You can easily set up a dedicated Debian box as a standalone Intrusion
Detection System using snort.
Some guidelines:
ACID is currently packaged for Debian as acidlab; it provides a graphical
WWW interface to snort's output. It can be downloaded from
http://www.cert.org/kb/acid/, http://acidlab.sourceforge.net or
http://www.andrew.cmu.edu/~rdanyliw/snort/.
You might want to read the Snort Statistics HOWTO.
You can set up this system with at least two interfaces: one connected to a management LAN (to access the results and maintain the system), and one with no IP address, attached to the network segment to analyse.
In order to configure the network cards without an IP address you cannot use
Debian's standard /etc/network/interfaces, since ifup and ifdown expect more
information there than is needed. You have to bring the interface up by hand
(a simple ifconfig eth0 up).
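A way to check that the sniffing interface really is up and address-free, as an added example that is not part of the original manual. It assumes the iproute2 one-line format (`ip -o link show`, `ip -o addr show`) rather than the ifconfig used above; the interface names and sample lines are constructed. Current kernels can assign an IPv6 link-local address as soon as an interface is brought up, so the check covers inet6 as well as inet.

```shell
#!/bin/sh
# Constructed sample output, abbreviated from the `ip -o link show` and
# `ip -o addr show` formats (not captured from a real host).
LINK_SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP
4: eth2: <BROADCAST,MULTICAST> mtu 1500 state DOWN
5: eth3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP'
ADDR_SAMPLE='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
3: eth1    inet6 fe80::211:22ff:fe33:4455/64 scope link'

# check_sniff_iface IFACE LINK_OUTPUT ADDR_OUTPUT
# Returns 0 if IFACE is up and has no address, 1 if it is not up (or not
# listed), 2 if it is up but carries an IPv4 or IPv6 address.
check_sniff_iface() {
    iface=$1
    # Third field of the matching link line is the flag set, e.g. <UP,LOWER_UP>.
    flags=$(printf '%s\n' "$2" | awk -v i="$iface:" '$2 == i { print $3 }')
    # Wrap in commas so that LOWER_UP alone is not mistaken for UP.
    case ",$(printf '%s' "$flags" | tr -d '<>')," in
        *,UP,*) ;;
        *) echo "$iface: not up"; return 1 ;;
    esac
    # Any inet or inet6 line for this interface means it is addressable.
    addrs=$(printf '%s\n' "$3" | awk -v i="$iface" \
        '$2 == i && ($3 == "inet" || $3 == "inet6") { printf "%s=%s ", $3, $4 }')
    if [ -n "$addrs" ]; then
        echo "$iface: has address(es): $addrs"
        return 2
    fi
    echo "$iface: up, no address"
    return 0
}

# Demo on the constructed samples. On a live sensor the call would be:
#   check_sniff_iface eth1 "$(ip -o link show)" "$(ip -o addr show)"
for i in eth0 eth1 eth2 eth3; do
    check_sniff_iface "$i" "$LINK_SAMPLE" "$ADDR_SAMPLE" || true
done
```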
Besides the standard Debian installation, you need Apache, MySQL and PHP4 for ACID to work. Downloaded packages (note: versions might vary depending on which Debian distribution you are using; these are from Debian woody, September 2001):
ACID-0.9.5b9.tar.gz
adduser_3.39_all.deb
apache-common_1.3.20-1_i386.deb
apache_1.3.20-1_i386.deb
debconf_0.9.77_all.deb
dialog_0.9a-20010527-1_i386.deb
fileutils_4.1-2_i386.deb
klogd_1.4.1-2_i386.deb
libbz2-1.0_1.0.1-10_i386.deb
libc6_2.2.3-6_i386.deb
libdb2_2.7.7-8_i386.deb
libdbd-mysql-perl_1.2216-2_i386.deb
libdbi-perl_1.18-1_i386.deb
libexpat1_1.95.1-5_i386.deb
libgdbmg1_1.7.3-27_i386.deb
libmm11_1.1.3-4_i386.deb
libmysqlclient10_3.23.39-3_i386.deb
libncurses5_5.2.20010318-2_i386.deb
libpcap0_0.6.2-1_i386.deb
libpcre3_3.4-1_i386.deb
libreadline4_4.2-3_i386.deb
libstdc++2.10-glibc2.2_2.95.4-0.010703_i386.deb
logrotate_3.5.4-2_i386.deb
mime-support_3.11-1_all.deb
mysql-client_3.23.39-3_i386.deb
mysql-common_3.23.39-3.1_all.deb
mysql-server_3.23.39-3_i386.deb
perl-base_5.6.1-5_i386.deb
perl-modules_5.6.1-5_all.deb
perl_5.6.1-5_i386.deb
php4-mysql_4.0.6-4_i386.deb
php4_4.0.6-1_i386.deb
php4_4.0.6-4_i386.deb
snort_1.7-9_i386.deb
sysklogd_1.4.1-2_i386.deb
zlib1g_1.1.3-15_i386.deb
Installed packages (dpkg -l):
ii  adduser         3.39
ii  ae              962-26
ii  apache          1.3.20-1
ii  apache-common   1.3.20-1
ii  apt             0.3.19
ii  base-config     0.33.2
ii  base-files      2.2.0
ii  base-passwd     3.1.10
ii  bash            2.03-6
ii  bsdutils        2.10f-5.1
ii  console-data    1999.08.29-11.
ii  console-tools   0.2.3-10.3
ii  console-tools-  0.2.3-10.3
ii  cron            3.0pl1-57.2
ii  debconf         0.9.77
ii  debianutils     1.13.3
ii  dialog          0.9a-20010527-
ii  diff            2.7-21
ii  dpkg            1.6.15
ii  e2fsprogs       1.18-3.0
ii  elvis-tiny      1.4-11
ii  fbset           2.1-6
ii  fdflush         1.0.1-5
ii  fdutils         5.3-3
ii  fileutils       4.1-2
ii  findutils       4.1-40
ii  ftp             0.10-3.1
ii  gettext-base    0.10.35-13
ii  grep            2.4.2-1
ii  gzip            1.2.4-33
ii  hostname        2.07
ii  isapnptools     1.21-2
ii  joe             2.8-15.2
ii  klogd           1.4.1-2
ii  ldso            1.9.11-9
ii  libbz2-1.0      1.0.1-10
ii  libc6           2.2.3-6
ii  libdb2          2.7.7-8
ii  libdbd-mysql-p  1.2216-2
ii  libdbi-perl     1.18-1
ii  libexpat1       1.95.1-5
ii  libgdbmg1       1.7.3-27
ii  libmm11         1.1.3-4
ii  libmysqlclient  3.23.39-3
ii  libncurses5     5.2.20010318-2
ii  libnewt0        0.50-7
ii  libpam-modules  0.72-9
ii  libpam-runtime  0.72-9
ii  libpam0g        0.72-9
ii  libpcap0        0.6.2-1
ii  libpcre3        3.4-1
ii  libpopt0        1.4-1.1
ii  libreadline4    4.2-3
ii  libssl09        0.9.4-5
ii  libstdc++2.10   2.95.2-13
ii  libstdc++2.10-  2.95.4-0.01070
ii  libwrap0        7.6-4
ii  lilo            21.4.3-2
ii  locales         2.1.3-18
ii  login           19990827-20
ii  makedev         2.3.1-46.2
ii  mawk            1.3.3-5
ii  mbr             1.1.2-1
ii  mime-support    3.11-1
ii  modutils        2.3.11-13.1
ii  mount           2.10f-5.1
ii  mysql-client    3.23.39-3
ii  mysql-common    3.23.39-3.1
ii  mysql-server    3.23.39-3
ii  ncurses-base    5.0-6.0potato1
ii  ncurses-bin     5.0-6.0potato1
ii  netbase         3.18-4
ii  passwd          19990827-20
ii  pciutils        2.1.2-2
ii  perl            5.6.1-5
ii  perl-base       5.6.1-5
ii  perl-modules    5.6.1-5
ii  php4            4.0.6-4
ii  php4-mysql      4.0.6-4
ii  ppp             2.3.11-1.4
ii  pppconfig       2.0.5
ii  procps          2.0.6-5
ii  psmisc          19-2
ii  pump            0.7.3-2
ii  sed             3.02-5
ii  setserial       2.17-16
ii  shellutils      2.0-7
ii  slang1          1.3.9-1
ii  snort           1.7-9
ii  ssh             1.2.3-9.3
ii  sysklogd        1.4.1-2
ii  syslinux        1.48-2
ii  sysvinit        2.78-4
ii  tar             1.13.17-2
ii  tasksel         1.0-10
ii  tcpd            7.6-4
ii  telnet          0.16-4potato.1
ii  textutils       2.0-2
ii  update          2.11-1
ii  util-linux      2.10f-5.1
ii  zlib1g          1.1.3-15
Securing Debian Manual
v2.2 27 April 2002
Tue, 23 Apr 2002 20:56:15 +0200
jfs@computer.org