LinuxQuestions.org

Linux - Security forum: Snort IDS Setup and Configuration (http://www.linuxquestions.org/questions/linux-security-4/snort-ids-setup-and-configuration-4175458465/)

MrTuxor 04-17-2013 07:42 AM

Snort IDS Setup and Configuration
 
Hello fellow Linux users,

I have a question about setting up an IDS solution. I would like to go the open-source route, utilizing a Linux-based host operating system (more than likely CentOS) running Snort. I have been searching the web for a tutorial; however, I have yet to find one that is all-inclusive.

Based on the Snort website it seems as simple (I use that word loosely) as:
1.) installing a Linux distribution
2.) installing the five required programs (libpcap, PCRE, libdnet, barnyard2, and DAQ) for Snort to run effectively
3.) installing Snort
4.) downloading and installing the rules

A guide specifically for CentOS is provided on the Snort website via the following Link:
http://s3.amazonaws.com/snort-org/ww...5_CentOS6x.pdf

Does anyone have Snort-based IDS experience and can provide some advice on how to move forward? Any suggestions, technical specifics, or pointers to additional resources?

Thanks in advance!

Tuxor

shizzles 04-17-2013 12:17 PM

I would say after the install, look at the alerts that are being generated and figure out if they are false positives or not. The biggest issue with most IPS/IDS deployments is that the variables (i.e. $HOME_NET, $EXTERNAL_NET, etc.) are never filled out properly, causing false positives.

It also depends on what you would like to do with the IDS: are you trying to learn just how it functions, or are you planning on writing IDS signatures in the future? Regardless, I would start with that and look at what rules (the actual rules themselves) are being triggered and why; it gives you a good foundation to start with.

unSpawn 04-20-2013 04:28 AM

Quote:

Originally Posted by shizzles (Post 4933353)
I would say after the install, look at the alerts that are being generated and figure out if they are false positive or not.

I would say after the install the first thing to do is to run Snort in test mode (the "-T" switch) as that's the easiest, quickest way to find out if it will run. Second thing would be to review snort.conf (you probably don't want it to run in promiscuous mode) and prune the rule sets and only keep those that relate to the OS, generic network problem indicators and the services your machine provides. And obviously running Snort / Barnyard2 means that reports getting generated should go to a human user who actually reads those reports and takes appropriate action. Snort may act as a valuable addition to your network security strategy but it does not equal host or network security.
So above all review your overall security strategy: ensure proper hardening takes place before doing anything else, remain aware always and act when reporting indicates you should do so.
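Both replies above come down to the same two snort.conf edits: fill in $HOME_NET/$EXTERNAL_NET so rules stop matching your own hosts, and prune the `include $RULE_PATH/...` lines down to the OS, services and generic indicators you actually care about. The script below is an added example, not code from the thread or from the Snort project; it applies those edits to the configuration text in memory. The excerpt of snort.conf it works on is constructed here and only mimics the 2.9.x layout (`ipvar`, `portvar`, `var RULE_PATH`, `include $RULE_PATH/...`), and the rule file names in it are illustrative.

```python
"""Tune snort.conf: set HOME_NET/EXTERNAL_NET and prune rule includes.

Added example (not from the thread or the Snort project). Edits the
configuration text in memory; write the result back yourself and then
validate it with `snort -T -c /etc/snort/snort.conf`.
"""
import ipaddress
import re

# Constructed excerpt of a stock snort.conf; real files are far longer.
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
portvar HTTP_PORTS [80,8080]
var RULE_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/server-apache.rules
include $RULE_PATH/server-iis.rules
include $RULE_PATH/policy-spam.rules
include $RULE_PATH/indicator-scan.rules
"""


def set_home_net(conf, home_nets):
    """Replace 'HOME_NET any' with the given CIDR list and make
    EXTERNAL_NET its complement. A bad CIDR raises ValueError instead of
    silently leaving the variable at 'any'."""
    for net in home_nets:
        ipaddress.ip_network(net, strict=False)
    home = "[" + ",".join(home_nets) + "]"
    conf = re.sub(r"^ipvar HOME_NET .*$", "ipvar HOME_NET " + home,
                  conf, flags=re.M)
    # '!$HOME_NET' is what makes rules written as
    # '$EXTERNAL_NET any -> $HOME_NET ...' ignore traffic between your
    # own hosts, which is the usual source of noisy false positives.
    conf = re.sub(r"^ipvar EXTERNAL_NET .*$", "ipvar EXTERNAL_NET !$HOME_NET",
                  conf, flags=re.M)
    return conf


def prune_rules(conf, keep):
    """Comment out every 'include $RULE_PATH/<file>' whose file name is
    not in `keep`, leaving a marker so the change is reviewable."""
    out = []
    for line in conf.splitlines():
        m = re.match(r"^include \$RULE_PATH/(\S+)$", line)
        if m and m.group(1) not in keep:
            out.append("# " + line + "  # pruned: not relevant to this host")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def active_includes(conf):
    """Rule files that are still included (commented lines excluded)."""
    return [m.group(1)
            for m in re.finditer(r"^include \$RULE_PATH/(\S+)$", conf, re.M)]


def variables(conf):
    """Map of ipvar name -> value, to check the result before saving."""
    return dict(re.findall(r"^ipvar (\w+) (.+)$", conf, re.M))


if __name__ == "__main__":
    # Assumed values: a single LAN and an Apache web server on this host.
    tuned = set_home_net(SAMPLE_CONF, ["192.168.1.0/24"])
    tuned = prune_rules(tuned, {"local.rules", "server-apache.rules",
                                "indicator-scan.rules"})
    print(tuned)
    print("Now run: snort -T -c /etc/snort/snort.conf")
```

After writing the tuned file out, `snort -T -c <conf>` (the test mode unSpawn mentions) parses it and the rule files it still includes and exits, which catches a typo in a CIDR or a pruned include that another rule file depended on before you start Snort for real.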

