
Securing Debian Manual
Appendix C - Setting up a stand alone IDS


You can easily set up a dedicated Debian box as a standalone Intrusion Detection System using snort.

Some guidelines:

ACID is currently packaged for Debian as acidlab; it provides a graphical WWW interface to snort's output. It can be downloaded from http://www.cert.org/kb/acid/, http://acidlab.sourceforge.net or http://www.andrew.cmu.edu/~rdanyliw/snort/. You might want to read the Snort Statistics HOWTO.

You can set up this system with at least two interfaces: one interface connected to a management LAN (to access the results and maintain the system), and one interface with no IP address attached to the network segment to analyse.

In order to configure a network card without an IP address you cannot use Debian's standard /etc/network/interfaces, since ifup and ifdown expect more information there than is needed. You have to bring the interface up by hand (a simple ifconfig eth0 up).
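
The following script is an added example, not part of the Securing Debian Manual: it brings the sniffing card up with no IP address the way the manual describes and then checks, from ifconfig's output, that the card really carries no address and is in promiscuous mode. It assumes eth0 is the management interface and eth1 the sniffing one; the sample ifconfig output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the Securing Debian Manual: bring the sniffing
# card up with no IP address and check that it is really "silent".
# Assumption: eth0 is the management interface, eth1 the sniffing one.
SNIFF_IF="${SNIFF_IF:-eth1}"

# Succeed (exit 0) when the ifconfig text carries no inet/inet6 address,
# i.e. the card cannot be addressed from the segment it monitors.
no_ip_configured() {
    ! printf '%s\n' "$1" | grep -Eq '^[[:space:]]*inet6?[[:space:]]'
}

# Succeed when the flags line (old net-tools layout, as on woody) shows the
# link UP and in PROMISC mode, so snort sees frames not addressed to it.
is_up_promisc() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*UP[[:space:]].*[[:space:]]PROMISC[[:space:]]'
}

# Both properties together: the state a sniffing interface should be in.
sniffer_ok() {
    no_ip_configured "$1" && is_up_promisc "$1"
}

# Bring the card up by hand, as the manual says, since ifup cannot do it
# without an address. Needs root; it is not run automatically below.
# promisc is optional here because snort switches it on itself.
bring_up_sniffer() {
    ifconfig "$SNIFF_IF" 0.0.0.0 promisc up || return 1
    sniffer_ok "$(ifconfig "$SNIFF_IF")"
}

# Constructed sample output (not captured from a real host) so the checks
# can be exercised without root: a correct sniffer and a management card.
SAMPLE_SNIFFER='eth1      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1024 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0'
SAMPLE_MGMT='eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:02
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

if sniffer_ok "$SAMPLE_SNIFFER" && ! sniffer_ok "$SAMPLE_MGMT"; then
    echo "checks behave as expected; run bring_up_sniffer as root to apply"
fi
```

A sniffing card that passes sniffer_ok shows TX packets:0 over time as well, which is a cheap way to confirm the IDS is not talking on the monitored segment.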

Besides the standard Debian installation, you need Apache, MySQL and PHP4 for ACID to work. Downloaded packages (note: versions might vary depending on which Debian distribution you are using; these are from Debian woody, September 2001):

     ACID-0.9.5b9.tar.gz
     adduser_3.39_all.deb
     apache-common_1.3.20-1_i386.deb
     apache_1.3.20-1_i386.deb
     debconf_0.9.77_all.deb
     dialog_0.9a-20010527-1_i386.deb
     fileutils_4.1-2_i386.deb
     klogd_1.4.1-2_i386.deb
     libbz2-1.0_1.0.1-10_i386.deb
     libc6_2.2.3-6_i386.deb
     libdb2_2.7.7-8_i386.deb
     libdbd-mysql-perl_1.2216-2_i386.deb
     libdbi-perl_1.18-1_i386.deb
     libexpat1_1.95.1-5_i386.deb
     libgdbmg1_1.7.3-27_i386.deb
     libmm11_1.1.3-4_i386.deb
     libmysqlclient10_3.23.39-3_i386.deb
     libncurses5_5.2.20010318-2_i386.deb
     libpcap0_0.6.2-1_i386.deb
     libpcre3_3.4-1_i386.deb
     libreadline4_4.2-3_i386.deb 
     libstdc++2.10-glibc2.2_2.95.4-0.010703_i386.deb
     logrotate_3.5.4-2_i386.deb
     mime-support_3.11-1_all.deb
     mysql-client_3.23.39-3_i386.deb
     mysql-common_3.23.39-3.1_all.deb
     mysql-server_3.23.39-3_i386.deb
     perl-base_5.6.1-5_i386.deb
     perl-modules_5.6.1-5_all.deb
     perl_5.6.1-5_i386.deb
     php4-mysql_4.0.6-4_i386.deb
     php4_4.0.6-1_i386.deb
     php4_4.0.6-4_i386.deb
     snort_1.7-9_i386.deb
     sysklogd_1.4.1-2_i386.deb
     zlib1g_1.1.3-15_i386.deb

Installed packages (dpkg -l):

     ii  adduser        3.39
     ii  ae             962-26
     ii  apache         1.3.20-1
     ii  apache-common  1.3.20-1
     ii  apt            0.3.19
     ii  base-config    0.33.2
     ii  base-files     2.2.0
     ii  base-passwd    3.1.10
     ii  bash           2.03-6
     ii  bsdutils       2.10f-5.1
     ii  console-data   1999.08.29-11.
     ii  console-tools  0.2.3-10.3
     ii  console-tools- 0.2.3-10.3
     ii  cron           3.0pl1-57.2
     ii  debconf        0.9.77
     ii  debianutils    1.13.3
     ii  dialog         0.9a-20010527-
     ii  diff           2.7-21
     ii  dpkg           1.6.15
     ii  e2fsprogs      1.18-3.0
     ii  elvis-tiny     1.4-11
     ii  fbset          2.1-6
     ii  fdflush        1.0.1-5
     ii  fdutils        5.3-3   
     ii  fileutils      4.1-2   
     ii  findutils      4.1-40
     ii  ftp            0.10-3.1
     ii  gettext-base   0.10.35-13
     ii  grep           2.4.2-1
     ii  gzip           1.2.4-33
     ii  hostname       2.07
     ii  isapnptools    1.21-2
     ii  joe            2.8-15.2  
     ii  klogd          1.4.1-2   
     ii  ldso           1.9.11-9   
     ii  libbz2-1.0     1.0.1-10
     ii  libc6          2.2.3-6
     ii  libdb2         2.7.7-8
     ii  libdbd-mysql-p 1.2216-2
     ii  libdbi-perl    1.18-1
     ii  libexpat1      1.95.1-5
     ii  libgdbmg1      1.7.3-27
     ii  libmm11        1.1.3-4
     ii  libmysqlclient 3.23.39-3
     ii  libncurses5    5.2.20010318-2
     ii  libnewt0       0.50-7  
     ii  libpam-modules 0.72-9
     ii  libpam-runtime 0.72-9  
     ii  libpam0g       0.72-9
     ii  libpcap0       0.6.2-1
     ii  libpcre3       3.4-1   
     ii  libpopt0       1.4-1.1
     ii  libreadline4   4.2-3 
     ii  libssl09       0.9.4-5   
     ii  libstdc++2.10  2.95.2-13 
     ii  libstdc++2.10- 2.95.4-0.01070
     ii  libwrap0       7.6-4   
     ii  lilo           21.4.3-2
     ii  locales        2.1.3-18
     ii  login          19990827-20
     ii  makedev        2.3.1-46.2
     ii  mawk           1.3.3-5
     ii  mbr            1.1.2-1 
     ii  mime-support   3.11-1 
     ii  modutils       2.3.11-13.1
     ii  mount          2.10f-5.1
     ii  mysql-client   3.23.39-3
     ii  mysql-common   3.23.39-3.1
     ii  mysql-server   3.23.39-3
     ii  ncurses-base   5.0-6.0potato1
     ii  ncurses-bin    5.0-6.0potato1
     ii  netbase        3.18-4  
     ii  passwd         19990827-20
     ii  pciutils       2.1.2-2
     ii  perl           5.6.1-5   
     ii  perl-base      5.6.1-5   
     ii  perl-modules   5.6.1-5
     ii  php4           4.0.6-4   
     ii  php4-mysql     4.0.6-4 
     ii  ppp            2.3.11-1.4
     ii  pppconfig      2.0.5
     ii  procps         2.0.6-5   
     ii  psmisc         19-2   
     ii  pump           0.7.3-2 
     ii  sed            3.02-5 
     ii  setserial      2.17-16
     ii  shellutils     2.0-7
     ii  slang1         1.3.9-1  
     ii  snort          1.7-9
     ii  ssh            1.2.3-9.3
     ii  sysklogd       1.4.1-2
     ii  syslinux       1.48-2
     ii  sysvinit       2.78-4  
     ii  tar            1.13.17-2  
     ii  tasksel        1.0-10 
     ii  tcpd           7.6-4     
     ii  telnet         0.16-4potato.1
     ii  textutils      2.0-2  
     ii  update         2.11-1    
     ii  util-linux     2.10f-5.1
     ii  zlib1g         1.1.3-15


Securing Debian Manual

2.5 (beta) 29 August 2002
Sat, 17 Aug 2002 12:23:36 +0200
Javier Fernández-Sanguino Peña jfs@computer.org