August 24, 2009 at 2:49 pm #41876
Is it possible to install an IDS (Intrusion Detection System) onto/into Zeroshell?
I am looking forward to having this one Box be truly the Security Center for my Network.
August 25, 2009 at 5:57 pm #48674
Probably Snort will be released as external package.
Fulvio
September 4, 2009 at 4:55 pm #48675
I know nothing about compiling but I found this online.
Is there special compiling needed to install SNORT/IDS onto ZeroShell or can I simply follow the instructions listed here?
Install Snort on Linux
1. Download the latest source from Snort's Web Site
2. Unzip and Untar the source file. This will unpack the tar file to a snort directory
[root]# tar -zxvf snort.tar
3. Compile the source
[root]# cd snort-
[root]# ./configure
[root]# make
[root]# make install
[root]# make clean
This will install snort to /usr/local/bin/snort by default
4. Create the configuration directory and copy the configuration files over. This assumes you are in the snort directory
[root]# mkdir /etc/snort
[root]# cp -rf etc/* /etc/snort
[root]# cp -rf rules/* /etc/snort
5. Customize your snort.conf to meet your needs. This is a configuration I have found to be useful
[root]# cd /etc/snort
[root]# vi snort.conf
– Change your rule path (RULE_PATH) to /etc/snort
var RULE_PATH /etc/snort
– Uncomment the following line (this will cause snort to use much less resident memory)
config detection: search-method lowmem
– Make sure the flow preprocessor is NOT commented out
preprocessor flow: stats_interval 0 hash 2
– Uncomment the flow-portscan if you want to detect port scans (change server-watchnet for your network)
preprocessor flow-portscan:
unique-memcap 5000000 unique-rows 50000
– Comment out / Uncomment the rules files you want. This is my file
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
6. Create a snort user to run the process, and create your log directory
[root]# adduser snort
[root]# mkdir /var/log/snort
[root]# chown snort:snort /var/log/snort
7. Start up snort. I just create a script to start up snort with the following command.
/usr/local/bin/snort -A fast -d -u snort -g snort -D -c /etc/snort/snort.conf
Your alerts will be logged to /var/log/snort/alert.
I have a snort log parser written in perl that will parse the snort alerts and show today’s alerts in an easy to read format. Example log
04/06 08:06:57 TCP 188.8.131.52:80 → 184.108.40.206:2763 ATTACK-RESPONSES 403 Forbidden 1201
04/06 08:07:53 TCP 220.127.116.11:80 → 18.104.22.168:2676 ATTACK-RESPONSES 403 Forbidden 1201
04/06 08:13:51 TCP 22.214.171.124:80 → 126.96.36.199:2604 ATTACK-RESPONSES 403 Forbidden 1201
download log parse script here
If you use the shorewall firewall script, you can download my program SnortShorewall to proactively prevent hackers from compromising your machine. SnortShorewall will run in the background, monitor your alerts from snort, and blacklist the IP addresses that attempt to hack your system. Read more about SnortShorewall here
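The guide above starts Snort with -A fast and mentions a parser that shows today's alerts. As an added example (not part of the original post, and not the Perl script or SnortShorewall it mentions), this Python code parses the standard fast-alert line layout into the same one-line summary and counts alerts per source host, the figure a blocklisting tool would threshold on. The sample lines, addresses and rule revisions are constructed; endpoints are assumed to be IPv4.

```python
import re
from collections import Counter

# Constructed sample of Snort "-A fast" alert lines (documentation addresses,
# not taken from the post). The last line is deliberately malformed.
SAMPLE = """\
04/06-08:06:57.101010  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.7:2763
04/06-08:07:53.202020  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.7:2676
04/06-08:13:51.303030  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.5 -> 198.51.100.7
04/07-00:00:01.000001  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.9:4000
this line is not an alert
"""

FAST = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"  # classification is optional
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def parse_fast(text):
    """Yield one dict per well-formed alert line; skip anything else."""
    for line in text.splitlines():
        m = FAST.match(line)
        if m:
            yield m.groupdict()

def host(endpoint):
    """Strip the :port suffix (ICMP alerts carry no port). IPv4 only."""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint

def summarize(text, day):
    """Return (report lines for `day` as MM/DD, Counter of alerts per source host)."""
    rows, per_src = [], Counter()
    for a in parse_fast(text):
        if a["date"] != day:
            continue
        rows.append(f'{a["date"]} {a["time"]} {a["proto"]} '
                    f'{a["src"]} -> {a["dst"]} {a["msg"]} {a["sid"]}')
        per_src[host(a["src"])] += 1
    return rows, per_src

if __name__ == "__main__":
    rows, per_src = summarize(SAMPLE, "04/06")
    print("\n".join(rows))
    for src, n in per_src.most_common():
        print(f"{n:4d} alerts from {src}")
```

To run it against a live sensor, pass the contents of /var/log/snort/alert and the current date as MM/DD to summarize().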