Wednesday, January 11, 2012

NIDS with psad and fwsnort

Introduction

psad and fwsnort are a pair of lightweight tools which, used together, make an effective NIDS (network intrusion detection system).

    psad home page
    fwsnort home page

psad is a set of lightweight daemons that monitor network traffic (via the iptables logs) for port scans and other suspicious activity. psad can also actively respond to potential threats and can be configured to automagically blacklist naughty IP addresses.

fwsnort, as the name implies, converts Snort rules into iptables rules. fwsnort first evaluates your current firewall policy and only adds rules for traffic the firewall already accepts. By default, fwsnort logs the matching (suspicious) traffic, and psad, as above, monitors those logs.
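As an added illustration of the division of labour just described (this is not code from the psad or fwsnort projects), the following Python script reads constructed iptables LOG lines the way psad would: it flags a source that probes many distinct destination ports and picks out lines that fwsnort-generated rules logged. The "SID<n>" log-prefix format, the sample addresses and the scan threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed iptables LOG lines of the kind psad parses: a port sweep from
# 198.51.100.7, one fwsnort signature hit (the "SID<n>" log prefix is an
# assumption about fwsnort's output), and one ordinary SSH connection.
SAMPLE_LOG = """\
Jan 11 10:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Jan 11 10:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 11 10:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Jan 11 10:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Jan 11 10:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
Jan 11 10:00:03 fw kernel: SID1234 ESTAB IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 ACK PSH
Jan 11 10:00:04 fw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=22 SYN
"""

FIELD_RE = re.compile(r"(SRC|DST|PROTO|DPT)=(\S+)")
SID_RE = re.compile(r"\bSID(\d+)\b")

def parse_line(line):
    """Return the iptables fields we care about plus any fwsnort SID, or None."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields:
        return None  # not an iptables LOG line
    m = SID_RE.search(line)
    fields["SID"] = int(m.group(1)) if m else None
    return fields

def analyze(log_text, scan_threshold=5):
    """Mimic psad's two jobs over raw log text: report sources that hit at
    least scan_threshold distinct destination ports (a port scan) and collect
    fwsnort signature hits. The threshold is assumed, not psad's default."""
    ports_by_src = defaultdict(set)
    sig_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["SID"] is not None:
            sig_hits.append((rec["SRC"], rec["SID"], rec.get("DPT")))
        elif rec.get("DPT"):
            ports_by_src[rec["SRC"]].add(int(rec["DPT"]))
    scanners = {src: sorted(p) for src, p in ports_by_src.items()
                if len(p) >= scan_threshold}
    return scanners, sig_hits

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```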

Both tools, psad and fwsnort, assume you understand iptables or at least can configure iptables. If you need a quick review of iptables see my iptables page or other online reference.

Note: Most of these commands are run as root.

Install psad

psad is in the Debian, Fedora, and Ubuntu repositories, and you may install psad with apt-get / yum.

The disadvantage of installing from the repositories is that Debian/Ubuntu pull in a number of extra dependencies (bastille), and, in the case of Fedora 13, the psad package has a few bugs.

IMO it is almost as easy to simply install from "source". This is easy to do and is essentially running a perl script and answering a few questions.

Install the perl dependencies

Although the dependencies are the same, the package names vary between deb and rpm systems. gcc is required to compile psad, and wget is used by both psad and fwsnort to update their respective rule sets.

Debian / Ubuntu

Using any method, install the following packages:

sudo apt-get -y install libcarp-clan-perl libdate-calc-perl \
libiptables-chainmgr-perl libiptables-parse-perl libnetwork-ipv4addr-perl \
libunix-syslog-perl libbit-vector-perl gcc wget

Read more: Bodhizazen.net

Posted via email from Jasper-Net