Building a cheap, powerful intrusion-detection system
- — 28 September, 2007 14:06
For brevity, this article focuses on installing a single stand-alone IDS at the network edge. For a Linux install, a desktop computer that is several years old should suffice. Figure on a minimum of 256MB of RAM, a 20GB hard drive, a 600-MHz processor and a CD drive, all features of desktop machines made within the past few years.
For installing a base Linux operating system, a machine to create the installation CD is needed. A Windows box running Burn4Free (a freeware ISO burner) will work fine. In addition, the network parameters (IP address and such) and a network connection for the IDS machine should be determined prior to the Linux installation.
Download the Fedora 7 Live ISO image or a Linux distribution of choice. Fedora 7 Live is a minimal installation of the Fedora Linux distribution that can run on a single CD, and the following instructions focus on Fedora Live 7, but they can be easily adjusted for other distributions if desired. Burn the ISO image to a CD on the Windows machine.
On the IDS machine, install the CD and set the BIOS to boot off the CD (just like a Windows install). The machine will automatically run the Fedora 7 Live distribution with no user interaction. Let it run until it has automatically logged in to the graphical user interface with the default account.
Click on the Install to Hard Drive icon. Answer the questions as they appear; most are similar to what is presented in a Windows installation. When done, remove the CD and reboot the machine. The machine is now ready for installation of the software needed to run and administer the IDS.
The needed applications
Snort essentially works on pattern matching by comparing packets to signatures of known attacks. There are literally thousands of such signatures available. Think of Snort as an intelligent sniffer: It takes a continuous trace of inbound and outbound Internet traffic and analyzes the trace by comparing against the signature database in real time. To do this manually would be impossible.
If a packet matches a pattern in a selected signature, an alert is generated. Analyzing the alerts for meaningful data is no easy task, given the amount of data and its raw format presentation. Therefore, a method is needed to collect and provide for group analysis of the data.
This example uses MySQL as the database application, but Microsoft SQL Server or Oracle may be used for the alert database as well. While populating a well-formatted database with Snort information is necessary for categorizing information, as with sniffer analysis, the process of analyzing such a database is labor-intensive.
This is where BASE comes into play. It's a Web front end to the database that presents the Snort alert data. This provides the information a network or security administrator needs to identify threats and enact controls to reduce the threats.
Other support applications needed include the Apache Web server, the GCC compiler and the PHP HTML scripting language. An excellent guide for installation of a Snort/BASE IDS system and all related applications written by Patrick Harper and Nick Oliver is available at Internet Security Guru.com. Other documentation and user forums are available at the main Snort Web site.