Thursday, September 3, 2009

NIDS and NIPS

Network Intrusion Detection System (NIDS) and Network Intrusion Prevention System (NIPS) are systems mainly used to report and raise an alarm when an attack is discovered in the network's activity. For each observed activity, a NIDS/NIPS produces one of four outcomes; which one it produces at run time depends on the quality of the NIDS/NIPS product. They are:

  1. True Positive: occurs when there is a real attack and it is reported properly. This is the IDS/IPS's AIM ;-)
  2. True Negative: occurs when legitimate network activity is not reported or alarmed on. This is normal.
  3. False Positive: occurs when legitimate network activity is reported and alarmed on. This is A CUMBERSOME one: it needs more investigation to make sure whether it is an attack or not. Unfortunately, most or all NIDS/NIPS suffer from this drawback.
  4. False Negative: occurs when it fails to detect malicious network activity. This is A DISASTER!!!!

Now we need to see how to configure and adapt NIDS/NIPS systems to avoid or eliminate attacks. As an example of responding to a SYN Flood and a UDP Flood, the Snort product will be used here. Before applying that, let us see how SYN and UDP Floods can be prevented:

  • SYN Flood:
As we know, the TCP protocol has 6 flags that control TCP connections. Their functions are explained here. Each TCP connection needs a handshake consisting of three steps that must be completed to establish the connection, as follows:

(1) Host A ------ SYN -----> Host B
(2) Host A <--- SYN,ACK ---- Host B
(3) Host A ----- ACK ----> Host B
Host A <- Conn. Estab -> Host B

What does a hacker do? He sends a lot of SYN packets (step one) and receives the SYN,ACK packets (step two), but he will not send back the ACK (step three). The server, the victim, is left waiting to complete all of these half-open connections, which causes DOS/DDOS. DOS/DDOS against the TCP handshake can be prevented by one of two solutions:

  1. Terminate just the current connection, which still allows the next connection from the same source. This is done by answering the SYN (first step) with the RST flag to reset the connection. To implement that, add rst_snd, rst_rcv, or rst_all (values of Snort's resp rule option), depending on your case, to Snort's rules.
  2. Block the attacker permanently. This can be applied by installing Snort configured with the inline feature.
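To make the two ideas above concrete (the four outcomes and the half-open connections a SYN flood leaves behind), here is an added Python example that is not from the original post and not Snort's code: it replays constructed handshake traffic, counts half-open connections per client the way a simple SYN flood detector would, and then scores the alerts as TP/FP/FN/TN. All addresses, ports and thresholds are made up for the illustration.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits used below

def count_half_open(packets):
    """Replay (src, sport, dst, flags) packets through the three-way
    handshake and return, per client, how many connections got a SYN
    (step 1) but never the client's final ACK (step 3)."""
    pending = defaultdict(set)  # client -> connections still waiting for step 3
    for src, sport, dst, flags in packets:
        key = (sport, dst)
        if flags == SYN:               # step (1): client opens, server now waits
            pending[src].add(key)
        elif flags == ACK:             # step (3): handshake completes
            pending[src].discard(key)
        # step (2), the SYN|ACK from the server, changes nothing for the client
    return {c: len(s) for c, s in pending.items()}

def detect_syn_flood(packets, threshold):
    """Alert on every client holding >= threshold half-open connections."""
    return {c for c, n in count_half_open(packets).items() if n >= threshold}

def confusion(alerted, attackers, clients):
    """Score the alerts with the four outcomes from the start of the post."""
    return {"tp": len(alerted & attackers),
            "fp": len(alerted - attackers),
            "fn": len(attackers - alerted),
            "tn": len(clients - alerted - attackers)}

def handshake(client, sport, server):
    """Steps (1), (2), (3) of one TCP handshake from client port sport."""
    return [(client, sport, server, SYN),
            (server, 80, client, SYN | ACK),
            (client, sport, server, ACK)]

# Constructed traffic (not a real capture): one normal client, one slow
# client that leaves two handshakes unfinished, and one flooding source.
SERVER = "10.0.0.1"
SAMPLE = []
for p in range(40000, 40010):
    SAMPLE += handshake("10.0.0.5", p, SERVER)          # 10 complete handshakes
for p in (50000, 50001):
    SAMPLE += handshake("10.0.0.7", p, SERVER)[:2]      # SYN, SYN|ACK, no ACK
for p in range(1025, 1065):
    SAMPLE += handshake("10.0.0.66", p, SERVER)[:2]     # 40 SYNs, never ACKed
CLIENTS = {"10.0.0.5", "10.0.0.7", "10.0.0.66"}
ATTACKERS = {"10.0.0.66"}

if __name__ == "__main__":
    for threshold in (20, 2):   # a sensible threshold and a too-tight one
        alerts = detect_syn_flood(SAMPLE, threshold)
        print(threshold, sorted(alerts), confusion(alerts, ATTACKERS, CLIENTS))
```

With threshold 20 only the flooding source is alerted (one true positive, two true negatives); with threshold 2 the slow client is alerted as well, which is exactly the false positive the post warns needs extra investigation.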

Whereas a UDP Flood is sending a lot of packets against a protocol's port, which causes DOS/DDOS. Such a flood can be prevented by sending, depending on the case, one of the following packets:

icmp_net, icmp_host, icmp_port, and icmp_all

These packets report to the hacker that the destination is not available, which stops or terminates the connections causing DOS/DDOS.

The following part explains the installation and configuration steps of Snort in order to provide DOS/DDOS prevention:

First, become root:
sudo -i
enter a password

Then, install the packages:

apt-get install build-essential libpcap0.8-dev libmysqlclient15-dev mysql-client-5.0 mysql-server-5.0 bison flex apache2 libapache2-mod-php5 php5-gd php5-mysql libphp-adodb php-pear libc6-dev g++ gcc pcregrep libpcre3-dev

Next, change to Snort's source directory to set it up:

cd /home/mohd/Desktop/snort-2.8.4.1

then type:

./configure --enable-dynamicplugin --with-mysql

If there is no error, type make (wait until this operation ends), then type make install. At this point the installation is finished; now we need to adapt and configure Snort. Type the following commands in a terminal (you are root):

adduser snort
enter password

then change its shell with chsh:
chsh snort
and set the shell to /bin/true.

next, lock the account:
passwd snort -l

Now, make Snort's folders and configuration files; type in the terminal:

mkdir -p /etc/snort/rules /var/log/snort
then type each one individually:
chown -R root.snort /var/log/snort
chmod -R 770 /var/log/snort
cp etc/* /etc/snort/
cp rules/* /etc/snort/rules

Edit the snort.conf file to make some adaptations:

gedit /etc/snort/snort.conf &

search for the RULE_PATH line and replace it with:
var RULE_PATH /etc/snort/rules

At this point, Snort's installation is finished; now we need to check it. Type in the terminal (the output should appear like the picture):

snort -v

If everything is OK, we now need to configure the database and the ACID web site (BASE) to simplify reading the attacks. The following part describes that:

change to the /var/www directory:

cd /var/www

download the base package:
wget http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.3.9.tar.gz

tar xvfz base-1.3.9.tar.gz

then allow the Apache web server to read its files:

chown -R www-data.www-data base

Install a few Pear modules:
pear install Image_Color Image_Canvas-alpha Image_Graph-alpha

next, open the Firefox browser to install (set up) BASE's web application:

In Firefox type http://localhost/base; it will present 5 screens. Press Continue to start.

First screen: Enter the path to ADODB that is /usr/share/php/adodb

Second screen: enter the database information as it appears in the picture

Third screen: enter admin username/password
Fourth screen: press Create BASE AG button.

Fifth screen: done; now press the "step 5" link (at the bottom)

At this point, BASE's web application is configured ;-)

Now we need to configure the database so that Snort logs its packets into it and the previous BASE web application can use them, as follows:

Log in to the MySQL database as root:

mysql -u root -p
enter a password

then, type:

mysql> create database snort;
mysql> grant all privileges on snort.* to 'snort'@'localhost' identified by 'password';
mysql> exit

then, import the database schema:

mysql -D snort -u snort -p < /home/mohd/Desktop/snort-2.8.4.1/schemas/create_mysql
enter snort's password (that is, password).

Edit snort.conf again to configure the database as it appears in the picture:

gedit /etc/snort/snort.conf &

Up to here we have finished all of the configuration. Time now for testing:

To run Snort as a detection system, open a new terminal and type:

snort -v -c /etc/snort/snort.conf -l /var/log/snort/ -i eth0

after that, open the Firefox browser and go to http://localhost/base

and monitor attacks against you ;-)

This post explained Snort as an IDS. The next one -inShaAllah- will explain Snort's configuration to be an IPS.

the end.

2 comments:

  1. thx for the information
    keep the good work

  2. hello... hapi blogging... have a nice day! just visiting here....
