hi,
WHY build a HIDS?
-well, if you have a persistent BT4 installation and use it for your daily (pentest) work, you should protect your laptop well, and especially you should know who is watching you ;-)
background: psad - Intrusion Detection with iptables, iptables Log Analysis, iptables Policy Analysis "psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic"
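What "analyze iptables log messages to detect port scans" boils down to, as an added example in POSIX shell (this is not code from the original post and not psad's own code; the kernel log lines are constructed, and the threshold of 3 distinct ports is an arbitrary choice for the demo):

```sh
#!/bin/sh
# Added example (not code from the original post or from psad): a miniature of
# what psad does with iptables LOG messages. Only the analysis idea is shown:
# pick the SRC=/DPT= fields out of each iptables LOG line and flag sources that
# touched more distinct destination ports than a threshold allows, which is the
# basic signal behind psad's port-scan alerts.

# Read kernel log lines on stdin and print one "src dpt" pair per iptables LOG
# line. Lines without IN=/SRC=/DPT= (ordinary kernel messages) are skipped.
extract_src_dpt() {
    awk '
        /IN=.*SRC=.*DPT=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "") print src, dpt
        }'
}

# Read "src dpt" pairs on stdin and print "src distinct_port_count" for every
# source whose distinct destination-port count exceeds the threshold in $1.
scan_candidates() {
    sort -u | awk -v t="$1" '
        { ports[$1]++ }
        END { for (s in ports) if (ports[s] > t) print s, ports[s] }' | sort
}

# Constructed sample log (not captured from a real host): 10.0.0.5 probes five
# different ports, 10.0.0.9 hits port 53 twice (UDP and TCP), and one ordinary
# kernel message is mixed in to show that it is ignored.
sample_log() {
    cat <<'EOF'
Jan  1 10:00:01 bt4 kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 10:00:01 bt4 kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 10:00:01 bt4 kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=TCP SPT=40002 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 10:00:02 bt4 kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=TCP SPT=40003 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 10:00:02 bt4 kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=TCP SPT=40004 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 10:00:03 bt4 kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 PROTO=UDP SPT=5353 DPT=53 LEN=40
Jan  1 10:00:03 bt4 kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=50000 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  1 10:00:04 bt4 kernel: eth0: link up, 100Mbps, full-duplex
EOF
}

# Usage: sh this_script.sh /var/log/kern.log [threshold]
# With no arguments the constructed sample is analysed with a threshold of 3.
if [ "$#" -gt 0 ]; then
    extract_src_dpt < "$1" | scan_candidates "${2:-3}"
else
    sample_log | extract_src_dpt | scan_candidates 3
fi
```

Run against the sample, only 10.0.0.5 is reported (5 distinct ports); 10.0.0.9 stays under the threshold because both of its hits went to the same port. psad adds a lot on top of this (danger levels, time windows, signature matching, per-source whois and the directories under /var/log/psad/), but the raw input it works from is exactly these iptables LOG lines, which is why the firewall in step 4 must actually log.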
1. install fwsnort perl dependencies
Code:
sudo perl -MCPAN -e 'install HTML::Template'
sudo perl -MCPAN -e 'install Net::IPv4Addr'
Note: if this is your first time running MCPAN, you should probably update the
CPAN bundle first! (sudo perl -MCPAN -e 'install CPAN')
2. install fwsnort (release 1.1)
Code:
cd /tmp && wget http://cipherdyne.org/fwsnort/download/fwsnort-1.1.tar.bz2
tar xvf fwsnort-1.1.tar.bz2 && cd fwsnort-1.1
sudo perl install.pl
Note: if asked to download the latest Snort sigs, type yes
2.1 modify fwsnort.conf
Code:
sudo vi /etc/fwsnort/fwsnort.conf
and change the unameCmd line to:
unameCmd /bin/uname;
3. install psad
Code:
sudo apt-get update && sudo apt-get install psad
Note: apt will also install the necessary dependencies
3.1 configure psad
Code:
sudo vi /etc/psad/psad.conf
Note: adjust these settings to your requirements:
HOSTNAME _CHANGEME_;
HOME_NET NOT_USED; ### only one interface on my laptop!
ALERTING_METHODS noemail;
Don't touch the rest of the default settings for your initial tests.
4. run bastille to create the necessary hardened environment (the answers below
do NOT give the most secure environment, but at least a good start!)
Note: answer all questions carefully according to your needs, especially in
the firewall section - psad needs this because it works from the iptables log messages ;-)
You should have a proper firewall script anyway - highly recommended on
any auditor's laptop!
Any changes can easily be adjusted later through the Bastille config file
/etc/Bastille/bastille-firewall.cfg
5. restart syslogd, start iptables & psad
Code:
sudo /etc/init.d/sysklogd restart && sudo /etc/init.d/bastille-firewall start && sudo /etc/init.d/psad start
Note: it is also good to update the psad signatures on a regular basis
- manually with sudo psad --sig-update or via crontab.
default psad log directory: cd /var/log/psad/
To see the latest port scan activities, just execute:
Note: for every detected IP address there will be a separate directory
with a lot of useful details (/var/log/psad/{attacker's ip})
Special Note:
If you wanna create a visualization like the one you see at cipherdyne.org,
follow these steps:
install afterglow:
Code:
cd /opt/{your install dir} && wget 'http://downloads.sourceforge.net/project/afterglow/AfterGlow%201.x/1.5.9/afterglow-1.5.9.tar.gz?use_mirror=freefr'
tar xvf afterglow-1.5.9.tar.gz && cd afterglow/src/perl
now run the psad CSV export of the iptables log and pipe stdout into the afterglow magic:
Code:
psad --CSV --CSV-fields "src dst dp" --CSV-max 1000 \
  -m /var/log/kern.log \
  | perl graph/afterglow.pl -c parsers/color.properties \
  | neato -Tgif -o iptables_graph.gif
/opt/kde3/bin/kview iptables_graph.gif
Note: adjust the color.properties file for your environment!
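What afterglow builds out of those three CSV columns, as an added example in POSIX shell (not code from the original post, from psad or from AfterGlow): the same "src,dst,dp" lines that psad --CSV emits are turned directly into a Graphviz DOT graph that neato can render. The CSV lines in sample_csv are constructed, the node colours just mimic the usual color.properties choice (red sources, blue targets, green ports), and the --stdin switch is this script's own:

```sh
#!/bin/sh
# Added example (not from the original post, psad or AfterGlow): turn the
# "src,dst,dp" CSV that psad --CSV emits into a Graphviz DOT graph for neato.
# AfterGlow draws the same three-column picture (source -> destination ->
# destination port) with many more options; this shows what that graph is
# made of and works when AfterGlow is not installed. Node colours mimic the
# usual color.properties choice of red sources, blue targets, green ports.
# The CSV lines in sample_csv are constructed, not real psad output.

# Read "src,dst,dp" lines on stdin and print a DOT digraph on stdout.
# Nodes and edges are de-duplicated so repeated log entries do not
# clutter the picture; lines without exactly three fields are ignored.
csv_to_dot() {
    awk -F, '
        BEGIN { print "digraph iptables {"; print "  overlap=false;" }
        NF == 3 {
            src = "\"" $1 "\""
            dst = "\"" $2 "\""
            dp  = "\"port " $3 "\""
            if (!(src in node)) { node[src] = 1; print "  " src " [color=red];" }
            if (!(dst in node)) { node[dst] = 1; print "  " dst " [color=blue];" }
            if (!(dp in node))  { node[dp] = 1;  print "  " dp " [color=green];" }
            e1 = src " -> " dst
            e2 = dst " -> " dp
            if (!(e1 in edge)) { edge[e1] = 1; print "  " e1 ";" }
            if (!(e2 in edge)) { edge[e2] = 1; print "  " e2 ";" }
        }
        END { print "}" }'
}

# Count the unique edges in a DOT text read on stdin (handy for a quick check).
count_edges() {
    grep -c -- ' -> '
}

# Constructed sample: two sources, one target, two ports, one duplicate line.
sample_csv() {
    cat <<'EOF'
10.0.0.5,10.0.0.2,22
10.0.0.5,10.0.0.2,80
10.0.0.9,10.0.0.2,22
10.0.0.5,10.0.0.2,22
EOF
}

# Usage with the real export (the --stdin switch belongs to this script only):
#   psad --CSV --CSV-fields "src dst dp" --CSV-max 1000 -m /var/log/kern.log \
#     | sh this_script.sh --stdin | neato -Tgif -o iptables_graph.gif
# Without --stdin the constructed sample is graphed instead.
if [ "${1:-}" = "--stdin" ]; then
    csv_to_dot
else
    sample_csv | csv_to_dot
fi
```

The duplicate fourth CSV line adds nothing to the output, which is the point of de-duplicating: a scanner that hits the same port a thousand times should show up as one edge, not a thousand, otherwise neato draws an unreadable ball of lines.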
more examples: Honeynet Scan30 challenge visualization
Happy packet-watching!
/brtw2003