Create an IDS on the Cheap

Having an Intrusion Detection System isn’t optional for network admins that are audited. An IDS is also very handy to have as it shows you everything that is going on. You don’t have to spend a lot of money on this, especially since most of the best tools are free. In my case, I wanted: network intrusion detection, network inventorying, and security scanning. I spent a lot of time messing around with separate packages for getting the functionality I wanted, but it was a pain to manage them all separately. I finally found an all-in-one system which met all of my requirements. OSSIM provides snort, nagios, ntop, and nessus (and various other security tools); this met all of my needs. It comes in the form of an installable debian linux image. Get it here.

I used an old PC as my server, adding an additional nic. When installing, I had to boot with –aspi=off since the power management settings on the board weren’t detected properly. After getting over that hurdle, I simply entered options applicable for my environment via the wizard that is provided. After the installation finished, I had to spend some time configuring. I made this guide piecing together info from various sources.

Update your linux patch level

Nothing fancy here. Its debian, so use apt to install patches

  1. ssh into the OSSIM server as the admin user
    #ssh root@192.168.1.3
  2. Update the package list, install patches, and reboot
    #apt-get update
    #apt-get upgrade
    #reboot 
        

Configure Network Interfaces

The LAN that needs monitored is 192.168.1.0/24. Simply change the LAN address to suite your network. The OSSIM server has two nics: one with an IP address (192.168.1.3) used for management and another operating in promiscuous mode (0.0.0.0) for sniffing. Configure a port on the main backbone switch, a gigabit smart switch which all of my servers and internet connection sit on, to be a spanning  or mirroring port of all other ports. This means that the port would receive a mirror of all traffic on all other ports; this is what the promiscuous nic is plugged into. The management interface (192.168.1.3) is plugged into a separate switch that is chained to my backbone switch. Change the OSSIM network configuration to reflect this setup.

  1. Edit the interfaces configuration using your favorite linux text editor; I like nano
    #nano /etc/network/interfaces
  2. Set the /etc/network/interfaces file to be the following, you would need to replace addresses with ones applicable for your network.
    auto lo eth0 eth1
    iface lo inet loopback
     
    # The primary network interface
    # Used for web management
    iface eth0 inet static
            address 192.168.1.3
            netmask 255.255.255.0
            network 192.168.1.0
            broadcast 192.168.1.255
            gateway 192.168.1.1
            # dns-* options
            dns-nameservers 192.168.1.8
          
     
    #eth1  is for monitoring the LAN A network
    # no ip address, promiscuous mode
    iface eth1 inet manual
            up ifconfig $IFACE 0.0.0.0 up
            up ifconfig $IFACE promisc
            down ifconfig $IFACE down
  3. Save and close the file. Restart the network interfaces
    #/etc/init.d/networking restart 
  4. Configure ntop to use the promiscuous nic
    #dpkg-reconfigure ntop 
  5. Configure snort to use the proper interface
    #nano /etc/snort/snort.debian.conf

    Set the /etc/snort/snort.debian.conf to be the following:

    DEBIAN_SNORT_HOME_NET="192.168.1.0/24"
    DEBIAN_SNORT_INTERFACE="eth1"
    DEBIAN_SNORT_OPTIONS=""
    DEBIAN_SNORT_SEND_STATS="true"
    DEBIAN_SNORT_STARTUP="boot"
    DEBIAN_SNORT_STATS_RCPT="root"
    DEBIAN_SNORT_STATS_THRESHOLD="1"
        

     

Install Oinkmaster and Update Snort Rules

Oinkmaster is a program used to update snorts detection rules. You will need to go to snort.org and sign up to receive an oink key; this lets your download rules.

  1. Install Oinkmaster
    #apt-get install oinkmaster
  2. Edit Oinkmaster Configuration File
    #nano /etc/oinkmaster.conf 
  3. Add Rule URLS to Oinkmaster Configuration File
    url = http://www.snort.org/pub-bin/oinkmaster.cgi/<your oink code>/
    snortrules-snapshot-2.7.tar.gz
    url = http://www.snort.org/pub-bin/oinkmaster.cgi/<your oink code>/
    Community-Rules-CURRENT.tar.gz
  4. Dowload and Install Rules
    #oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules
    #perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/

Fix RRD Graphs

Ossim includes RRD for graphing values, I noticed that a table used for this purpose was missing. Here is how to fix that.

  1. Go to your home folder and create a text file holding code for the missing table
    #cd ~
    #nano snort.event_stats.sql
  2. Paste the following into the newly created file
    CREATE TABLE `event_stats` (
    `timestamp` datetime NOT NULL,
    `sensors` int(10) unsigned NOT NULL,
    `sensors_total` int(10) unsigned NOT NULL,
    `uniq_events` int(10) unsigned NOT NULL,
    `categories` int(10) unsigned NOT NULL,
    `total_events` int(10) unsigned NOT NULL,
    `src_ips` int(10) unsigned NOT NULL,
    `dst_ips` int(10) unsigned NOT NULL,
    `uniq_ip_links` int(10) unsigned NOT NULL,
    `source_ports` int(10) unsigned NOT NULL,
    `dest_ports` int(10) unsigned NOT NULL,
    `source_ports_udp` int(10) unsigned NOT NULL,
    `source_ports_tcp` int(10) unsigned NOT NULL,
    `dest_ports_udp` int(10) unsigned NOT NULL,
    `dest_ports_tcp` int(10) unsigned NOT NULL,
    `tcp_events` int(10) unsigned NOT NULL,
    `udp_events` int(10) unsigned NOT NULL,
    `icmp_events` int(10) unsigned NOT NULL,
    `portscan_events` int(10) unsigned NOT NULL,
    PRIMARY KEY (`timestamp`),
    KEY `sensors_idx` (`sensors`),
    KEY `sensors_total_idx` (`sensors_total`),
    KEY `uniq_events_idx` (`uniq_events`),
    KEY `categories_idx` (`categories`),
    KEY `total_events_idx` (`total_events`),
    KEY `src_ips_idx` (`src_ips`),
    KEY `dst_ips_idx` (`dst_ips`),
    KEY `uniq_ip_links_idx` (`uniq_ip_links`),
    KEY `source_ports_idx` (`source_ports`),
    KEY `dest_ports_idx` (`dest_ports`),
    KEY `source_ports_udp_idx` (`source_ports_udp`),
    KEY `source_ports_tcp_idx` (`source_ports_tcp`),
    KEY `dest_ports_udp_idx` (`dest_ports_udp`),
    KEY `dest_ports_tcp_idx` (`dest_ports_tcp`),
    KEY `tcp_events_idx` (`tcp_events`),
    KEY `udp_events_idx` (`udp_events`),
    KEY `icmp_events_idx` (`icmp_events`),
    KEY `portscan_events_idx` (`portscan_events`)
    ) ENGINE=MyISAM DEFAULT CHARSET=latin1;

    Save the file and run the following command to create the eventstats table in the snort database.

    #cat snort.event_stats.sql | mysql -p snort

Update Other Components

Some of the components that come with OSSIM are old, but you can easily update them by following instructions found in the OSSIM forums.

  1. Upgrade Nmap: see here.
  2. Upgrade Nessus: see here.
  3. Update Nessus rules using Alienvault’s free feed: see here.

It would be wise to reboot after installing all of the above. Afterwards, go to the web interface of your OSSIM server http://<ossim ip address>. You should see something like this:

Define your LAN(s) and run some nessus scans. Happy monitoring.

Cheers.