Wednesday, August 06, 2008

Build your own IDS or IPS - Part 1 -Installing and Configuring ACID

This is taken from my old documentation. After working through the three parts of this how-to you should have your own IDS/IPS running and logging to a MySQL database.

Part 1 - Installing and Configuring ACID
Part 2 - Installing and Configuring Snort with MySQL
Part 3 - Installing and Configuring MySQL for ACID and Snort

ACID (Analysis Console for Intrusion Databases) is a PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls and network monitoring tools.

Snort is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.


Now let's begin!

----------------------------------------------------------
PHPlot installation (may be required by ACID)
----------------------------------------------------------

root@router2:/var/www/htdocs# tar -xjvf phplot-5.0rc1.tar.bz2

----------------------------------------------------------
JpGraph installation (required by ACID)
http://www.aditus.nu/jpgraph/jpdownload.php
----------------------------------------------------------

root@router2:/var/www/htdocs# tar -xzvf jpgraph-1.16.tar.gz

(The JpGraph archive is gzip-compressed, so it needs -z, not -j as for the PHPlot .tar.bz2 above.)

----------------------------------------------------------
ADODB installation (required by ACID)
----------------------------------------------------------

root@router2:/var/www/htdocs# tar -xzvf adodb453.tgz

----------------
Configuring ADODB

ADODB is a required part for ACID. It delivers database connection support for PHP based programs like ACID.

Install ADODB in a directory available to your web server, in our case /var/www/htdocs/adodb/.

In ADODB version 1.31 there is a bug in adodb.inc.php which may still exist in newer versions (the 4.53 tarball unpacked above is the one used here). Around line 40 of adodb.inc.php you have to change the ADODB_DIR path to reflect your local installation: delete the dirname() call completely and put in the absolute path of the directory ADODB was unpacked into, so that the section looks like this:

===================================================================
if (!defined('_ADODB_LAYER')) {
define('_ADODB_LAYER',1);

define('ADODB_FETCH_DEFAULT',0);
define('ADODB_FETCH_NUM',1);
define('ADODB_FETCH_ASSOC',2);
define('ADODB_FETCH_BOTH',3);

GLOBAL
$ADODB_vers, // database version
$ADODB_Database, // last database driver used
$ADODB_COUNTRECS, // count number of records returned - slows down query
$ADODB_CACHE_DIR, // directory to cache recordsets
$ADODB_FETCH_MODE; // DEFAULT, NUM, ASSOC or BOTH. Default follows native driver default...

$ADODB_FETCH_MODE = ADODB_FETCH_DEFAULT;
/**
* SET THE VALUE BELOW TO THE DIRECTORY WHERE THIS FILE RESIDES
* ADODB_RootPath has been renamed ADODB_DIR
*/
----- edit -----> if (!defined('ADODB_DIR')) define('ADODB_DIR','/var/www/htdocs/adodb'); <------ edit ---------
===================================================================

The path must be the directory that actually contains adodb.inc.php (here /var/www/htdocs/adodb, matching the prompt above); a path that does not exist is the usual reason ACID later fails to load its database layer. That's all that has to be done with ADODB.

--- ACID Installation with MySQL Support --------------

root@router2:/var/www/htdocs# tar -xzvf acid-0.9.6b23.tar.gz


---- Configuring ACID

As stated before ACID needs a couple of additional programs installed to work correctly. While a database system like MySQL version 3.23+, a webserver with PHP 4.0.2+ support like apache with the PHP module mod_php and ADODB version 0.93+ are required, the graphics library gd version 1.8+ and PHPlot version 4.4.6+ are optional but recommended. Since Apache, the PHP module and gd are almost always included and installed with any Linux distribution they are not covered in this document.

For Snort 1.8+ you'll need at least ACID 0.9.6b13. Have a look at ACID's homepage for a newer version before you install. Install ACID into a directory visible to your web server, in our case /var/www/htdocs/acid/. In /var/www/htdocs/acid/acid_conf.php you'll have to edit some variables to suit your environment.

First of all define the database type in the variable DBtype. Next define all alert_* and archive_* variables (database name, host, port, user and password for the alert database Snort logs to and for the archive database ACID moves old alerts into). In ChartLib_path you define the path to JpGraph, in our case /var/www/htdocs/jpgraph-1.16/src. The last variable you have to define is portscan_file, where you put in the complete path and filename of Snort's portscan logfile. All other variables should be sufficient for now; you can edit them to suit your needs. Here's the config I use:

When first calling ACID via your browser you'll get a hint that you have to install ACID support in the chosen database. Click on Setup and ACID should create the required tables in the database. If everything is set up correctly you'll see all the information currently in the database, normally nothing at this time ;) Try to trigger some Snort rules with snot (a packet generator that builds packets from Snort rules) or e.g. nmap (see http://www.nmap.org/, a port scanner with many more capabilities) or nessus (see http://www.nessus.org/, a security scanner that finds vulnerabilities of a system).
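The author's own acid_conf.php is not reproduced above, so here is the ADODB step and the ACID configuration step written as one re-runnable script, with an access restriction added at the end. This is an added example for this page, not code from the original post or from ACID itself. The /var/www/htdocs layout, the MySQL account named acid, the htpasswd location and the 10.0.0.0/8 allow-list are assumptions to be replaced; the variable names are the ones acid_conf.php ships with. The lock-down matters because ACID has no login of its own: anyone who can reach the URL can read every alert and delete rows from the database.

```shell
#!/bin/sh
# Added example for this page, not code from the original post or from ACID.
# Performs the ADODB and ACID configuration steps described above and adds
# an access restriction. WEBROOT, the MySQL user "acid", the htpasswd
# location and the allowed network are assumptions: edit them for your host.
WEBROOT="${WEBROOT:-/var/www/htdocs}"

# Step 1: replace dirname(__FILE__) in the ADODB_DIR define of adodb.inc.php
# with a literal directory, as the text requires.  $1 = file, $2 = directory
set_adodb_dir() {
    sed "s#define('ADODB_DIR',.*);#define('ADODB_DIR','$2');#" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Step 2 helpers: rewrite one `$name = "...";` assignment in acid_conf.php
# (so every other setting keeps its default) and read one back.
# Values must not contain the characters # & or \ (they are sed-special).
set_conf_var() {   # $1 = acid_conf.php, $2 = name without the $, $3 = value
    sed "s#^\\\$$2[[:space:]]*=.*#\$$2 = \"$3\";#" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}
get_conf_var() {   # $1 = acid_conf.php, $2 = name without the $
    sed -n "s#^\\\$$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*#\1#p" "$1"
}

# Check that the two library paths ACID loads at start-up really resolve
# before opening the console in a browser. Returns 0 when both do.
acid_paths_ok() {
    adodb=$(get_conf_var "$1" DBlib_path)
    charts=$(get_conf_var "$1" ChartLib_path)
    [ -f "$adodb/adodb.inc.php" ] && [ -d "$charts" ]
}

# Step 3: ACID has no login of its own, so require a web server login and
# restrict the source network. Needs "AllowOverride AuthConfig Limit" for
# the ACID directory in httpd.conf; keep the htpasswd file outside the web
# root and serve the console over HTTPS, because Basic auth sends the
# password in clear.  $1 = acid dir, $2 = htpasswd file, $3 = allowed CIDR
write_htaccess() {
    cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "ACID console"
AuthUserFile $2
Require valid-user
Order deny,allow
Deny from all
Allow from $3
EOF
}

main() {
    conf="$WEBROOT/acid/acid_conf.php"
    set_adodb_dir "$WEBROOT/adodb/adodb.inc.php" "$WEBROOT/adodb"
    set_conf_var "$conf" DBlib_path "$WEBROOT/adodb"
    set_conf_var "$conf" DBtype mysql
    # One dedicated MySQL account for ACID (created in Part 3), never root.
    for db in alert archive; do
        set_conf_var "$conf" "${db}_host" localhost
        set_conf_var "$conf" "${db}_port" ""
        set_conf_var "$conf" "${db}_user" acid
        set_conf_var "$conf" "${db}_password" CHANGE_ME
    done
    set_conf_var "$conf" alert_dbname snort
    set_conf_var "$conf" archive_dbname snort_archive
    set_conf_var "$conf" ChartLib_path "$WEBROOT/jpgraph-1.16/src"
    set_conf_var "$conf" portscan_file /var/log/snort/portscan.log
    write_htaccess "$WEBROOT/acid" /etc/httpd/acid.htpasswd 10.0.0.0/8
    if acid_paths_ok "$conf"; then
        echo "acid_conf.php: library paths resolve"
    else
        echo "acid_conf.php: DBlib_path or ChartLib_path does not exist" >&2
        return 1
    fi
}

# Only act when invoked as:  sh acid_setup.sh run
case "${1:-}" in run) main ;; esac
```

Run it as `sh acid_setup.sh run` after the three tarballs are unpacked; it edits the files in place, so keep a copy of adodb.inc.php and acid_conf.php first. Create the password file with `htpasswd -c /etc/httpd/acid.htpasswd <user>` and make sure the directory's AllowOverride permits AuthConfig and Limit, otherwise Apache silently ignores the .htaccess and the console stays open.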


Now on to
Part 2 - Installing and Configuring Snort with MySQL

1 comment:

oakleeman said...

These instructions appear to be pretty old but for the most part they still apply.

If you want an easier solution you might give EasyIDS a try: http://www.skynet-solutions.net/easyids
