.tgz adodb
cd adodb
tar -xzvf adodb311.tgz
cp -a adodb /srv/www/htdocs
cd /usr/local/src
wget http://www.andrew.cmu.edu/~rdanyliw/snort/acid-0.9.6b23.tar.gz
mkdir acid
mv acid-0.9.6b23.tar.gz acid
cd acid
tar -xzvf acid-0.9.6b23.tar.gz
cp -a acid /srv/www/htdocs/acid
Configure ACID.
6. Type the following commands and press enter after each one:
echo "<?php header('Location: /acid/'); ?>" > /srv/www/htdocs/index.php
pico /srv/www/htdocs/acid/acid_conf.php
7. Find the line that reads '$DBlib_path = "";'.
Change this line to read '$DBlib_path = "/srv/www/htdocs/adodb/";'.
8. Find the line that reads '$alert_dbname = "snort_log";'.
Change this line to read '$alert_dbname = "snort";'
9. Find the line that reads '$alert_password = "mypassword";'.
Change this line to read '$alert_password = "";'
10. Find the line that reads '$archive_dbname = "snort_archive";'.
Change this line to read '$archive_dbname = "snort";'
11. Find the line that reads '$archive_password = "mypassword";'.
Change this line to read '$archive_password = "";'
Installing Oinkmaster
To learn more about Oinkmaster, please visit the Snort website, www.snort.org.
This step should take approximately 15 minutes.
1. Login to the system using the root account.
2. Type the following commands and press enter after each one:
cd /usr/local/src
wget http://www.snort.org/dl/contrib/rule_management/oinkmaster/oinkmaster-0.6.tar.gz
mkdir oinkmaster
mv oinkmaster-0.6.tar.gz oinkmaster
cd oinkmaster
tar -xzvf oinkmaster-0.6.tar.gz
cd oinkmaster-0.6
pico oinkmaster.conf
3. Comment out the line 'skipfile sid-msg.map' by inserting a '#' symbol at the beginning of
the line.
4. Press Control-W
5. Press Control-X
6. Type the following commands and press enter after each one:
groupadd oinkmaster
useradd -d /usr/local/oinkmaster -s /bin/bash -g oinkmaster oinkmaster
mkdir /usr/local/oinkmaster
cp oinkmaster.pl /usr/local/oinkmaster
cp oinkmaster.conf /usr/local/oinkmaster
chown -R oinkmaster /usr/local/oinkmaster
chmod -R 700 /usr/local/oinkmaster
chown -R root:oinkmaster /etc/snort
chmod -R 774 /etc/snort
crontab -u oinkmaster -e
You are now in the editor called VI. We will define a job that runs oinkmaster every 2 hours.
7. Type 'i' to enter INSERT mode.
8. Type, as one single line, '30 2 * * * cd /usr/local/oinkmaster; TMP=`mktemp /tmp/oinkmaster.XXXXXX` && (./oinkmaster.pl -o /etc/snort -q > $TMP 2>&1; if [ -s $TMP ]; then mail -s "Snort Rules Update" your@emailaddress < $TMP; fi; rm $TMP)'
9. Press the Escape key to exit INSERT mode.
10. Type ':wq' to save and exit.
Using the ACID Console
To view all the unique alerts that have occurred, click on the number in blue just
to the right of the 'Unique Alerts' label. You will see the alerts in the order of
when they occurred last. To change the sorting order, just click on the blue
arrows on either side of any of the table column labels.
Conclusion
This document used SuSE Linux Professional version 8.1 as the basis for its demonstration of how
to build your own Network Intrusion Detection System. You should be able to adapt this
presentation to your preferred Linux distribution. If you experience any difficulties with the
installation of Linux or getting any of the programs to work, consider trying this on newer
hardware and with SuSE Linux Professional version 8.1.
This tutorial explained the different types of Network Intrusion Detection Systems and made a
recommendation that your first experience should be with a signature (pattern) based system.
This document explained the minimum hardware and software requirements for the system, how
to install Linux and how to apply current system patches. It showed you how to install Snort,
Barnyard, ACID, and Oinkmaster, and how to build the Barnyard database to store the alerts. It
also demonstrated how to use the ACID console to review the alerts and Oinkmaster to keep the
signatures current.
After completing all the steps in this document, you should be seeing alerts in your ACID
console whenever any machine tries to probe your system. You will likely see a lot of white
noise as well. Typically you will see your management console or your ISP sending ICMP
(pings) or SNMP requests to other machines on your network. This is normal traffic in most
networks, so you likely will want to make some local rules to ignore this traffic. You may also
see other types of traffic that you consider normal. Here too you will want to build some rules in
the Snort local rule set to ignore this traffic. Once you have eliminated the white noise you
should be able to focus on any real threats that your network is experiencing.
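One way to build the local rules mentioned above, as an added example that is not part of the original tutorial or of the Snort distribution: a shell script that generates 'pass' rules for the ICMP and SNMP traffic from a list of trusted management hosts, in the rule syntax Snort 1.9 accepts, with sids starting at 1000000 so they never collide with the sids in the rule set Oinkmaster keeps updating. The host addresses, rule messages and sid numbers are constructed values. Two things the tutorial's setup needs for these rules to take effect: the file they are written to (local.rules here) must be included from snort.conf through an 'include $RULE_PATH/' line, and in Snort 1.x rules are applied in Alert, Pass, Log order, so pass rules only override alerts when snort is started with the '-o' option (for example by adding it to the OPTIONS variable in the rc script edited earlier).

```shell
#!/bin/sh
# Added example (not code from the original tutorial): generate 'pass' rules
# for /etc/snort/local.rules so known-good ICMP and SNMP traffic from trusted
# management hosts stops being reported as alerts in ACID. Host list, rule
# messages and sid range are constructed values for illustration.
#
# Snort 1.x applies rules in Alert, Pass, Log order unless started with -o,
# so these rules silence nothing until -o is added to snort's OPTIONS.

# Local rules should use sids of 1000000 and above so they never collide with
# sids in the rule set that Oinkmaster downloads.
FIRST_SID=1000000

# is_ipv4 A.B.C.D: reject a typo before it turns into a rule that never
# matches (the alert would keep firing) or that matches more than intended.
is_ipv4() {
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# pass_rules HOST...: prints two rules per trusted host, an ICMP rule in both
# directions (requests and replies) and an SNMP rule (UDP 161-162) towards
# $HOME_NET. Fails without printing a partial set if any address is malformed.
pass_rules() {
    for host in "$@"; do
        is_ipv4 "$host" || { echo "not an IPv4 address: $host" >&2; return 1; }
    done
    sid=$FIRST_SID
    for host in "$@"; do
        echo "pass icmp $host any <> \$HOME_NET any (msg:\"LOCAL ICMP with trusted host $host\"; sid:$sid; rev:1;)"
        sid=$((sid + 1))
        echo "pass udp $host any -> \$HOME_NET 161:162 (msg:\"LOCAL SNMP from trusted host $host\"; sid:$sid; rev:1;)"
        sid=$((sid + 1))
    done
}

# Demonstration with constructed management-console and ISP monitor addresses.
# On the sensor, redirect the output to /etc/snort/local.rules instead.
pass_rules 192.168.10.5 10.1.2.3
```

Because a pass rule discards the packet for every later rule, keep the source addresses as narrow as the real management hosts and review the file whenever those hosts change; a broad pass rule is the easiest way to hide a genuine probe from the console.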