Judging by our title, a NIDS must be some kind of sniffer. NIDS stands for Network Intrusion Detection System. So a NIDS must be a sniffer which detects hostile attempts to scan or intrude into your network. For the folks who don't know what a sniffer is: a sniffer is a program which listens to the network traffic. It's somewhat like tapping a telephone line, but instead of listening to a phone call a sniffer looks at each packet travelling on your network. To be useful, most sniffers allow you to record network packets containing specific patterns like Password or Login. A NIDS is just the same, but instead of recording packets with one or two given patterns, it uses a whole database - commonly called the attack pattern database - to record packets and generate alerts. The statements in the attack pattern database are called rules and contain, besides the patterns, some actions to be performed when a pattern is recognized.
There are some free NIDS around: very well known is Shadow1, and the other one is Snort. It's the second one I want to promote here. The author of Snort - Marty Roesch - calls it a lightweight NIDS, and it really is lightweight, which means for me:
All this means you can have it running on each machine in your network without slowing your machines down too much. This gives you additional security even if you are behind a company firewall. You could even catch a malicious insider that way.
The official release of Snort is 1.5. You can find it in the FreeBSD ports. Just download the port and run the standard commands:
make install
to install it. The attack pattern database consists of some files ending in -lib, which should be copied to /usr/local/share/snort/.
In the attack pattern database files there is a variable HOME_NET which has to be set to the IP address of your network, for example:
There are also some include-statements which should be changed in the following way:
include $CFG_PATH/web-lib
include $CFG_PATH/overflow-lib
include $CFG_PATH/misc-lib
include $CFG_PATH/scan-lib
include $CFG_PATH/backdoor-lib
There are some internet sites where you can get new rules, which are updated on a regular basis; one is WhiteHats. Their attack pattern database file is called vision.conf. The other one is RapidNet. I don't know which site has the better rules file, but the authors of these rules are both very engaged, are in contact and are exchanging information, so I suppose it's more a matter of personal taste than of real technical differences.
Snort writes into a logging directory, so you should create one, for example:
To start Snort while booting my FreeBSD machine I inserted the following lines into /etc/rc.local:
SNORT=/usr/local/bin/snort
CONFIG=/usr/local/share/snort/snort-lib
LOG=/var/log/snort
$SNORT -D -d -c $CONFIG -l $LOG &
Since Snort is basically a sniffer it can do special jobs for you besides being a network intrusion detection system. For example, if you are interested in who is using telnet instead of ssh you could use a rule like:
or if you would like to investigate the DNS traffic on your machine:
alert udp any any -> $DNS_server 53 (msg:"DNS traffic via udp";)
or if you want to know whether your users are violating your company's policy on internet usage by reading sex sites2:
alert tcp any 80 -> !$HOME_NET any (msg:"POLICY - xxx request"; content:"xxx";)
alert tcp any any -> !$HOME_NET 80 (msg:"POLICY - SEX Surfer"; flags:PA; content:"Host|3A|"; content:"SEX";)
alert tcp any any -> !$HOME_NET 80 (msg:"POLICY - PLAYBOY Surfer"; flags:PA; content:"Host|3A|"; content:"playboy.com";)
alert tcp $HOME_NET any -> !$HOME_NET 5190 (msg:"AOL - Chat Active on Network"; flags:A;)
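To show what the rule headers and options above actually do, here is a small evaluator, added as an example and not code from this article or from Snort itself. It handles only the subset of the Snort 1.x rule language the rules above use: action, protocol, source and destination address/port with $VAR substitution, any and ! negation, the -> direction, and the msg, flags and content options (content may contain |hex| runs). The values of HOME_NET and DNS_server, the exact-match reading of flags:PA, and all of the packets are assumptions constructed for the example.

```python
"""Evaluate Snort 1.x-style rules against constructed sample packets.

Added example (not code from the article or from Snort).  It implements the
subset of the rule language used in the article: header fields with $VAR
substitution, 'any' and '!' negation, and the msg/flags/content options.
"""
import ipaddress
import re

# Assumed values for the variables the article's rules reference.
VARIABLES = {"HOME_NET": "192.168.1.0/24", "DNS_server": "192.168.1.53"}

# The article's own rules (with the DNS rule's quoting corrected).
RULE_TEXT = """
alert udp any any -> $DNS_server 53 (msg:"DNS traffic via udp";)
alert tcp any 80 -> !$HOME_NET any (msg:"POLICY - xxx request"; content:"xxx";)
alert tcp any any -> !$HOME_NET 80 (msg:"POLICY - SEX Surfer"; flags:PA; content:"Host|3A|"; content:"SEX";)
alert tcp any any -> !$HOME_NET 80 (msg:"POLICY - PLAYBOY Surfer"; flags:PA; content:"Host|3A|"; content:"playboy.com";)
alert tcp $HOME_NET any -> !$HOME_NET 5190 (msg:"AOL - Chat Active on Network"; flags:A;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]+)\s*;')


def expand(token):
    """Strip a leading '!' (negation) and substitute $VAR from VARIABLES."""
    negate = token.startswith("!")
    token = token.lstrip("!")
    if token.startswith("$"):
        token = VARIABLES[token[1:]]
    return negate, token


def parse_content(text):
    """Convert Snort content text, with optional |hex| runs, to bytes."""
    parts = text.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                    for i, p in enumerate(parts))


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparsable rule: " + line)
    rule = {"action": m["action"], "proto": m["proto"].lower(),
            "src": expand(m["src"]), "sport": expand(m["sport"]),
            "dst": expand(m["dst"]), "dport": expand(m["dport"]),
            "msg": "", "flags": None, "contents": []}
    for key, value in OPTION_RE.findall(m["opts"]):
        value = value.strip().strip('"')
        if key == "msg":
            rule["msg"] = value
        elif key == "flags":
            rule["flags"] = set(value)          # "PA" -> {"P", "A"}
        elif key == "content":
            rule["contents"].append(parse_content(value))
    return rule


def addr_matches(spec, ip):
    negate, value = spec
    hit = value == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)
    return hit != negate


def port_matches(spec, port):
    negate, value = spec
    hit = value == "any" or int(value) == port
    return hit != negate


def rule_matches(rule, pkt):
    """True when the packet satisfies the rule header and every option."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    # Assumption: flags:PA means exactly PSH+ACK set (the '+'/'*' modifiers of
    # later Snort versions are not handled here).
    if rule["flags"] is not None and set(pkt.get("flags", "")) != rule["flags"]:
        return False
    # Every content string must occur in the payload; without 'nocase' the
    # comparison is case-sensitive, so "sex" does not fire the "SEX" rule.
    payload = pkt.get("payload", b"")
    return all(c in payload for c in rule["contents"])


def run(rules, packets):
    """Return the msg of every rule that fires, in packet then rule order."""
    return [r["msg"] for p in packets for r in rules if rule_matches(r, p)]


RULES = [parse_rule(line) for line in RULE_TEXT.splitlines() if line.strip()]

# Constructed sample traffic: an inside host browsing out, a DNS query,
# an AOL Instant Messenger session and an SSH session that matches nothing.
PACKETS = [
    {"proto": "tcp", "src": "192.168.1.10", "sport": 40123, "dst": "203.0.113.5", "dport": 80,
     "flags": "PA", "payload": b"GET / HTTP/1.0\r\nHost: www.SEX.example\r\n\r\n"},
    {"proto": "udp", "src": "192.168.1.10", "sport": 5353, "dst": "192.168.1.53", "dport": 53,
     "payload": b"\x12\x34\x01\x00"},
    {"proto": "tcp", "src": "192.168.1.10", "sport": 1234, "dst": "198.51.100.7", "dport": 5190,
     "flags": "A", "payload": b""},
    {"proto": "tcp", "src": "192.168.1.10", "sport": 1235, "dst": "203.0.113.5", "dport": 22,
     "flags": "PA", "payload": b"SSH-1.99-OpenSSH\r\n"},
]


def demo():
    return run(RULES, PACKETS)


if __name__ == "__main__":
    for msg in demo():
        print("ALERT:", msg)
```

Two points worth noticing when you write your own rules: a content pattern is matched case-sensitively unless you add the nocase option, so the "SEX" rule above fires for Host: www.SEX.example but not for www.sex.example, and a rule whose options contain no content (like the AOL rule) fires on every packet whose header matches, which can be noisy.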
There are a lot of possibilities, but you should not intrude on your users' privacy without a specific reason and without specific permission or an order to do so. Otherwise you might find yourself deep in trouble.
Snort is really easy to use and does a very good job of securing your network. If you want additional information have a look at:
and the author's homepage:
1Look at www.sans.org if you are interested in Shadow.
2Be careful, you must have the permission to do that!