Snort IDS Setup and Configuration
Hello fellow Linux users,
I have a question about setting up an IDS solution. I would like to go the open-source route, utilizing a Linux-based host operating system (more than likely CentOS) running Snort. I have been searching the web for a tutorial; however, I have yet to find one that is all-inclusive.
Based on the Snort website it seems as simple (I use that word loosely) as:
1.) installing a Linux distribution
2.) installing the five required programs (libpcap, PCRE, libdnet, barnyard2, and DAQ) for Snort to run effectively
3.) installing Snort
4.) downloading and installing the rules
A guide specifically for CentOS is provided on the Snort website via the following link:
Does anyone with Snort-based IDS experience have some advice on how to move forward? Any suggestions, technical specifics, or pointers to additional resources?
Thanks in advance!
I would say after the install, look at the alerts that are being generated and figure out if they are false positives or not. The biggest issue with most IPS/IDS is that the variables (i.e. $HOME_NET, $EXTERNAL_NET, etc.) are never filled out properly, causing false positives.
It also depends what you would like to do with the IDS: are you trying to learn just how it functions, or are you planning on writing IDS signatures in the future? Regardless, I would start with that and look at what rules (the actual rules themselves) are being triggered and why; that gives you a good foundation to start with.
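As an added illustration of the point above about $HOME_NET and $EXTERNAL_NET (this is not code from the thread or from the Snort project), a small Python lint that parses the `ipvar` lines of a Snort 2.x snort.conf and flags the stock `any` defaults; the two configuration snippets are constructed samples, and the network ranges in them are placeholders.

```python
import re

# Matches Snort 2.x "ipvar NAME VALUE" lines (comments and portvar lines are ignored).
IPVAR_RE = re.compile(r"^\s*ipvar\s+(\w+)\s+(\S+)\s*$")


def parse_ipvars(conf_text):
    """Return {name: raw value} for every ipvar definition in a snort.conf."""
    ipvars = {}
    for line in conf_text.splitlines():
        m = IPVAR_RE.match(line)
        if m:
            ipvars[m.group(1)] = m.group(2)
    return ipvars


def lint_net_vars(conf_text):
    """Return a list of findings about HOME_NET / EXTERNAL_NET (empty list = ok)."""
    ipvars = parse_ipvars(conf_text)
    findings = []
    home = ipvars.get("HOME_NET")
    ext = ipvars.get("EXTERNAL_NET")
    if home is None:
        findings.append("HOME_NET is not defined")
    elif home == "any":
        # Every host counts as internal, so rules written as
        # $EXTERNAL_NET -> $HOME_NET fire on all traffic in both directions.
        findings.append("HOME_NET is 'any': every host is treated as internal")
    if ext is None:
        findings.append("EXTERNAL_NET is not defined")
    elif ext == "any":
        # Internal-to-internal flows also satisfy $EXTERNAL_NET -> $HOME_NET.
        findings.append("EXTERNAL_NET is 'any': internal traffic matches inbound rules")
    elif "$HOME_NET" not in ext:
        findings.append("EXTERNAL_NET is not derived from HOME_NET; check for overlap")
    # A value such as "!$HOME_NET" or "[$DNS_SERVERS,$SMTP_SERVERS]" must only
    # reference variables that are actually defined.
    for name, value in ipvars.items():
        for ref in re.findall(r"\$(\w+)", value):
            if ref not in ipvars:
                findings.append(f"{name} references undefined variable ${ref}")
    return findings


# Constructed sample: the values a freshly unpacked snort.conf ships with.
WEAK_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
"""

# Constructed sample: site-specific values (placeholder ranges).
FIXED_CONF = """\
ipvar HOME_NET [192.168.10.0/24,10.20.0.0/16]
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS [192.168.10.53]
"""
```

Running `lint_net_vars(WEAK_CONF)` reports both variables, while the fixed snippet produces no findings; the same check can be pointed at a real snort.conf before the first set of alerts is reviewed.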
So above all, review your overall security strategy: ensure proper hardening takes place before doing anything else, remain aware always, and act when reporting indicates you should do so.