Packet Level Intrusion Analysis - Part 1



1 Introduction

Intrusion detection and incident response are key components of securing any organization. What actually counts as an intrusion? How do you detect intrusions? And how do you respond to an intrusion? These are the key areas for this article.

In order to detect intrusions you must know the normal behavior of your network infrastructure, so that any abnormal behavior stands out as clearly as a drop of blue ink in a glass of water. There are many systems and scenarios by which you can detect intrusions in a network infrastructure.
An Intrusion Detection System (IDS) can detect intrusions against a single host or across an entire subnet in the environment; where you deploy the IDS depends on the design of your network infrastructure. Before getting into the details, let me explain the two ways an IDS fits into an environment.

A. Host-based IDS (HIDS)

B. Network-based IDS (NIDS)

Let's discuss the NIDS. Say you have a DMZ where your FTP, HTTP and database servers are located, and you are worried about intrusions coming in through the Internet-facing interface of your perimeter devices.

To monitor that environment for intrusions at the packet level, the tool I would recommend is the de facto standard for intrusion detection, Snort!

2 Packet Analysis

Scenario: a security analyst must track down an intrusion against the servers. The answer is to place an Intrusion Detection System in the DMZ.

Preparing the Snort Box:

Snort is the de facto standard for intrusion detection, and I'd say for intrusion prevention as well. The source is freely available for download from snort.org. At this stage I am assuming that you have downloaded Snort; to be clear, the open source Snort Intrusion Detection System runs on Linux/Unix platforms.
I would also recommend that you prepare a Linux machine (CentOS Server is recommended), stop all unnecessary services, and have MySQL server, PHP and Apache installed on your server. Harden the Linux box first. When you are done with your hardened CentOS server, it's time for Snort.
Untar the Snort source you just downloaded into /usr/snort and use the following commands to install Snort.

Configure Snort with:

# ./configure --with-mysql --enable-dynamicplugin

If you do not get any errors during configuration, build the configured tree with the make command.

If that shows no errors either, it's time for a fresh install: run make install. When you are done installing Snort, you need to add a dedicated user for Snort to run as. Use the following commands:

groupadd snort
useradd -g snort -s /sbin/nologin snort

Now you must create the following directories:

mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort

cd etc/ (note: this is the etc directory inside the Snort source tree, not /etc)
cp * /etc/snort

Then copy all the rules from the rules directory of the Snort source tree into /etc/snort/rules.
At this stage your IDS is installed; now you need to learn how to use it effectively to detect intrusions coming into your DMZ.
This is only a high-level overview. If you want to learn more about installing and configuring Snort, please read the user manual available on snort.org.

Snort runs in four different modes; the three that matter here are as follows.

Sniffer mode, which simply reads packets from the network and displays them for you in a continuous stream on the console (screen).

Packet logger mode, which logs packets to disk.

Network Intrusion Detection System (NIDS) mode, the most complex and configurable mode, which allows Snort to analyze network traffic for matches against a user-defined rule set and perform several actions based upon what it sees.

Let me explain the Snort modes one by one.
First, let's start with the basics. If you just want to print the TCP/IP packet headers to the screen (i.e., sniffer mode), try this:

# snort -v

This command will run Snort and just show the IP and TCP/UDP/ICMP headers, nothing else. If you want to see the application data in transit, try the following:

# snort -vd

This instructs Snort to display the packet data as well as the headers. If you want an even more descriptive display, showing the data link layer headers, do this:

# snort -vde

(As an aside, these switches may be split up or smashed together in any combination. The last command could also be typed out as follows and it would do the same thing.)

# snort -d -v -e

Since what we want is to detect intrusions in the DMZ, we will run Snort as an intrusion detection system. To enable Network Intrusion Detection System (NIDS) mode, so that you don't record every single packet sent down the wire, try this command:

# snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf

where snort.conf is the name of your rules file. This applies the rules configured in the snort.conf file to each packet to decide whether an action based upon the rule type in the file should be taken. If you don't specify an output directory for the program, it will default to /var/log/snort.
One thing to note about the last command line is that if Snort is going to be used in the long term as an IDS, the -v switch should be left off the command line for the sake of speed. The screen is a slow place to write data to, and packets can be dropped while writing to the display.
It's also not necessary to record the data link headers for most applications, so you can usually omit the -e switch, too.

# snort -d -h 192.168.1.0/24 -l ./log -c snort.conf

This will configure Snort to run in its most basic NIDS form, logging packets that trigger the rules specified in snort.conf to disk in plain ASCII, using a hierarchical directory structure (just like packet logger mode).

Now that I have covered enough of Snort itself, let me explain how Snort alerts when it detects an intrusion. As I mentioned at the beginning of this document, you can only detect intrusions if you know the normal behavior of your network.
When Snort generates an alert message, it will usually look like this:

[**] [116:56:1] (snort_decoder): T / TCP Detected [**]

The first number is the Generator ID; this tells the user what component of Snort generated the alert. For a list of GIDs, please read etc/generators in the Snort source. In this case, we know that this event came from the "decode" (116) component of Snort.

The second number is the Snort ID (sometimes referred to as the Signature ID). For a list of preprocessor SIDs, please see etc/gen-msg.map. Rule-based SIDs are written directly into the rules with the sid option. In this case, 56 is the T/TCP event.

The third number is the revision ID. This number is primarily used when writing signatures, as each revision of a rule should increment this number with the rev option.
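The alert header format above is regular enough to parse mechanically, and doing so lets you tie every GID:SID:REV back to the rules on disk. The following Python is an added example, not code from the original article or from the Snort project. The alert lines and the local.rules contents are constructed for the example (the sids in the 1000000+ local range and the rule messages are hypothetical), and the revision check assumes that an alert whose rev differs from the rev in the rules file means the running sensor loaded a different copy of the rule than the one on disk.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of Snort's full alert output ("[**] [gid:sid:rev] msg [**]"
# as printed to the console or /var/log/snort/alert). Made up for this example.
SAMPLE_ALERTS = """\
[**] [116:56:1] (snort_decoder): T/TCP Detected [**]
[**] [1:1000001:2] LOCAL ftp login attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/02-10:22:33.123456 203.0.113.7:51234 -> 192.168.1.10:21
[**] [1:1000002:1] LOCAL http scanner user-agent [**]
[Classification: Web Application Attack] [Priority: 1]
01/02-10:23:01.000001 203.0.113.7:51300 -> 192.168.1.20:80
[**] [1:1000003:1] LOCAL icmp sweep [**]
01/02-10:24:15.500000 203.0.113.7 -> 192.168.1.20
"""

# Constructed local rules (hypothetical sids in the 1000000+ local range). sid
# 1000002 is at rev:2 here but the alert above carries rev 1, and sid 1000003
# has no rule at all, so both failure cases below are exercised.
SAMPLE_RULES = """\
# local.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"LOCAL ftp login attempt"; content:"USER "; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL http scanner user-agent"; content:"User-Agent: scanner"; nocase; sid:1000002; rev:2;)
"""

ALERT_HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]\s*$")
PRIORITY = re.compile(r"\[Priority: (\d+)\]")
PACKET_LINE = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ (\S+) -> (\S+)\s*$")
RULE_OPTION = re.compile(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]*);')  # name:value; pairs


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    priority: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None

    @property
    def source(self) -> str:
        # GID 1 is a text rule; any other GID is a decoder/preprocessor
        # component (listed in etc/generators in the Snort source).
        return "rule" if self.gid == 1 else "decoder/preprocessor"


def parse_alerts(text: str) -> List[Alert]:
    """Turn Snort's multi-line alert records into Alert objects."""
    alerts: List[Alert] = []
    current: Optional[Alert] = None
    for line in text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:
            current = Alert(int(m[1]), int(m[2]), int(m[3]), m[4])
            alerts.append(current)
        elif current is not None:
            if (m := PRIORITY.search(line)):
                current.priority = int(m[1])
            elif (m := PACKET_LINE.match(line)):
                current.src, current.dst = m[1], m[2]
    return alerts


def parse_rules(text: str) -> Dict[int, Tuple[int, str]]:
    """Index rules by sid -> (rev, msg), reading only the option body."""
    rules: Dict[int, Tuple[int, str]] = {}
    for line in text.splitlines():
        start, end = line.find("("), line.rfind(")")
        if line.lstrip().startswith("#") or start < 0 or end < start:
            continue  # comment, blank line, or header-only rule
        opts: Dict[str, str] = {}
        for name, value in RULE_OPTION.findall(line[start + 1:end]):
            opts.setdefault(name, value.strip().strip('"'))
        if "sid" in opts:
            rules[int(opts["sid"])] = (int(opts.get("rev", "0")), opts.get("msg", ""))
    return rules


def reconcile(alerts: List[Alert], rules: Dict[int, Tuple[int, str]]) -> List[Tuple[str, Alert]]:
    """Tag each alert: preprocessor, ok, rev_mismatch (the running sensor has a
    different revision loaded than the rules on disk) or unknown_sid."""
    tagged = []
    for a in alerts:
        if a.gid != 1:
            tagged.append(("preprocessor", a))
        elif a.sid not in rules:
            tagged.append(("unknown_sid", a))
        elif rules[a.sid][0] != a.rev:
            tagged.append(("rev_mismatch", a))
        else:
            tagged.append(("ok", a))
    return tagged


if __name__ == "__main__":
    for tag, a in reconcile(parse_alerts(SAMPLE_ALERTS), parse_rules(SAMPLE_RULES)):
        print(f"[{a.gid}:{a.sid}:{a.rev}] {tag:13} {a.source:21} "
              f"prio={a.priority} {a.src} -> {a.dst}  {a.msg}")
```

Run it as a script and it prints one line per alert. The decoder event (GID 116) is tagged as a preprocessor event, since no rule file will ever contain it; the two rule-based tags you want to act on are rev_mismatch and unknown_sid, because both mean the sensor is not running the rules you think it is, and the analysis that follows should start with a restart of Snort against /etc/snort/rules.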

Summary:

This is Part 1 of packet-level intrusion analysis. I will take the setup further in the second part.
