Reply To: Is it possible to install an IDS onto/into Zeroshell?


#48675

securenet
Member

I know nothing about compiling but I found this online.

My questions:

Is there special compiling needed to install SNORT/IDS onto ZeroShell or can I simply follow the instructions listed here?

===================================

Install Snort on Linux

1. Download the latest source from Snorts Web Site

2. Unzip and Untar the source file. This will unpack the tar file to a snort directory

[root]# tar -zxvf snort.tar

3. Compile the source

[root]# cd snort-
[root]# ./configure
[root]# make
[root]# make install
[root]# make clean
This will install snort /usr/local/bin/snort by default

4. Create the configuration directory and copy the configuration files over. This assumes you are in the snort directory

[root]# mkdir /etc/snort
[root]# cp -rf etc/* /etc/snort
[root]# cp -rf rules/* /etc/snort

5. Customize your snort.conf to meet your needs. This is a configuration I have found to be useful

[root]# cd /etc/snort
[root]# vi snort.conf

– Change your rule path RULE_PATH /etc/snort
var RULE_PATH /etc/snort
– Uncomment the following line (this will cause snort to use much less resident memory)
config detection: search-method lowmem
– Make sure the flow preprocessor is NOT commented out
preprocessor flow: stats_interval 0 hash 2
– Uncomment the flow-portscan if you want to detect port scans (change server-watchnet for your network)
preprocessor flow-portscan: \
server-watchnet [172.16.0.0/16] \
unique-memcap 5000000 unique-rows 50000 \
tcp-penalties on \
server-scanner-limit 30 \
alert-mode all \
output-mode msg \
server-learning-time 3600
– Comment out / Uncomment the rules files you want. This is my file
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
#include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules

6. Create a snort user to run the process and create your log directory

[root]# adduser snort
[root]# mkdir /var/log/snort
[root]# chown snort:snort /var/log/snort

7. Start up snort. I just create a script to start up snort with the following command.

#!/bin/sh
/usr/local/bin/snort -A fast -d -u snort -g snort -D -c /etc/snort/snort.conf

Your alerts will be logged to /var/log/snort/alert.

I have a snort log parser written in perl that will parse the snort alerts and show today’s alerts in an easy to read format. Example log:
04/06 08:06:57 TCP 24.163.219.104:80 → 67.173.96.51:2763 ATTACK-RESPONSES 403 Forbidden 1201
04/06 08:07:53 TCP 24.163.219.104:80 → 211.40.66.207:2676 ATTACK-RESPONSES 403 Forbidden 1201
04/06 08:13:51 TCP 24.163.219.104:80 → 211.40.211.115:2604 ATTACK-RESPONSES 403 Forbidden 1201
download log parse script here
If you use shorewall firewall script you can download my program SnortShorewall to proactively prevent hackers from compromising your machine. SnortShorewall will run in the background and monitor your alerts from snort and black list the ip address that attempt to hack your system. Read more about SnortShorewall here
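As an added example (not part of the post above and not the poster's Perl script), here is a small Python parser for the file that `snort -A fast` writes to /var/log/snort/alert. It turns each fast-format alert line into a record, keeps only the current day's alerts, prints them in the same compact "date time proto src -> dst msg sid" shape shown in the post, and counts alerts per source and signature so a sysadmin can see which sources are noisiest. The sample alert lines are constructed for this example (the timestamps, classifications and the ICMP entry are made up); the fast-alert layout it assumes is the classic Snort 2.x one.

```python
#!/usr/bin/env python3
"""Parse Snort 'fast' alerts and report today's alerts.

Example code added to this thread, not the poster's Perl parser.
Assumed input layout (classic Snort 2.x `-A fast` output, one alert per line):
  MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
ICMP alerts carry no ports, so the port parts are optional.
"""
import re
import sys
from collections import Counter
from datetime import date

FAST_ALERT_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2})-(?P<time>\d{2}:\d{2}:\d{2})\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<priority>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample lines in fast-alert format (not real captured traffic).
SAMPLE_ALERTS = """
04/06-08:06:57.123456  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 24.163.219.104:80 -> 67.173.96.51:2763
04/06-08:07:53.004210  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 24.163.219.104:80 -> 211.40.66.207:2676
04/05-23:59:01.777000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.9 -> 192.0.2.1
this line is not an alert and must be skipped, not crash the parser
""".strip().splitlines()


def parse_alert(line):
    """Return a dict for one fast-alert line, or None if the line does not match."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "date": d["date"],
        "time": d["time"],
        "proto": d["proto"],
        "src": d["src"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else None,
        "sid": int(d["sid"]),
        "msg": d["msg"],
        "priority": int(d["priority"]) if d["priority"] else None,
    }


def format_alert(a):
    """Render a parsed alert in the compact one-line form shown in the post."""
    src = a["src"] + (f":{a['sport']}" if a["sport"] is not None else "")
    dst = a["dst"] + (f":{a['dport']}" if a["dport"] is not None else "")
    return f"{a['date']} {a['time']} {a['proto']} {src} -> {dst} {a['msg']} {a['sid']}"


def todays_alerts(lines, today=None):
    """Parse all lines and keep only alerts whose MM/DD matches today (or the given day)."""
    today = today or date.today().strftime("%m/%d")
    alerts = []
    for line in lines:
        a = parse_alert(line)
        if a is not None and a["date"] == today:
            alerts.append(a)
    return alerts


def summarize(alerts):
    """Count alerts per (source address, sid, message) so noisy sources stand out."""
    return Counter((a["src"], a["sid"], a["msg"]) for a in alerts)


def main(argv):
    # Usage: snort_today.py [/var/log/snort/alert]; with no argument the sample lines are used.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
        alerts = todays_alerts(lines)
    else:
        lines, alerts = SAMPLE_ALERTS, todays_alerts(SAMPLE_ALERTS, today="04/06")
    for a in alerts:
        print(format_alert(a))
    print("--- alerts per source / signature ---")
    for (src, sid, msg), n in summarize(alerts).most_common():
        print(f"{n:5d}  {src:<18} {sid:<6} {msg}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path to the alert file as its only argument; with no argument it reports on the built-in sample lines. Non-matching lines are skipped rather than aborting the run, which matters because the alert file can contain partial lines while Snort is still writing it.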