hardware and network configuration to setting up rules, this guide discusses the easy steps VARs should take to deploy Snort on a customer network running Red Hat Enterprise Linux 5.
Intrusion detection and intrusion prevention systems (IDS and IPS, respectively) provide the ability to inspect and analyze network traffic and either generate alerts or drop traffic in the event that an attack or a malicious event is detected. They are two of a number of controls, such as firewalls, designed to protect your network from a variety of attacks. Both IDS and IPS are commonly deployed in organization's perimeters to protect externally-facing assets, like Internet-facing Web services. They can also be deployed internally to ward off attacks or virus outbreaks. For example, an IPS sensor that can be configured to stop the spread of a virus or worm may be located in-line on an internal network choke point.
We're going to demonstrate how to quickly install and run the open source IDS sensor Snort on Red Hat Enterprise Linux 5 (RHEL 5). The instructions below will also generally work for RHEL 4, CentOS 4 and 5, as well as Fedora Core 5 and 6.
For many environments, especially in the small-medium business market but also in many larger corporate and government clients, Snort remains the ubiquitous IDS tool. It is fast and easy to set up and runs on most commercially available hardware, including platforms from IBM, HP, Sun and commodity PC hardware. It is a signature-based, (which Snort calls "rules") IDS engine that is easy to deploy and easy to tune. Rules are open and can be readily edited, and writing and adding your own rules requires only a little learning. Snort is also capable of outputting data in a variety of formats: binary (called "Unified"), syslog, to a file and to a SQL database (one of Oracle, PostgreSQL, MySQL or Microsoft SQL Server). Many users commonly output data to a SQL database.
Intrusion detection with Snort on Red Hat Enterprise Linux 5
Introduction to network intrusion detection and prevention using Snort
Snort hardware and network setup requirements
Snort's installation prerequisites
Compiling Snort and configuration with MySQL
Configuring Snort and setting up rules
Editing the snort.conf file
About the author
James Turnbull works for the National Australia Bank as a Security Architect. He is also the author of Hardening Linux, which focuses on hardening Linux hosts including the base operating system, file systems, firewalling, connections, logging, testing your security and securing a number of common applications including e-mail, FTP and DNS. He is an experienced infrastructure architect with a background in Linux/Unix, AS/400, Windows, and storage systems. He has been involved in security consulting, infrastructure security design, SLA and service definition and has an abiding interest in security metrics and measurement.
This was first published in July 2007