How to build an intrusion detection system

Source: ChinaUnix

Build small Intrusion DetectionSystem
LibpcapDownloadAddress: html "target = _ blank>Http://download.chinaUnix. Net/download/0006000/5971 .shtml
Snort ::Http://www.snort.org/dl/current/snort-2.6.1.3.tar.gz
Guardian:Http://www.snort.org/dl/contrib/... guardian-1.6.tar.gz
Pcre:Http://sourceforge.net/project/s... p; release_id = 472551


Install:
① Decompress the libpcap package and enter the decompressedDirectory, Execute./configure
② ExecutionMake; Make installCommandCompileAnd install
③ Run the updatedb and locate libpcap commands. If any information is returned, the libpcap is successfully installed.
④ Decompress the pcre package and execute./configure; make install in the decompressed directory.
⑤ Decompress the snort package and enter its directory and execute./configure
Run make; make install to install snort.
Note: When executing snort./configure, you can use -- enable-smbalertsOptionThis option can send an snort alarm message to SAMBAWindowsHost.

Configure snort:
① Run cp etc/snort. conf/etc in the decompressed snort directory.
② Run mkdir/etc/snort in the decompressed snort directory.
③ InHttp://www.snort.org/pub-bin/downloads.cgiDownload snort rulesFileAnd put it in the/etc/snort directory, and unpack it.
Note: snort rules must be downloaded from registered users.
④ Run the mkdir/var/log/snort command to create the snortLogsDirectory
⑤ Vi/etc/snort. conf file, jump to row 26th, release the var HOME_NET field, and enter the network segment to be monitored in the original format.
⑥ Jump to row 114, find the var RULE_PATH field, and fill in the complete path for storing the snort rule following it. Here it is/etc/snort/rules.
7. Jump to row 3 and enter the iis_unicode_map field. Write/etc/snort/rules/unicode. map 476th
Skip to row 905th, locate the include classification. config item, and change it to include/etc/snort/rules/classification. config.
Skip to row 913rd, find the include reference. config item, and change it to include/etc/snort/rules/reference. config
Restart/usr/local/bin/snort-d-D-h 10.10.0.0/24-c/etc/snort. add conf to/etc/rc. d/rc. local file.
Note: Enter the CIDR block to be monitored after-h.AutomaticStart the NIDS intrusion detection system.
Skip/etc/snort/rules to line 953rd, find include $ RULE_PATH/bad-traffic.rules. From this line to the end, all is a collection of snort rules, according to individual needsDebugging. The value # indicates whether to enable it.
Deny recommends removing the # Before these rules, that is, releasing these rules.
# Include $ RULE_PATH/web-attacks.rules
# Include $ RULE_PATH/backdoor. rules
# Include $ RULE_PATH/shellcode. rules
# Include $ RULE_PATH/policy. rules
# Include $ RULE_PATH/porn. rules
# Include $ RULE_PATH/info. rules
# Include $ RULE_PATH/icmp-info.rules
# Include $ RULE_PATH/virus. rules
# Include $ RULE_PATH/chat. rules
# Include $ RULE_PATH/multimedia. rules
# Include $ RULE_PATH/p2p. rules
# Include $ RULE_PATH/spyware-put.rules

Configure guardian:
① Unpackage, jump to the extracted directory, and execute the following copy commands in sequence.
② Echo>/etc/guardian. ignore
③ Cp guardian. pl/usr/local/bin/
④ Cp scripts/Iptables_ Block. sh/usr/local/bin/guardian_block.sh
⑤ Cp scripts/iptables_unblock.sh/usr/local/bin/guardian_unblock.sh
⑥ Cp guardian. conf/etc/
7. Run the vi/etc/guardian. conf command to edit the guardian configuration file.
⑧ Find the HostIpAddr, remove the # above it, and fill in the local IP address behind it.
Locate the Interface and write the monitoredNicAddress name.
⑩ LogFile defines the log file of guardian.
Note: This file needs to be manually created based on the defined path.PermissionSet to 600
The IP address to be ignored by ⑪ IgnoreFile to store the file. That is, you need to add the IP address to the file without checking it.
⑫ TimeLimit defines the maximum time to block an IP address. If it is set to 99999999, there is no time limit.
⑬ AlertFile defines where to read the snort log, where it is/var/log/snort/alert, and the absolute path must be entered here.
Upload/usr/bin/perl/usr/local/bin/guardian. pl-c/etc/guardian. add the conf command to/etc/rc. d/rc. in the local file, make it run automatically at startup.

Configure Automatic update of snort rules
① Write the following script:
#! /Bin/sh
Cd/etc/snort
WgetHttp://www.snort.org/pub-bin/dow... ot-CURRENT_s.tar.gz
Tar zxvf snortrules-snapshot-CURRENT.tar.gz
Exit 0
② Save the preceding content as snortupdate. sh and use chmod a + x to grant the execution permission.
③ Place the snortupdate. sh file in the/etc/cron. daily folder, or use the crontab-e commandProgramAdd "0 3 * snortupdate. sh file storage path" to the configuration file, so that it will automatically execute the update script at every day.
SolutionAutomatic exit of guardian program
Sometimes the guardian program automatically exits, so write the following script
#! /Bin/bash
/Usr/local/bin/snort-d-D-h 10.10.0.0/24-c/etc/snort. conf
/Usr/bin/perl/usr/local/bin/guardian. pl-c/etc/guardian. conf
Save it as an executable file and put it in the/etc/cron. hourly folder so that it can be automatically started every hour.

Note:
The IDS system first uses snort for monitoring and logs. Then, it analyzes log files through the guardian program and finds malicious IP addresses.AccessThe request is automatically forwarded to iptables and the access request is denied. Therefore, iptables is required. Use the chkconfig -- level 2345 iptables on command to enable iptables to automatically start. Use chkconfig -- level 2345 crond onSetThe cron program runs automatically. snort's log file is/var/log/snort/alert

Guardian must be supported by the perl language. Install the perl language first.
Build a large-scale Intrusion Detection System
SoftwarePackage:
Mysql:Http://dev.mysql.com/
Httpd:Http://mirrors.sirium.net/pub/Apache/Httpd/httpd-2.2.4.tar.gz