
Thread: Host-based intrusion detection using psad


  1. #1

    Default Host-based intrusion detection using psad

    hi,

    WHY building a HIDS?
    -well, if you have a persistent BT4 installation and use it for your daily (pentest) work, you should protect your laptop well, and especially you should know who is watching you ;-)

    background: psad - Intrusion Detection with iptables, iptables Log Analysis, iptables Policy Analysis "psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic"


    1. install fwsnort perl dependencies
    Code:
    sudo perl -MCPAN -e 'install HTML::Template'
    sudo perl -MCPAN -e 'install Net::IPv4Addr'
    Note: if this is your first time running MCPAN, you should probably update the
    CPAN bundle first! (sudo perl -MCPAN -e 'install CPAN')

    2. install fwsnort (release 1.1)
    Code:
    cd /tmp && wget http://cipherdyne.org/fwsnort/download/fwsnort-1.1.tar.bz2
    tar xvf fwsnort-1.1.tar.bz2 && cd fwsnort-1.1
    sudo perl install.pl
    Note: If asked to download latest snort sigs, type yes

    2.1 modify fwsnort.conf
    Code:
    sudo vi /etc/fwsnort/fwsnort.conf
    and change line:
    unameCmd /bin/uname;

    3. install psad
    Code:
    sudo apt-get update && sudo apt-get install psad
    Note: apt will also install necessary dependencies

    3.1 configure psad
    Code:
    sudo vi /etc/psad/psad.conf
    Note: adjust this settings to your requirements:
    HOSTNAME _CHANGEME_;
    HOME_NET NOT_USED; ### only one interface on my laptop!
    ALERTING_METHODS noemail;

    Don't touch the rest of default settings for your initial tests.


    4. run bastille to create the necessary hardened environment (the answers below
    do NOT reflect the most secure environment, but they are at least a good start!)

    Code:
    sudo bastille
    Note: answer all questions carefully according to your needs, especially in
    the firewall section - this is needed because psad is based on iptables ;-)
    You should have a proper firewall script anyway - highly recommended on
    any auditor's laptop!
    Any changes can easily be adjusted through the bastille config file
    /etc/Bastille/bastille-firewall.cfg


    5. restart syslogd, start iptables & psad
    Code:
    sudo /etc/init.d/sysklogd restart && sudo /etc/init.d/bastille-firewall start && sudo /etc/init.d/psad start
    Note: It is also good to update the psad signatures on a regular basis,
    manually with sudo psad --sig-update or via crontab.

    default psad log directory: cd /var/log/psad/

    To see latest port scan activities, just execute:
    Code:
    sudo psad -S
    Note: for each detected IP address there will be a separate directory
    with a lot of useful details (/var/log/psad/{attackers ip})


    Special Note:
    If you want to create a visualization like the one you see at cipherdyne.org,
    execute the following steps:

    install afterglow:
    Code:
    cd /opt/{your install dir} && wget -O afterglow-1.5.9.tar.gz 'http://downloads.sourceforge.net/project/afterglow/AfterGlow%201.x/1.5.9/afterglow-1.5.9.tar.gz?use_mirror=freefr'
    tar xvf afterglow-1.5.9.tar.gz && cd afterglow/src/perl
    now run the iptables log export and redirect stdout to afterglow magic:
    Code:
    psad --CSV --CSV-fields "src dst dp" --CSV-max 1000 \
        -m /var/log/kern.log \
        | perl graph/afterglow.pl parsers/color.properties \
        | neato -Tgif -o iptables_graph.gif

    /opt/kde3/bin/kview iptables_graph.gif
    Note: adjust the color.properties file for your environment!
    more examples: Honeynet Scan30 challenge visualization

    Happy packet-watching!

    /brtw2003
    Last edited by brtw2003; 02-23-2010 at 08:26 PM.
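    As an added example (not code from brtw2003's post or from psad itself), the Python below shows what psad does with the kern.log lines the walkthrough feeds it: it parses iptables LOG records, counts distinct destination ports per source to flag a scan, and emits the same src,dst,dp rows the --CSV pipeline hands to afterglow. The log lines, hostname and addresses are constructed, and the threshold of five ports is an assumption for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of iptables LOG lines in /var/log/kern.log style
# (hypothetical RFC 5737 addresses: one scanner, one benign SSH client, one ping).
SAMPLE_KERN_LOG = """\
Feb 23 20:01:01 bt4 kernel: [ 801.10] DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 SYN
Feb 23 20:01:01 bt4 kernel: [ 801.11] DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 SYN
Feb 23 20:01:01 bt4 kernel: [ 801.12] DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 SYN
Feb 23 20:01:02 bt4 kernel: [ 801.13] DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 SYN
Feb 23 20:01:02 bt4 kernel: [ 801.14] DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 SYN
Feb 23 20:01:02 bt4 kernel: [ 801.15] DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40006 DPT=443 WINDOW=1024 SYN
Feb 23 20:05:00 bt4 kernel: [1040.01] DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=51515 DPT=22 WINDOW=5840 SYN
Feb 23 20:06:00 bt4 kernel: [1100.01] DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
"""

# Fields the kernel LOG target writes; SPT/DPT exist only for TCP/UDP, not ICMP.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def parse_iptables_log(text):
    """Yield (src, dst, proto, dpt) per LOG line; dpt is None for ICMP."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:  # lines without an iptables LOG record are skipped
            yield m["src"], m["dst"], m["proto"], m["dpt"]

def detect_port_scans(text, min_ports=5):
    """Sources that hit >= min_ports distinct ports -> {src: sorted ports}.
    Simplified form of the per-source port-count heuristic psad applies
    to dropped packets in the iptables log (threshold is an assumption)."""
    ports = defaultdict(set)
    for src, _dst, _proto, dpt in parse_iptables_log(text):
        if dpt is not None:
            ports[src].add(int(dpt))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

def to_csv_rows(text):
    """'src,dst,dp' rows, the shape `psad --CSV --CSV-fields "src dst dp"` feeds afterglow."""
    return [f"{s},{d},{dp}" for s, d, _p, dp in parse_iptables_log(text) if dp is not None]

if __name__ == "__main__":
    for src, hit in detect_port_scans(SAMPLE_KERN_LOG).items():
        print(f"possible port scan from {src}: ports {hit}")
    print("\n".join(to_csv_rows(SAMPLE_KERN_LOG)))
```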

  2. #2
    Junior Member | Join Date: Feb 2010 | Location: on this page | Posts: 34

    Default Re: Host-based intrusion detection using psad

    Quote Originally Posted by brtw2003 View Post
    -well, if you have a persistent BT4 installation and using it for your daily (pentest) work, you should well-protect your laptop and especially you should know who is watching you ;-)
    Could not agree more with you, brtw2003. Thanks for writing this up and posting it, very useful. Let me know, does setting this up affect your pen testing or the performance of your machine in any way?

  3. #3

    Default Re: Host-based intrusion detection using psad

    Quote Originally Posted by chap0 View Post
    Could not agree more with you, brtw2003. Thanks for writing this up and posting it, very useful. Let me know, does setting this up affect your pen testing or the performance of your machine in any way?
    hi.

    not really, because the psad daemon is just using the iptables log feature + a fifo to redirect logs for real-time parsing.
    Of course it can have an effect if you are targeted by some kind of DDoS attack and your iptables/fifo is flooded
    with log entries ;-)


    I also don't use automated blocking of src IPs or email alerting.

    /brtw2003

  4. #4
    Junior Member | Join Date: Jan 2010 | Location: uk | Posts: 29

    Default Re: Host-based intrusion detection using psad

    How do I save the edited scripts like
    HOSTNAME _CHANGEME_;
    HOME_NET NOT_USED; ### only one interface on my laptop!
    ALERTING_METHODS noemail;


    thanks
