Is it possible to install an IDS onto/into Zeroshell?


This topic contains 1 reply, has 0 voices, and was last updated by  securenet 9 years, 5 months ago.

  • #41876

    securenet
    Member

    Is it possible to install an IDS (Intrusion Detection System) onto/into Zeroshell?

    I am looking forward to having this one Box be truly the Security Center for my Network.

    #48674

    imported_fulvio
    Participant

    Probably Snort will be released as external package.

    Regards
    Fulvio

    #48675

    securenet
    Member

    I know nothing about compiling but I found this online.

    My questions:

    Is there special compiling needed to install SNORT/IDS onto ZeroShell or can I simply follow the instructions listed here?

    ===================================

    Install Snort on Linux

    1. Download the latest source from Snort's Web Site

    2. Unzip and Untar the source file. This will unpack the tar file to a snort directory

    [root]# tar -zxvf snort.tar

    3. Compile the source

    [root]# cd snort-
    [root]# ./configure
    [root]# make
    [root]# make install
    [root]# make clean
    This will install snort to /usr/local/bin/snort by default

    4. Create the configuration directory and copy the configuration files over. This assumes you are in the snort directory

    [root]# mkdir /etc/snort
    [root]# cp -rf etc/* /etc/snort
    [root]# cp -rf rules/* /etc/snort

    5. Customize your snort.conf to meet your needs. This is a configuration I have found to be useful

    [root]# cd /etc/snort
    [root]# vi snort.conf

    – Change your rule path RULE_PATH to /etc/snort
    var RULE_PATH /etc/snort
    – Uncomment the following line (this will cause snort to use much less resident memory)
    config detection: search-method lowmem
    – Make sure the flow preprocessor is NOT commented out
    preprocessor flow: stats_interval 0 hash 2
    – Uncomment the flow-portscan if you want to detect port scans (change server-watchnet for your network)
    preprocessor flow-portscan: server-watchnet [172.16.0.0/16] unique-memcap 5000000 unique-rows 50000 tcp-penalties on server-scanner-limit 30 alert-mode all output-mode msg server-learning-time 3600
    – Comment out / Uncomment the rules files you want. This is my file
    include $RULE_PATH/local.rules
    include $RULE_PATH/bad-traffic.rules
    include $RULE_PATH/exploit.rules
    include $RULE_PATH/scan.rules
    include $RULE_PATH/finger.rules
    include $RULE_PATH/ftp.rules
    include $RULE_PATH/telnet.rules
    include $RULE_PATH/rpc.rules
    include $RULE_PATH/rservices.rules
    include $RULE_PATH/web-frontpage.rules
    include $RULE_PATH/web-misc.rules
    include $RULE_PATH/web-client.rules
    include $RULE_PATH/web-php.rules
    include $RULE_PATH/sql.rules
    include $RULE_PATH/x11.rules
    #include $RULE_PATH/icmp.rules
    include $RULE_PATH/netbios.rules
    include $RULE_PATH/misc.rules
    include $RULE_PATH/attack-responses.rules
    include $RULE_PATH/oracle.rules
    include $RULE_PATH/mysql.rules
    include $RULE_PATH/snmp.rules
    include $RULE_PATH/smtp.rules
    include $RULE_PATH/imap.rules
    include $RULE_PATH/pop2.rules
    include $RULE_PATH/pop3.rules
    include $RULE_PATH/nntp.rules
    include $RULE_PATH/other-ids.rules
    include $RULE_PATH/web-attacks.rules
    include $RULE_PATH/backdoor.rules
    include $RULE_PATH/shellcode.rules
    # include $RULE_PATH/policy.rules
    # include $RULE_PATH/porn.rules
    # include $RULE_PATH/info.rules
    # include $RULE_PATH/icmp-info.rules
    # include $RULE_PATH/virus.rules
    # include $RULE_PATH/chat.rules
    # include $RULE_PATH/multimedia.rules
    # include $RULE_PATH/p2p.rules
    include $RULE_PATH/experimental.rules

    6. Create a snort user to run the process, and create your log directory

    [root]# adduser snort
    [root]# mkdir /var/log/snort
    [root]# chown snort:snort /var/log/snort

    7. Start up snort. I just create a script to start up snort with the following command.

    #!/bin/sh
    /usr/local/bin/snort -A fast -d -u snort -g snort -D -c /etc/snort/snort.conf
    Your alerts will be logged to /var/log/snort/alert.

    I have a snort log parser written in perl that will parse the snort alerts and show today’s alerts in an easy to read format. Example log:
    04/06 08:06:57 TCP 24.163.219.104:80 → 67.173.96.51:2763 ATTACK-RESPONSES 403 Forbidden 1201
    04/06 08:07:53 TCP 24.163.219.104:80 → 211.40.66.207:2676 ATTACK-RESPONSES 403 Forbidden 1201
    04/06 08:13:51 TCP 24.163.219.104:80 → 211.40.211.115:2604 ATTACK-RESPONSES 403 Forbidden 1201
    download log parse script here
    If you use the shorewall firewall script you can download my program SnortShorewall to proactively prevent hackers from compromising your machine. SnortShorewall will run in the background and monitor your alerts from snort and blacklist the IP addresses that attempt to hack your system. Read more about SnortShorewall here
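As an added example (not the Perl script or SnortShorewall linked in the post), here is a Python parser for the fast-alert format that `snort -A fast` writes to /var/log/snort/alert, rendering each alert in the compact form shown above and counting alerts per source address, which is the input a blacklisting tool like SnortShorewall needs. The alert lines in SAMPLE_ALERTS are constructed for this example.

```python
import re
from datetime import date

# Constructed sample of Snort 2.x "-A fast" output; SID 1201 and the
# message match the ATTACK-RESPONSES lines quoted in the post.
SAMPLE_ALERTS = """\
04/06-08:06:57.412301  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 24.163.219.104:80 -> 67.173.96.51:2763
04/06-08:07:53.118877  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 24.163.219.104:80 -> 211.40.66.207:2676
04/05-23:59:10.000001  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.1
this line is garbage and must be skipped
"""

# One fast-alert line: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
# Classification and Priority are optional (rules without them omit both).
FAST_ALERT = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def parse_alert(line):
    """Return a dict of fields for one fast-alert line, or None if it is not one."""
    m = FAST_ALERT.match(line)
    return m.groupdict() if m else None

def parse_alerts(text, day=None):
    """Parse every line of an alert file, keeping alerts dated `day` (MM/DD, default today)."""
    if day is None:
        day = date.today().strftime("%m/%d")
    return [a for a in map(parse_alert, text.splitlines()) if a and a["date"] == day]

def format_alert(a):
    """Render one alert the way the post's parser does: when, proto, src → dst, msg, SID."""
    return f"{a['date']} {a['time']} {a['proto']} {a['src']} → {a['dst']} {a['msg']} {a['sid']}"

def top_sources(alerts, n=5):
    """Alert count per source IP (IPv4 port stripped), most active first."""
    counts = {}
    for a in alerts:
        ip = a["src"].rsplit(":", 1)[0]  # ICMP sources carry no port; rsplit leaves them intact
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
```

Point `parse_alerts` at the contents of /var/log/snort/alert to reproduce the "today's alerts" report; non-matching lines are skipped rather than crashing the parser.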

