Host-based intrusion detection using psad
hi,
WHY build a HIDS?
-well, if you have a persistent BT4 installation and are using it for your daily (pentest) work, you should protect your laptop well, and especially you should know who is watching you ;-)
background: psad - Intrusion Detection with iptables, iptables Log Analysis, iptables Policy Analysis: "psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic"
1. install fwsnort perl dependencies
Code:
sudo perl -MCPAN -e 'install HTML::Template'
sudo perl -MCPAN -e 'install Net::IPv4Addr'
Note: if this is your first time running MCPAN, you should probably update
the CPAN bundle first! (sudo perl -MCPAN -e 'install CPAN')
2. install fwsnort (release 1.1)
Code:
cd /tmp && wget http://cipherdyne.org/fwsnort/download/fwsnort-1.1.tar.bz2
tar xvf fwsnort-1.1.tar.bz2 && cd fwsnort-1.1
sudo perl install.pl
Note: If asked to download latest snort sigs, type yes
2.1 modify fwsnort.conf
Code:
sudo vi /etc/fwsnort/fwsnort.conf
and change the line:
unameCmd /bin/uname;
3. install psad
Code:
sudo apt-get update && sudo apt-get install psad
Note: apt will also install necessary dependencies
3.1 configure psad
Code:
sudo vi /etc/psad/psad.conf
Note: adjust these settings to your requirements:
HOSTNAME _CHANGEME_;
HOME_NET NOT_USED; ### only one interface on my laptop!
ALERTING_METHODS noemail;
Don't touch the rest of default settings for your initial tests.
4. run bastille to create the necessary hardened environment (answers below
reflect NOT the most secure environment, but at least a good start!)
Note: answer all questions carefully according to your needs, especially in
the firewall section - this is needed because psad is based on iptables ;-)
You should have a proper firewall script anyway - highly recommended on
any auditor's laptop!
Any changes can easily be made through the bastille config file
/etc/Bastille/bastille-firewall.cfg
5. restart syslogd, start iptables & psad
Code:
sudo /etc/init.d/sysklogd restart && sudo /etc/init.d/bastille-firewall start && sudo /etc/init.d/psad start
Note: It is also good to update the psad signatures on a regular basis
- manually with sudo psad --sig-update or via crontab.
default psad log directory: cd /var/log/psad/
To see the latest port scan activities, just execute:
Note: for each detected IP address there will be a separate directory
with a lot of useful details (/var/log/psad/{attackers ip})
Special Note:
If you want to create a visualization like the one you see at cipherdyne.org,
execute the following steps:
install afterglow:
Code:
cd /opt/{your install dir} && wget -O afterglow-1.5.9.tar.gz 'http://downloads.sourceforge.net/project/afterglow/AfterGlow%201.x/1.5.9/afterglow-1.5.9.tar.gz?use_mirror=freefr'
tar xvf afterglow-1.5.9.tar.gz && cd afterglow/src/perl
now run the iptables log export and pipe stdout into the afterglow magic:
Code:
psad --CSV --CSV-fields "src dst dp" --CSV-max 1000 \
-m /var/log/kern.log \
|perl graph/afterglow.pl -c parsers/color.properties \
|neato -Tgif -o iptables_graph.gif
/opt/kde3/bin/kview iptables_graph.gif
Note: adjust the color.properties file for your environment!
more examples: Honeynet Scan30 challenge visualization
Happy packet-watching!
/brtw2003
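As an added example, not part of brtw2003's post and not code from psad itself, the following POSIX shell script shows what psad does with the iptables LOG lines it reads: it turns them into the same "src dst dp" columns that `psad --CSV --CSV-fields "src dst dp"` exports for afterglow, then flags every source that has hit at least a threshold of distinct destination ports, which is the core of psad's port-scan detection (psad's real danger levels, signature matching and fwsnort rules go well beyond this). The log lines are constructed for the example, the `DROP ` prefix is assumed to be whatever your LOG rule sets with `--log-prefix`, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from psad): turn iptables LOG
# lines into psad-style "src,dst,dp" CSV and flag port-scanning sources.
# Runs entirely on constructed sample input; it never touches a live firewall.

# Constructed kern.log lines in the format the iptables LOG target writes.
# The "DROP " prefix is an assumption (it is whatever --log-prefix you use).
sample_log() {
    cat <<'EOF'
Jan 10 12:00:01 laptop kernel: [ 100.1] DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:01 laptop kernel: [ 100.2] DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:01 laptop kernel: [ 100.3] DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 laptop kernel: [ 101.1] DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 laptop kernel: [ 101.2] DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 laptop kernel: [ 101.3] DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=40006 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:05:10 laptop kernel: [ 410.1] DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.9 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 12:05:11 laptop kernel: [ 411.1] DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.9 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8 DF PROTO=TCP SPT=51001 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 12:05:12 laptop kernel: [ 412.1] DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.9 DST=10.0.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
EOF
}

# Convert LOG lines on stdin to "src,dst,dp" rows, the same three columns
# psad --CSV --CSV-fields "src dst dp" emits for afterglow.
# Lines without a destination port (ICMP, for example) are skipped.
log_to_csv() {
    awk '{
        src = ""; dst = ""; dp = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dp  = substr($i, 5)
        }
        if (src != "" && dst != "" && dp != "") print src "," dst "," dp
    }'
}

# Read CSV rows on stdin and print "source count" for every source that hit
# at least $1 distinct destination ports; counting distinct ports per source
# is the heart of what psad's port-scan detection does.
scan_sources() {
    awk -F, -v thr="$1" '
        !seen[$1, $3]++ { ports[$1]++ }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }
    '
}

# Usage with real logs instead of the sample would be, for example:
#   grep "DROP " /var/log/kern.log | log_to_csv | scan_sources 5
sample_log | log_to_csv | scan_sources 5
```

With the sample above only 10.0.0.5 is reported (six distinct ports); 10.0.0.9 touched two ports and its ICMP echo has no DPT, so it never reaches the CSV. If your LOG rules are rate-limited with `-m limit` to survive the flood scenario mentioned later in the thread, remember that psad (and this script) only ever sees the logged sample, so distinct-port counts will be low compared with the real scan.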
Re: Host-based intrusion detection using psad
Quote:
Originally Posted by
brtw2003
-well, if you have a persistent BT4 installation and are using it for your daily (pentest) work, you should protect your laptop well, and especially you should know who is watching you ;-)
Could not agree more with you, brtw2003. Thanks for writing this up and posting it, very useful. :cool: Let me know, does setting this up affect your pen testing or the performance of your machine in any way?
Re: Host-based intrusion detection using psad
Quote:
Originally Posted by
chap0
Could not agree more with you, brtw2003. Thanks for writing this up and posting it, very useful. :cool: Let me know, does setting this up affect your pen testing or the performance of your machine in any way?
hi.
not really, because the psad daemon is just using the iptables log feature + a fifo to redirect logs for real-time parsing.
Of course it can have an effect if you are targeted by some kind of DDoS attack and your iptables/fifo is flooded
with log entries ;-)
I also don't use automated blocking of src IPs nor email alerting..
/brtw2003
Re: Host-based intrusion detection using psad
How do I save the edited settings like
HOSTNAME _CHANGEME_;
HOME_NET NOT_USED; ### only one interface on my laptop!
ALERTING_METHODS noemail;
Thanks