DIY IDS

August 11, 2007

The best offense is a good defense.  This is a very famous phrase most often attributed to football, but it can be applied to many areas of life, especially information security.  Diligent patching is a must, but even when done religiously (in conjunction with faithful anti-virus updates), vulnerabilities still exist.  There has never been more of a need for an Intrusion Detection System (IDS) than right now.  Attackers are more skilled and the tools they use more elaborate.  We simply can't be everywhere at once and need an IDS to be the eyes in the back of our head.

There are many great products out there, but as an introduction to IDS, I wanted to focus on OSSEC-HIDS. OSSEC-HIDS is a great application to get your feet wet and open up the more advanced concepts of intrusion detection.  OSSEC agents will run on virtually all OSes including Solaris, OS X, Linux and Windows (2000 and XP).  The server itself is Linux based.  The configuration is fairly straightforward as outlined below.  This is a very basic introduction and should be considered a jumping off point.



Installation

It is highly recommended that you build the IDS server in a virtual machine.  There are many reasons a Virtual Machine Environment (VME) is advantageous, especially if your organization is short on spare machines.  Also, running OSSEC in a VME gives you the option of saving that image and uploading it to a different server once you have it configured the way you want it.

OSSEC Install

This install assumes that you already have a Linux box configured and are ready to install OSSEC.  If not, don't panic.  I've added a little section on installing a basic Linux distro below (Business Card Debian).  But if you're ready, let's get to it:

1.  Download the latest copy of OSSEC
    (wget http://www.ossec.net/files/ossec-hids-1.2.tar.gz)
2.  Install gcc
    (apt-get install gcc)
3.  Install make
    (apt-get install make)
4.  Un-tar the OSSEC file
    (tar -zxvf ossec-hids-1.2.tar.gz)
5.  Change into the OSSEC directory
    (cd ossec-hids-1.2)
6.  Compile the program
    (./install.sh)
7.  Select type
    (Choose server)
8.  Location of logs
    (Choose default /var/ossec/etc/ossec.conf)
9.  Email notification
    (yes is recommended; otherwise you are handicapping OSSEC's usefulness)
10. Enter email address
    (Choose a primary email address so that you know immediately when an issue arises)
11. SMTP server
12. Integrity check daemon
    (Creates a database of all system files and related integrity info, then periodically scans to see if any changes to these files were made)
13. Rootkit detection engine
    (Using anomaly detection, OSSEC attempts to identify both known and unknown rootkits)
14. Active response
    (Allows you to run commands when you are notified that a certain event is occurring; it is not recommended that this function be activated in a production environment until it is thoroughly tested)
15. Firewall drop response
    (no is the recommended setting; packets should never be dropped without an admin explicitly testing the rule(s) to ensure that good packets are not lost)
16. Add more IPs to the whitelist
17. Enable remote syslog (port 514 UDP)
18. Start OSSEC
    (/var/ossec/bin/ossec-control start)

Changes can always be made to the ossec.conf file

(<wherever you untarred the install file, e.g. /root>/ossec-hids-1.2/etc/ossec.conf)

Once the install has finished, the copy OSSEC actually reads is the one under the install location chosen in step 8 (/var/ossec/etc/ossec.conf).
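As an added example (not from the original article), the script below writes a constructed ossec.conf that mirrors the recommended answers from steps 9 and 12 through 17, then audits any ossec.conf for those same choices so you can re-check the file after editing it. Element names are OSSEC's own; the e-mail addresses, SMTP host and the 192.168.1.0/24 management network are assumed placeholders.

```shell
# Added example, not OSSEC's code: audit ossec.conf against the install
# answers recommended above. Sample config is constructed; hostnames,
# addresses and the allowed syslog network are placeholders.
write_sample_conf() {
  cat > "$1" <<'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.com</email_to>
    <smtp_server>mail.example.com</smtp_server>
    <white_list>127.0.0.1</white_list>
  </global>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
  </syscheck>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  </rootcheck>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.1.0/24</allowed-ips>
  </remote>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>
EOF
}

# Returns 0 when every check passes, 1 otherwise; prints one line per problem.
audit_ossec_conf() {
  conf=$1; rc=0
  grep -q '<email_notification>yes<' "$conf" \
    || { echo "step 9: email notification is off"; rc=1; }
  grep -q '<directories' "$conf" \
    || { echo "step 12: syscheck monitors no directories"; rc=1; }
  grep -q '<rootkit_files>' "$conf" \
    || { echo "step 13: rootcheck is not configured"; rc=1; }
  sed -n '/<active-response>/,/<\/active-response>/p' "$conf" | grep -q '<disabled>yes<' \
    || { echo "step 14: active response is enabled; test it before production"; rc=1; }
  grep -q 'firewall-drop' "$conf" \
    && { echo "step 15: a firewall-drop response is defined"; rc=1; }
  grep -q '<allowed-ips>' "$conf" \
    || { echo "step 17: remote syslog is not restricted by allowed-ips"; rc=1; }
  return $rc
}
```

Run `audit_ossec_conf /var/ossec/etc/ossec.conf` after each edit; a non-zero exit means one of the safe defaults above has drifted.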

Basic Linux Install

If you are not familiar with Linux, below is a quick how-to that should get you up and running.  This particular install will not have a GUI, as it is not necessary for Linux servers.  Not having a GUI is actually safer, since there are fewer lines of potentially vulnerable code exposed to be exploited.

1. Use a business card image (faster to d/l and can be placed on a usb drive for ultimate portability)

Ex. i386 processor http://cdimage.debian.org/debian-cd/4.0_r0/i386/iso-cd/debian-40r0-i386-businesscard.iso

2. Choose your language, and other regional choices

3. Name your machine (you can always re-name it later)

4. Enter your domain name

5. Choose your mirror location

6. Choose your mirror (be aware that some organizations block ftp access)

7. Partition the hard drive

8. Select your time zone

9. Choose your software (unselect all choices, and do a minimal install)

10. Configure eth0 in /etc/network/interfaces (the example below is for a static IP)

a. First line: iface eth0 inet static

b. Second line: (tab) address <enter the IP address for this host>

c. Third line: (tab) netmask <enter the subnet mask>

d. Fourth line: (tab) broadcast <enter the broadcast IP>

e. Fifth line: (tab) gateway <enter the gateway>

*All information after the ":" must be entered
**The tab keeps everything looking clean

When finished, save the file and type /etc/init.d/networking restart, or reboot.

11. Get the latest updates (for Debian: apt-get update, then apt-get upgrade)

12. Verify that you are running the latest stable kernel.

Example of a manually partitioned hard drive (for step 7):

a. /boot – 200 mb ext3 (bootable flag: on)

b. / – 4 gb ext3

c. swap – 512 mb (swap area, no mount point)

d. /tmp – 128 mb

e. /home – remainder of the hard drive
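The static eth0 stanza from step 10 is easy to get subtly wrong (a mistyped broadcast address or a gateway outside the subnet leaves the box unreachable after the restart). As an added example that is not part of the original article, the POSIX sh functions below derive the broadcast address from the address and netmask, refuse to emit the stanza if the gateway is not on that subnet, and print the tab-indented lines exactly as the article lays them out. The addresses used are constructed sample values.

```shell
# Added example, not from the article: generate and sanity-check the static
# eth0 stanza for /etc/network/interfaces. Sample addresses are constructed.

# Dotted quad -> 32-bit integer (plain sh arithmetic, no bash-isms).
ip2int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# broadcast = address OR (NOT netmask), masked back to 32 bits.
broadcast_of() {
  int2ip $(( $(ip2int "$1") | (~$(ip2int "$2") & 4294967295) ))
}

# Exit 0 if host $1 and host $2 share a network under netmask $3, else 1.
same_subnet() {
  m=$(ip2int "$3")
  [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# Print the five lines from step 10 (tab-indented like the article), or
# print nothing and fail when the gateway is not reachable from this subnet.
eth0_stanza() {
  addr=$1; mask=$2; gw=$3
  same_subnet "$addr" "$gw" "$mask" \
    || { echo "gateway $gw is not in the subnet of $addr/$mask" >&2; return 1; }
  printf 'iface eth0 inet static\n'
  printf '\taddress %s\n\tnetmask %s\n\tbroadcast %s\n\tgateway %s\n' \
    "$addr" "$mask" "$(broadcast_of "$addr" "$mask")" "$gw"
}

# Usage: append the generated stanza to the interfaces file, e.g.
#   eth0_stanza 192.168.1.20 255.255.255.0 192.168.1.1 >> /etc/network/interfaces
```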

Well, there you have it: a quick and dirty IDS ready to go.  As mentioned above, this article is simply meant as a jumping off point into the world of Intrusion Detection.  It was clearly not intended to be a definitive work on how to get it up and running.  That, my friends, is up to you… or maybe this begs for a sequel?

Editor's Note: OSSEC released v1.3 on August 8, 2007.

Additional Resources:

OSSEC Documentation

VMware Server (Free)

Insecure.org's Top 5 IDSs

SANS Intrusion Detection FAQ

"Intrusion Detection: Knowing when someone is knocking on your door" - An old article by EH-Net friend and ChicagoCon Keynoter, Lance Spitzner.
