Old 04-17-2013, 07:42 AM   #1
MrTuxor
LQ Newbie
 
Registered: Apr 2013
Posts: 13

Snort IDS Setup and Configuration


Hello fellow Linux users,

I have a question about setting up an IDS solution. I would like to go the open-source route, utilizing a Linux-based host operating system (more than likely CentOS) running Snort. I have been searching the web for a tutorial; however, I have yet to find one that is all-inclusive.

Based on the Snort website it seems as simple (I use that word loosely) as:
1.) installing a Linux distribution
2.) installing the five required programs (libpcap, PCRE, libdnet, barnyard2, and DAQ) for Snort to run effectively
3.) installing Snort
4.) downloading and installing the rules

A guide specifically for CentOS is provided on the Snort website via the following Link:
http://s3.amazonaws.com/snort-org/ww...5_CentOS6x.pdf

Does anyone have Snort-based IDS experience and can provide some advice on how to move forward? Any suggestions, technical specifics, or pointers to additional resources?

Thanks in advance!

Tuxor
 
Old 04-17-2013, 12:17 PM   #2
shizzles
LQ Newbie
 
Registered: Jun 2005
Location: Chicago
Distribution: Ubuntu Server & Debian 6
Posts: 23

I would say after the install, look at the alerts that are being generated and figure out if they are false positives or not. The biggest issue with most IPS/IDS installations is that the variables (i.e. $HOME_NET, $EXTERNAL_NET, etc.) are never filled out properly, causing false positives.

It also depends what you would like to do with the IDS: are you trying to learn just how it functions, or are you planning on writing IDS signatures in the future? Regardless, I would start with that and look at what rules (the actual rules themselves) are being triggered and why; that gives you a good foundation to start with.
 
Old 04-20-2013, 04:28 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Quote:
Originally Posted by shizzles
I would say after the install, look at the alerts that are being generated and figure out if they are false positives or not.
I would say after the install the first thing to do is to run Snort in test mode (the "-T" switch), as that's the easiest, quickest way to find out if it will run. The second thing would be to review snort.conf (you probably don't want it to run in promiscuous mode) and prune the rule sets, keeping only those that relate to the OS, generic network problem indicators and the services your machine provides. And obviously, running Snort / Barnyard2 means that the reports being generated should go to a human user who actually reads those reports and takes appropriate action. Snort may be a valuable addition to your network security strategy, but it does not equal host or network security.
So above all, review your overall security strategy: ensure proper hardening takes place before doing anything else, remain aware always, and act when reporting indicates you should do so.
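
As an added example (not code from any of the posters or from the Snort project) that ties shizzles' point about $HOME_NET / $EXTERNAL_NET to unSpawn's advice on test mode, promiscuous mode and pruning rule sets: a POSIX sh script that takes a stock snort.conf, sets the network variables, comments out every rule-file include that is not on a keep list, refuses the "everything is any" configuration, and, only if a snort binary is present, runs the result through snort -T with promiscuous mode disabled (-p). The paths, the rule-file names on the keep list, the address ranges and the small sample snort.conf used for checking are assumptions and constructed samples, not values from the thread.

```shell
#!/bin/sh
# Added example for this thread, not code from the posters or from Snort.
# Rewrites a stock snort.conf so HOME_NET/EXTERNAL_NET are filled in and
# only a chosen set of rule files stays included, then checks the result.
# Paths, rule-file names and address ranges below are assumptions.
set -eu

# Rule files to keep: OS, generic network indicators and the services this
# host actually runs.  File names follow the Snort 2.9 rule-set naming and
# are assumed here; adjust to the rule set you downloaded.
KEEP_RULES='local.rules os-linux.rules protocol-icmp.rules indicator-scan.rules server-webapp.rules'

# prune_conf SRC DST HOME_NET
# Copies SRC to DST, replacing the HOME_NET/EXTERNAL_NET definitions and
# commenting out "include $RULE_PATH/<file>" lines not in KEEP_RULES.
# EXTERNAL_NET becomes !$HOME_NET so rules written as
# $EXTERNAL_NET -> $HOME_NET stop firing on purely internal traffic.
prune_conf() {
    src=$1; dst=$2; home_net=$3
    awk -v home="$home_net" -v keep="$KEEP_RULES" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        /^ipvar HOME_NET /     { print "ipvar HOME_NET " home; next }
        /^ipvar EXTERNAL_NET / { print "ipvar EXTERNAL_NET !$HOME_NET"; next }
        /^include \$RULE_PATH\// {
            f = $2; sub(/^.*\//, "", f)          # basename of the rule file
            if (f in want) print; else print "# pruned: " $0
            next
        }
        { print }
    ' "$src" > "$dst"
}

# check_conf CONF
# Returns non-zero when HOME_NET is missing or when either network variable
# is still "any", the default that makes inside and outside indistinguishable
# and is behind many of the false positives shizzles mentions.
check_conf() {
    conf=$1
    grep -q '^ipvar HOME_NET ' "$conf" || { echo "HOME_NET not set in $conf"; return 1; }
    if grep -Eq '^ipvar (HOME_NET|EXTERNAL_NET) any$' "$conf"; then
        echo "HOME_NET or EXTERNAL_NET is 'any' in $conf; set them to your real ranges"
        return 1
    fi
    return 0
}

# snort_test_mode CONF IFACE
# Asks Snort to parse CONF and exit (-T), sniffing IFACE with promiscuous
# mode disabled (-p).  Skipped when no snort binary is on PATH.
snort_test_mode() {
    conf=$1; iface=$2
    if ! command -v snort >/dev/null 2>&1; then
        echo "snort not installed; skipping -T run" >&2
        return 0
    fi
    snort -T -p -i "$iface" -c "$conf"
}

# main [SRC_CONF] [HOME_NET] [IFACE]   (defaults are assumed values)
main() {
    src=${1:-/etc/snort/snort.conf}
    home=${2:-'[192.168.1.0/24]'}
    iface=${3:-eth0}
    dst=${src%.conf}.pruned.conf
    prune_conf "$src" "$dst" "$home"
    check_conf "$dst"
    snort_test_mode "$dst" "$iface"
    echo "pruned configuration written to $dst"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh prune-snort.sh /etc/snort/snort.conf '[192.168.1.0/24,10.0.0.0/8]' eth0` (the script name is arbitrary). The pruned copy is written beside the original rather than over it, so the stock file stays available for comparison when you later decide to re-enable a rule file.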