These classnotes are deprecated. As of 2005, I no longer teach the classes. The notes will remain online for legacy purposes.

UNIX03/Introduction To Snort


What is an IDS?

An IDS is an Intrusion Detection System: a program that sits on your host (or on your network) and monitors traffic in and out of your machine, analyzing it for attacks. Usually an IDS has some sort of rule-base of signatures for fingerprinting attacks (much as SpamAssassin has a rule-base for fingerprinting spam).

Under UNIX systems you have a vast array of IDSes to choose from, each with its own strengths and weaknesses. We will not examine all of them here; however, you can get a good overview of them from the following sources:

What is Snort?

Snort is a software-based, real-time network intrusion detection system developed by Martin Roesch that can be used to notify an administrator of a potential intrusion attempt. The ever-increasing number of Internet crackers armed with "ready-to-run" exploits, as well as the sophisticated attacker intent on defacing your web page, necessitates a method of tracking their activity and alerting you to it.

A Network Intrusion Detection System (NIDS) is a system responsible for detecting anomalous, inappropriate, or otherwise unauthorized data occurring on a network. Contrast this with a firewall, which is configured to allow or deny access to a particular service or host based on a set of rules: if the traffic matches an acceptable pattern it is permitted, regardless of what the packet contains. A NIDS, on the other hand, captures and inspects all traffic, whether the firewall permitted it or not, and generates an alert based on the packet's contents at either the IP or the application level.

Snort is a "lightweight" NIDS in that it is non-intrusive, easily configured, uses familiar methods for rule development, and takes only a few minutes to install. Snort currently ships with signatures for more than 1100 potential attacks and vulnerabilities. Keep in mind that intrusion detection devices work in conjunction with other security measures; they are not a replacement for good security practices, and a NIDS that sees an attack does nothing to stop it.

It is also quite feature-packed right out of the box. Its features include the ability to:

  • Detect and alert based on pattern matching for threats including buffer overflows, stealth port scans, CGI attacks, SMB probes and NetBIOS queries, NMAP and other port scanners, well-known backdoors and system vulnerabilities, DDoS clients, and many more;
  • Use syslog, SMB "WinPopUp" messages, or a file to alert an administrator;
  • Develop new rules quickly once the pattern (attack signature) for a vulnerability is known;
  • Record packets in human-readable form from the offending IP address in a hierarchical directory structure;
  • Be used as a "passive trap" to record the presence of traffic that should not be found on a network, such as NFS or Napster connections;
  • Be used on an existing workstation to monitor a home DSL connection, or on a dedicated server to monitor a corporate web site.

Snort uses the popular libpcap library, the same library that tcpdump uses to perform its packet sniffing. By putting the interface into promiscuous mode, Snort decodes every packet passing by on the network segment to which it is attached, not just the packets addressed to its own host. Based on the content of the individual packets and the rules defined in the configuration file, an alert is generated.
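To make the rule-base idea concrete, here is an added example written for these notes; it is not Snort's own code nor part of its stock rule set. It implements a tiny matcher for a subset of Snort's rule language (the real header format is action, protocol, source address and port, the -> direction, destination address and port, then options in parentheses) and runs two rules over constructed packets: a signature-style rule that looks for the classic /cgi-bin/phf CGI request on port 80, and a "passive trap" rule that fires on any NFS (port 2049) traffic. The sid values are hypothetical local rule numbers, the packets are constructed, and only "any" or exact ports, exact addresses, the -> direction and a single case-sensitive content match are supported; Snort proper handles much more (CIDR networks, port lists and ranges, nocase, TCP flags, preprocessors for stream reassembly and port-scan detection).

```python
"""Minimal Snort-style rule matcher (added illustration, not Snort's own code).

Parses a small subset of Snort's rule language:
    action proto src_ip src_port -> dst_ip dst_port (msg:"..."; content:"..."; sid:N;)
and evaluates the rules against constructed packets.  Supported: the 'any'
address/port wildcard, exact addresses and ports, the 'ip' protocol wildcard,
and a single case-sensitive 'content' substring.  Everything else Snort offers
(CIDR, port ranges, nocase, flags, preprocessors) is deliberately left out.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Packet:
    proto: str          # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)


# header: action proto src sport -> dst dport (options)
_HEADER = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)
# one key:value option, value either "quoted" or bare, terminated by ';'
_OPTION = re.compile(r'\s*(\w+)\s*:\s*("([^"]*)"|[^;]*)\s*;')


def parse_rule(text: str) -> Rule:
    """Parse one rule line into a Rule; raises ValueError on unsupported syntax."""
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for om in _OPTION.finditer(opts):
        key, raw, quoted = om.group(1), om.group(2), om.group(3)
        options[key] = quoted if quoted is not None else raw.strip()
    return Rule(action, proto.lower(), src, sport, dst, dport, options)


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or spec == str(port)


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet satisfies the rule header and its content option."""
    if rule.proto != "ip" and rule.proto != pkt.proto:   # 'ip' matches any transport
        return False
    if not (_addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)):
        return False
    if not (_addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport)):
        return False
    content = rule.options.get("content")
    if content is not None and content.encode() not in pkt.payload:
        return False
    return True


def run_rules(rules, packets):
    """Return one alert line per (packet, alert rule) hit, in packet order."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.action == "alert" and rule_matches(rule, pkt):
                alerts.append(
                    f"[{rule.options.get('sid', '?')}] {rule.options.get('msg', '')} "
                    f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
                )
    return alerts


# Constructed rules; sids 1000001/1000002 are hypothetical local-rule numbers.
RULES = [parse_rule(r) for r in [
    # signature-style rule: known attack string in an HTTP request
    'alert tcp any any -> any 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf"; sid:1000001;)',
    # "passive trap": any NFS traffic (tcp or udp) on a network that should carry none
    'alert ip any any -> any 2049 (msg:"POLICY NFS traffic seen"; sid:1000002;)',
]]

# Constructed sample traffic (not a real capture).
PACKETS = [
    Packet("tcp", "10.0.0.5", 40000, "10.0.0.80", 80, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"),
    Packet("tcp", "10.0.0.5", 40001, "10.0.0.80", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("udp", "10.0.0.7", 1023, "10.0.0.9", 2049, b"\x00" * 8),
    Packet("tcp", "10.0.0.7", 1024, "10.0.0.9", 22, b"SSH-2.0-OpenSSH\r\n"),
]

if __name__ == "__main__":
    for line in run_rules(RULES, PACKETS):
        print(line)
```

Run stand-alone it prints two alerts: the phf request on port 80 and the UDP datagram to port 2049; the plain index.html request and the SSH connection pass silently. The two rule strings above are valid Snort syntax as written, so the same lines could go into a local rules file that snort.conf includes; the value of the passive-trap rule is that it needs no attack signature at all, only knowledge of what traffic your network should never carry.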

Before Installing Snort

There are a few things you should determine before you install Snort.

  • Do you have approval from your organization to run an intrusion detection device?
  • Is the system you are installing Snort on secure? The last thing you want is the false sense of security that comes from watching what you think is happening on the network while an intruder has already modified the sensor and its logs. Use OpenSSH for all remote access to the sensor; plain-text logins are not acceptable. Reading the Solaris Security FAQ and the Linux Security HOWTO should provide you with a starting point.
  • Where are you going to put it? If you are simply trying to find out who is port scanning or attempting to attack your home system, it is an easy decision. Placement in an organization may be more difficult: a sensor only sees the segment it is attached to, so a switched network needs a mirror (SPAN) port or a hub at the point you want to watch.
  • Are the date and time correct? Ensure the time and date are correct on the host Snort will run on; an alert with the wrong timestamp is very hard to correlate with firewall or server logs. Install the xntpd time server so you can be sure the time of the events you record is correct. Chances are it is included with or already installed on your system but may still need to be configured. Alternatively, once you have found a suitable time server from the URL provided above, an entry in /etc/crontab such as the following should suffice (the sixth field is the user to run as; a per-user crontab installed with crontab -e has no user field):
    00 * * * * root /usr/sbin/ntpdate -u 
    Note that ntpdate cannot set the clock while xntpd is running (it reports that the NTP socket is in use), so use the daemon, which disciplines the clock continuously, or the hourly cron job, not both.



Last edited June 24, 2003 2:00 am (diff)
(C) Copyright 2003 Samuel Hart
Creative Commons License
This work is licensed under a Creative Commons License.