INSTALL IPS(SNORT) WITH EasyIDS and Guardian

I/Intro

An Intrusion prevention system (IPS) is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. Network-based IPS, for example, will operate in-line to monitor all network traffic for malicious code or attacks . When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. Intrusion prevention technology is considered by some to be an extension of intrusion detection (IDS) technology

II/INSTALL

Step 1:Install IDS as http://conheotiensinh.blogspot.com/2009/12/install-ids-in-centos-with-5-minutes.html

Step 2:IPS – Guardian

Guardian is a security program which works in conjunction with Snort to automaticly update firewall rules based on alerts generated by Snort.
The updated firewall rules block all incoming data from the IP address of the attacking machine (the machine which caused Snort to generate an alert.
There is also logic in place which pervents blocking important machines, such as DNS servers, gateways, and whatever else you want.

Step 3:

Go to http://www.chaotic.org/guardian/ to download Guardian. The current version as at this writing is version 1.7.
#wget http://www.chaotic.org/guardian/guardian-1.7.tar.gz
#tar -xzvf guardian-1.7.tar.gz
#cd guardian-1.7
#cp guardian.pl /usr/local/bin/
#cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
#cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
#cp guardian.conf /etc/snort/
#touch /etc/snort/guardian.ignore
#touch /etc/snort/guardian.target
#touch /var/log/snort/guardian.log

Step 4:

edit /etc/snort/guardian.conf change some variables

HostIpAddr xxx.xxx.xxx.xxx (IP snort monitor)
Interface ETH01 (interface snort monitor)
HostGatewayByte 75
Logfile /var/log/snort/guardian.log
AlertFile /var/log/messages
IgnoreFile /etc/snort/guardian.ignore
TargetFile /etc/snort/guardian.target
TimeLimit 86400

Step 5:
Edit /usr/local/bin/guardian_block.sh change some variables(this shell will block ip attacker and alert mail to test@conheotiensinh.co.cc )


source=$1
interface=$2

/sbin/iptables -I INPUT -s $source -i $interface -j DROP
/sbin/iptables -I FORWARD -s $source -i $interface -j DROP
echo "$source is blocked!" | mail -s "Snort alert is blocked" test@conheotiensinh.co.cc

Step 6:

Edit /usr/local/bin/guardian_unblock.sh change some variables(this shell will delete ip attaker from block ip and alert mail to test@conheotiensinh.co.cc)


source=$1
interface=$2

/sbin/iptables -D INPUT -s $source -i $interface -j DROP
/sbin/iptables -D FORWARD -s $source -i $interface -j DROP

echo "$source is blocked for 24 hours! It is released!" | mail -s "Snort alert is released" test@conheotiensinh.co.cc

Step 7:

Edit /etc/snort/guardian.target

add ip (snort monitor)

Step 8:
Edit /etc/snort/guardian.ignore

add ip 127.0.0.1

Step 9:

Edit /etc/snort/snort.conf
uncomment “output alert_syslog: LOG_AUTH LOG_ALERT”

service snort restart

Step 10:create file shell guardian.sh

#————— CUT HERE —————–#

#!/bin/bash

start()
{
export PATH=$PATH:/usr/local/bin
/usr/local/bin/guardian.pl -c /etc/snort/guardian.conf
}

stop()
{
ps aux | grep 'guardian.pl *-c' 2>&1 > /dev/null
if [ $? -eq 0 ];
then
kill `ps aux | grep 'guardian.pl *-c' | awk '{print $2}'`
else
echo "Guardian is not running ....."
fi
}

status()
{
ps aux | grep 'guardian.pl *-c' 2>&1 > /dev/null
if [ $? -eq 0 ];
then
echo "Guardian is Running ....."
else
echo "Guardian is not Running ...."
fi
}

case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
status)
status;;
*)
echo $"Usage: $0 {start|stop|restart|status}"
esac

Step 11:

chmod +x guardian.sh
cp guardian.sh /usr/local/bin/guardian.sh


/usr/local/bin/guardian.sh start

Step 12:test

use nmap test


#nmap -v -sS xxx.xxx.xxx.xxx

Beside you can use Easy IDS as IPS with other Firewall:FreeBSD using IPFW,Checkpoint, PIX....use SSH copy rule to firewall

Please prefer:http://www.chaotic.org/guardian/