HOWTO_NIDS
What's that?
Please take a look at NIDS.
System setup
Here is an example of how your system can be configured.

The NIDS is a server with two Ethernet interfaces, located in the red zone of your network. The red zone is high risk because of the increased probability of attacks from the Internet. Everything in your private network is important and must be hidden from the public Internet. If someone tries to enter your private network, it is important that your NIDS detects it and takes measures, such as turning off the firewall or disconnecting it from the Internet.
How to connect network interfaces
The NIDS has two interfaces:
- The first interface is connected to the private network and is used to reach the server and configure it.
- The second interface sniffs and checks all the traffic (incoming and outgoing) of the firewall. The simplest way to connect this interface is to use a hub.

This configuration emulates the behaviour of a hub, which replicates the traffic of any connected device on all the other ports.
How to configure network interfaces
As shown in the figure, network interfaces must be configured as follows:
- eth0 is connected to the private network, so it needs a private IP address such as 192.168.x.y
- eth1 is configured in promiscuous mode, so it can sniff all packets crossing the hub; in this case, packets from and to the firewall.
File: /etc/conf.d/net
iface_eth0="192.168.x.y broadcast 192.168.x.255 netmask 255.255.255.0"
iface_eth1="0.0.0.0 broadcast 255.255.255.255 netmask 0.0.0.0"
gateway="eth0/192.168.x.254"
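To confirm on a running sensor that eth1 ended up as described above (promiscuous, no IP address), the following shell check can be used. It is an added example, not part of the original HOWTO; it assumes Linux sysfs and the iproute2 `ip` tool, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): audit the sniffing interface.
# Assumptions: Linux sysfs, iproute2; eth1 is the sniffing interface as on this page.

# is_promisc FLAGS_HEX: succeeds if IFF_PROMISC (0x100) is set in the
# value read from /sys/class/net/<iface>/flags
is_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# has_ipv4 ADDR_OUTPUT: succeeds if the output of
# `ip -o -4 addr show dev <iface>` lists at least one IPv4 address
has_ipv4() {
    printf '%s\n' "$1" | grep -Eq 'inet [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/'
}

# audit_sniffer FLAGS_HEX ADDR_OUTPUT: prints findings and returns the
# number of problems found (0 = interface matches the layout)
audit_sniffer() {
    problems=0
    if ! is_promisc "$1"; then
        echo "FAIL: sniffing interface is not in promiscuous mode"
        problems=$((problems + 1))
    fi
    if has_ipv4 "$2"; then
        echo "FAIL: sniffing interface has an IPv4 address"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "OK: promiscuous and unaddressed"
    return "$problems"
}

# audit_live IFACE: run the audit against a real interface, e.g. audit_live eth1
audit_live() {
    audit_sniffer "$(cat "/sys/class/net/$1/flags")" \
                  "$(ip -o -4 addr show dev "$1")"
}

# Constructed sample values (not captured from a real host):
# 0x1103 = UP|BROADCAST|PROMISC|MULTICAST, 0x1003 = the same without PROMISC
audit_sniffer 0x1103 ""
audit_sniffer 0x1003 "3: eth1    inet 192.168.0.9/24 scope global eth1" || true
```

Run `audit_live eth1` on the sensor after Snort has started; a non-zero return value is the number of failed checks.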
Set up Snort to do this work
First take a look at HOWTO Snort.
You need to edit the following file if you want to set up a network IDS.
File: /etc/snort/snort.conf
# var
# your subnet
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET !$HOME_NET

# preprocessors
preprocessor frag2
preprocessor stream4: detect_scans detect_state_problems disable_evasion_alerts
preprocessor stream4_reassemble: ports all
preprocessor http_decode: 80 8080 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
