Network-based intrusion-detection systems (IDS) are an integral component of a layered IT security strategy. As October is National Cyber Awareness Month, if your overall security system doesn't include network-based intrusion detection, now is an excellent time to consider implementing an IDS package.
Commercial network-based IDS can often be quite expensive. On the other hand, there is the common perception that implementing an open-source IDS is complicated. Recently, I had the opportunity to install an open-source IDS and found the opposite to be true. You can easily build a powerful open source-based IDS in less than a day, as I did.
The object of this article isn't to provide a step-by-step instruction for installing and managing an open-source IDS, because there are plenty of resources available for that. Rather, it's intended to lay the foundation for such. If you have ever considered implementing an open-source IDS but felt lost when researching how to do so, this article is for you.
Snort and BASE
Two packages necessary for creating an effective open-source database are Snort and BASE (Basic Analysis Security Engine). Snort was originally created in 1998 by Martin Roesch as an open-source alternative to commercial IDS packages. BASE is built on the work of the defunct Analysis Console for Intrusion Databases (ACID) project.
As with many open-source applications, Snort is available as source code or as a binary install package for Linux or Windows. BASE, on the other hand, is operating system-independent. Therefore, both may be set up on either a Linux or Windows machine, with a similar amount of effort.
The goal of this article is to demonstrate the ease in creating an IDS using older computers and therefore focuses on building a Snort IDS on a Linux system, but the methods for installing on a Windows system are very similar. Because of how far Linux distributions have progressed, if you have installed Windows, you can install Snort on Linux with little difficulty.
Preparing the system
Deciding on placement of the IDS within the network is critical. The IDS machine must connect to a port that can see all traffic between the LAN and the Internet. This means either connecting to a mirrored switch port or a hub located between the Internet connection and the LAN. If a firewall and only one IDS sensor is used, the sensor should be placed between the firewall and the LAN, for reasons that will be discussed later.
Choosing the type of machine to use is dependent on the environment and the data desired. A Snort IDS set-up can involve one or several independent machines, or many that report to a central database server. The faster the connection being monitored and the level of logging dictate the machine capabilities.
For brevity, this article focuses on installing a single stand-alone IDS at the network edge. For a Linux install, a desktop computer that is several years old should suffice. Figure on a minimum of 256MB of RAM, a 20GB hard drive, a 600-MHz processor and a CD drive, all features of desktop machines made within the past few years.
For installing a base Linux operating system, a machine to create the installation CD is needed. A Windows box running Burn4Free (a freeware ISO burner) will work fine. In addition, the network parameters (IP address and such) and a network connection for the IDS machine should be determined prior to the Linux installation.
Download the Fedora 7 Live ISO image or a Linux distribution of choice. Fedora 7 Live is a minimal installation of the Fedora Linux distribution that can run on a single CD, and the following instructions focus on Fedora Live 7, but they can be easily adjusted for other distributions if desired. Burn the ISO image to a CD on the Windows machine.
On the IDS machine, install the CD and set the BIOS to boot off the CD (just like a Windows install). The machine will automatically run the Fedora 7 Live distribution with no user interaction. Let it run until it has automatically logged in to the graphical user interface with the default account.
Click on the Install to Hard Drive icon. Answer the questions as they appear; most are similar to what is presented in a Windows installation. When done, remove the CD and reboot the machine. The machine is now ready for installation of the software needed to run and administer the IDS.
The needed applications
Snort essentially works on pattern matching by comparing packets to signatures of known attacks. There are literally thousands of such signatures available. Think of Snort as an intelligent sniffer: It takes a continuous trace of inbound and outbound Internet traffic and analyses the trace by comparing against the signature database in real time. To do this manually would be impossible.
If a packet matches a pattern in a selected signature, an alert is generated. Analysing the alerts for meaningful data is no easy task, given the amount of data and its raw format presentation. Therefore, a method is needed to collect and provide for group analysis of the data.
This example uses MySQL as the database application, but Microsoft SQL Server or Oracle may be used for the alert database as well. While populating a well-formatted database with Snort information is necessary for categorising information, as with sniffer analysis, the process of analysing such a database is labour-intensive.
This is where BASE comes into play. It's a Web front end to the database that presents the Snort alert data. This provides the information a network or security administrator needs to identify threats and enact controls to reduce the threats.
Other support applications needed include the Apache Web server, the GCC compiler and the PHP HTML scripting language. An excellent guide for installation of a Snort/BASE IDS system and all related applications written by Patrick Harper and Nick Oliver is available at Internet Security Guru.com. Other documentation and user forums are available at the main Snort Web site.
Administering the IDS
After a successful installation, pointing a Web browser to the IDS will produce a summary alert window. From here, intrusion-detection data may be analysed efficiently. BASE offers many data aggregation and presentation tools.
Each alert can be analysed individually or as a group. In the above example, the majority of the alerts generated constituted false positives because the alerts were on regular traffic that may have had abnormal but perfectly harmless characteristics. For example, one such alert (Figure 3) was generated when a valid remote desktop session ended abruptly, possibly by a user not closing the remote desktop application correctly.
I previously noted that the IDS sensor should always be placed between the firewall and the LAN. Suppose the alert was indicative of a valid attack. The firewall could then be configured to deny all traffic from that source address. No new alerts should be logged after the firewall configuration, thereby effectively eliminating the threat.
Building a functional IDS sensor is only the first step. Once installed, the IDS administrator should spend a significant amount of time exploring the alerts and capabilities of the system. One doesn't begin a major building project after setting up and operating a table saw for the first time, and such is the case with Snort/BASE.
As threats emerge, rules must be added to the system to match the signatures of those threats. Snort offers a subscription service for access to emerging rules for a minimal fee or free access to the same rules to registered users for 30 days after they are released to the subscription service. Oinkmaster is an excellent tool for updating rules regularly.
In addition, signatures may be created manually, or pass options may be added to signatures that are determined to produce an abundance of false positives. Determining if alerts are in fact normal network traffic or an actual threat is obviously necessary, as it would be foolish to disable a signature simply because it's producing many alerts. Other open-source tools such as MRTG, ntop and tcpdump, in conjunction with server and network equipment log analysis, can provide the data needed to streamline the IDS configuration
Snort can be deployed in a centrally managed distributed environment in which multiple sensors report back to a single database server. In large enterprise networks, this can be useful in correlating events as well as simply parsing information from multiple points on the network. It isn't uncommon to deploy Snort sensors at borders between security zones in a LAN, such as between administrative servers and local users.
A signature-based network IDS is simply a tool to enforce your company's security policy. Expecting that installing an IDS (or any single security solution, for that matter) will eliminate all threats is flirting with a false sense of security. However, delving into the world of open-source IDS is a path that can produce immediate and significant returns.
Greg Schaffer is a freelance writer based in Tennessee. He has over 15 years of experience in networking, primarily in higher education.