HOWTO : Intrusion Detection System made easy

An Intrusion Detection System (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling a computer system, mainly through a network such as the Internet. These attempts may take the form of attacks by, for example, crackers, malware and/or disgruntled employees.

EasyIDS is currently built from CentOS 4.6 and Snort. It is a passive system. EasyIDS is installed on a dedicated personal computer. It is very easy to set up, with almost nothing to configure. For installation and setup, please refer to the Documentation section of its website.

EasyIDS requires at least two network interface cards (NICs), 384MB of RAM or more and an 8GB or larger hard drive. The system can be configured by means of a web GUI in your browser.

I put my EasyIDS behind my ZeroShell, a firewalled PC-based router, and connected to the other servers and clients by switches.

Home Network with Passive IDS


A switch with port mirroring is very expensive, and a hub is hard to purchase in Hong Kong nowadays. You can make a DIY network TAP according to this link.

The colour code of the cable and jack (I purchased 4 CLIPSAL jacks and 1 CLIPSAL panel):
1 = orange/white
2 = orange
3 = green/white
4 = blue
5 = blue/white
6 = green
7 = brown/white
8 = brown

8 7 3 6
4 5 2 1

*If you have unplugged and replugged the cable(s), you should reboot your EasyIDS; otherwise, it will not work properly.

I am now working on turning the EasyIDS to be an Intrusion Prevention System (IPS).

Security is very important even at home!

Reference links:
IDS/IPS placement on home network
Construction and use of passive Ethernet TAP
Simple SOHO IDS with Snort & a DIY Network TAP
Building an Ethernet TAP

5 Responses

  1. […] (1) Router (2) NAS – Part I (Introduction) (3) NAS – Part II (Samba) (4) NAS – Part III (vsFTPd) (5) NAS – Part IV (BitTorrent) (6) NAS – Part IV(a) (BitTorrent) (7) NAS – Part V (System Tunning) (8) NAS – Part VI (ClamAV) (9) NAS – Part VII (Music Server) (10) IP-PBX (VoIP server) (11) Intrusion Detection System – IDS (Optional) […]

  2. Hi Samiux,

    regarding the network TAP, is it a must? Can’t you use ARP Spoofing and redirect all traffic through your box (with ip_forward enabled) to the gateway? Like this, all traffic shall flow through your box and you can capture the whole data.

    Why don’t you do it this way? What's the advantage of using a TAP rather than the technique above?

    best regards,
    rul3z

  3. rul3z,

    Please read this document at http://www.snort.org/docs/100Mb_tapping1.pdf

    The above document is talking about using a TAP and a switch that is equipped with port mirroring for capturing the data from the outside world. You can see everything but it is noisy.

    As a switch with port mirroring is very expensive for me (I am very poor), I use a DIY TAP for learning and studying purposes. For production, I suggest using a TAP with a switch that has a port mirror function.

    EasyIDS is based on CentOS and Snort. Snort is an Intrusion Detection System that works with rules. It needs to analyse the data against the rules to detect whether it is an attack or not. A TAP is a tool to sniff the data from the outside world.

    As far as I know, ARP Spoofing is a kind of attack under the rules of Snort.

    That’s what I understand so far. I am still studying Snort. It is a very powerful tool.

    Samiux

  4. Ok Samiux,

    I have no complaint about SNORT or EasyIDS, but what I wanted to know is why we don’t just use ARP Spoofing without the need to build/buy a network TAP. Because even if you need to listen from the outside, I think if you do the ARP Spoof the opposite way you can get that too (Not 100% sure).

    I hope you update us with what you get further from your study.

    Thank you for the Document, and I wish you get rich one day, you really deserve it ;)
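The point Samiux makes in the exchange above, that ARP spoofing is itself something a Snort sensor on the TAP'd segment flags, is easier to see with the detection logic in hand. The following is an added example, not code from the post, EasyIDS or Snort: it applies the same check an IDS uses, alerting on any IP claimed by more than one MAC, to a constructed list of ARP replies (all addresses are made up).

```python
# Constructed ARP replies as a passive IDS on the tapped segment would see them:
# (timestamp, sender IP, sender MAC). Sample data, not a real capture.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1", "00:11:22:33:44:01"),   # gateway answers normally
    (1.5, "192.168.1.10", "00:11:22:33:44:0a"),
    (2.0, "192.168.1.1", "00:11:22:33:44:01"),
    (2.5, "192.168.1.1", "00:11:22:33:44:ff"),   # a second MAC claims the gateway IP
    (3.0, "192.168.1.10", "00:11:22:33:44:0a"),
    (3.5, "192.168.1.1", "00:11:22:33:44:ff"),
]


def detect_arp_spoof(replies, trusted=None):
    """Alert on every ARP reply whose IP->MAC binding contradicts the known one.

    `trusted` is an optional static IP->MAC table (the same idea as the static
    host list Snort's arpspoof preprocessor accepts). IPs not in the table are
    learned from the first reply seen, so without a table the sensor trusts
    whichever host answered first; pinning the gateway avoids that race.
    """
    bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = bindings.setdefault(ip, mac)  # learn on first sight
        if known != mac:
            alerts.append({"ts": ts, "ip": ip, "expected": known, "seen": mac})
    return alerts


def suspicious_ips(replies, trusted=None):
    """Set of IPs involved in at least one binding conflict."""
    return {a["ip"] for a in detect_arp_spoof(replies, trusted)}


if __name__ == "__main__":
    for a in detect_arp_spoof(SAMPLE_ARP_REPLIES):
        print(f"t={a['ts']}: {a['ip']} claimed by {a['seen']} (expected {a['expected']})")
```

With the gateway pinned to the wrong MAC in `trusted`, the legitimate replies are what get flagged, which is why the static table must be maintained carefully.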
