Results 1 to 4 of 4

Thread: Host-based intrusion detection using psad

Threaded View

  1. #1

    Default Host-based intrusion detection using psad

    hi,

    WHY building a HIDS?
    -well, if you have a persistent BT4 installation and using it for your daily (pentest) work, you should well-protect your laptop and especially you should know who is watching you ;-)

    background: psad - Intrusion Detection with iptables, iptables Log Analysis, iptables Policy Analysis "psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic"


    1. install fwsnort perl dependencies
    Code:
    sudo perl -MCPAN -e 'install HTML::Template'
    	sudo perl -MCPAN -e 'install Net::IPv4Addr'
    Note: if this is your first time running MCPAN, you should propably update
    CPAN bundle first! (sudo perl -MCPAN -e 'install CPAN')

    2. install fwsnort (release 1.1)
    Code:
    cd /tmp && wget http://cipherdyne.org/fwsnort/download/fwsnort-1.1.tar.bz2
       tar xvf fwsnort-1.1.tar.bz2 && cd fwsnort-1.1
       sudo perl install.pl
    Note: If asked to download latest snort sigs, type yes

    2.1 modify fwsnort.conf
    Code:
    sudo sudo vi /etc/fwsnort/fwsnort.conf
    and change line:
    unameCmd /bin/uname;

    3. install psad
    Code:
    sudo apt-get update && sudo apt-get install psad
    Note: apt will also install necessary dependencies

    3.1 configure psad
    Code:
    sudo vi /etc/psad/psad.conf
    Note: adjust this settings to your requirements:
    HOSTNAME _CHANGEME_;
    HOME_NET NOT_USED; ### only one interface on my laptop!
    ALERTING_METHODS noemail;

    Don't touch the rest of default settings for your initial tests.


    4. run bastille to create the necessary hardened environment (answers below
    reflect NOT the most secured environment, but at least a good start!)

    Code:
    sudo bastille
    Note: answer carefully all questions to your needs, especially in
    the firewall section - this is needed because psad is based on iptables ;-)
    You should have a proper firewall script anyway - highly recommended on
    any auditors laptop !
    Any changes can easiely adjusted through the bastille config file
    /etc/Bastille/bastille-firewall.cfg


    5. restart syslogd, start iptables & psad
    Code:
    sudo /etc/init.d/sysklogd restart & sudo /etc/init.d/bastille-firewall && sudo /etc/init.d/psad start
    Note: It is also good, to update on a regular base the psad signatures
    - manual like sudo psad --sig-update or via crontab.

    default psad log directory: cd /var/log/psad/

    To see latest port scan activities, just execute:
    Code:
    sudo psad -S
    Note: for any detected ip address there will be a separate directory
    with a lot of useful details (/var/log/psad/{attackers ip})


    Special Note:
    If you wanna create some visualization like that one you see at cipherdyne.org,
    execute following steps:

    install afterglow:
    Code:
    cd /opt/{your install dir} && wget http://downloads.sourceforge.net/project/afterglow/AfterGlow%201.x/1.5.9/afterglow-1.5.9.tar.gz?use_mirror=freefr
    	tar xvf afterglow-1.5.9.tar.gz && cd afterglow/src/perl
    now run the iptables log export and redirect stdout to afterglow magic:
    Code:
    psad --CSV --CSV-fields "src dst dp" --CSV-max 1000 \
    	-m /var/log/kern.log \
    	|perl graph/afterglow.pl parsers/color.properties \
    	|neato -Tgif -o iptables_graph.gif
    
    	/opt/kde3/bin/kview iptables_graph.gif
    Note: adjust the color.properties file for your environment!
    more examples: Honeynet Scan30 challenge visualization

    Happy packet-watching!

    /brtw2003
    Last edited by brtw2003; 02-23-2010 at 08:26 PM.

Similar Threads

  1. BT4 VMWare on XP Host
    By mattyj1085 in forum Beginners Forum
    Replies: 1
    Last Post: 02-24-2010, 07:17 AM
  2. HELP: Multi Mode WLAN based on a Fake AP
    By maminej in forum Beginners Forum
    Replies: 2
    Last Post: 01-31-2010, 03:18 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •