
Easy IDS

Table of Contents

  1. Fixes
  2. Changelog
  3. Complete Setup Guide
  4. Quick Install Guide
  5. FAQ

Fixes

Hardware Compatibility List


Following the steps below will install the necessary scripts to provide us with feedback about the type of hardware currently installed in your EasyIDS system along with anonymous usage statistics. To install the feedback scripts please perform the following:

wget http://www.skynet-solutions.net/easyids/feedback.tar.gz
tar -xzvf feedback.tar.gz
cd feedback
sh install-hwfeedback.sh
Type INSTALL and press [ENTER]
            

Partial solution to missing ntop graphs


Edit /etc/httpd/conf.d/ntop.http.conf to look like:

SetOutputFilter proxy-html
ProxyHTMLURLMap / /ntop/
ProxyHTMLURLMap /ntop//ntop/ //
ProxyHTMLURLMap /ntop/plugins/ntop/ /ntop/plugins/
RequestHeader unset Accept-Encoding
            

Edit /usr/share/ntop/html/theme.js to look like:

// directory of where all the images are
var cmThemeOfficeBase = '/ntop/';
            

Alternatively, you can disable the Dag repository by editing /etc/yum.repos.d/dag.repo:

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=0


Changelog

December 7, 2009 - v0.4

  • Designed around Centos 5.4 cd1 with updates.
  • Upgraded Snort to 2.8.5.1.
  • Upgraded Snort rulesets to 2.8.
  • Upgraded BASE to customized version 1.4.4.
  • Upgraded ntop to 3.3.8.
  • Added Arpwatch 2.1a13.
  • Upgraded Nmap to 4.11.
  • Added stunnel 4.15.
  • Added network traffic graphs (Daily, Weekly, etc).
  • Added system usage graphs (Daily, Weekly, etc).
  • Modified Snort performance graphs (Daily, Weekly, etc).
  • Web selectable management/monitoring network NICs.
  • Bridging support for inline placement if 3+ NICs.
  • Multiple remote sensor support with Stunnel encryption.
  • Added auto restart of failed services with notification script.
  • Added customized branding and themes.
  • Added upgrade script for future enhancements and replaced the Snort rule updates script.
  • Added basic user with read-only privileges (user:user,password:easyids).
  • Added web-based system log viewer.
  • Added web-based nmap scanner.
  • Added e-mail alerts on ethernet/ip address changes.
  • Added specific enabling/disabling of individual ruleset rules.
  • Added snort_rules.conf file for inclusion of enabled rulesets.
  • Added emergingthreats.com ruleset option.
  • Modified ruleset update script to only download when source md5 hash changed.
  • Added BASE archive database.

May 5, 2008 - v0.3

  • Designed around Centos 4.6 cd1 with updates.
  • Upgraded Snort to 2.8.0.2.
  • Upgraded BASE to customized version 1.4.0.
  • PMGraph for Snort performance graphs added.
  • Snort threshold/suppression configuration page added.
  • Moved EasyIDS specific configuration files & scripts to /etc/easyids.
  • Added easyids mysql user for database backups & future improvements.
  • Manual/scheduled local & remote FTP backup functionality added.
  • E-mail alert configuration & notification functionality added.
  • Mouseover-style help messages added to web configuration pages.
  • Added unprotected public web folder for future enhancements.
  • Modified Snort rule updates page to replace invalid links.
  • Modified Oinkmaster script to update sid-msg.map files.
  • Modified iptables to allow ping out but not ping in.
  • Updated functions.php, english.lang.php, and main.js.
  • Bash script to perform backups added.
  • Bash script to perform restores added.
  • Disabled Dag Repository to prevent ntop upgrade.

September 24, 2007 - Update 0.2.3

  • Network settings page added.
  • Barnyard configuration page added.
  • Change password page added.
  • Modified set-hostname script.
  • Updated functions.php, english.lang.php, and main.js.

July 30, 2007 - v0.2

  • Designed around Centos 4.5 cd1 with updates.
  • Snort mysql user password randomly generated at install.
  • Upgraded Snort to 2.6.1.5.
  • Removed Snort mysql output.
  • Implemented Barnyard 0.2 with unified output.
  • HTTP request redirects to HTTPS.
  • Apache authentication enabled.
  • GPL Acceptance page added.
  • Menu-driven multi-language capable web application added.
  • Upgraded BASE to customized version 1.3.8.
  • Removed BASE authentication.
  • Moved BASE to /base subdirectory.
  • NTOP proxied through apache.
  • NTOP port 3000 rule removed from Iptables.
  • Added phpSysInfo version 2.5.3.
  • Settings page with service restart added.
  • Snort network configuration page added.
  • Snort ruleset enable/disable page added.
  • Snort rule update configuration page added.
  • System status page with reboot/shutdown added.
  • Configuration file editing page added.
  • JavaSSH Terminal page added.
  • Bash script to change hostname added.
  • Bash script to change web password added.
  • Bash script to set timezone and keyboard type added.

May 3, 2007

  • Initial release

Complete Setup Guide

EasyIDS is an all-inclusive Snort IDS solution that comes on a bootable CD. It makes the process of bringing up a network IDS easy. This document details, step by step, how to install and configure EasyIDS. It includes information on how to enable/disable rulesets, update Snort rules, and other useful applications.

1.0 - Hardware Requirements:

EasyIDS requires a dedicated computer compatible with Centos Linux that has 384MB+ of RAM, an 8GB+ hard drive, and 2 network interface cards (NICs). One NIC (eth0) should be plugged into a DHCP enabled switch and the other (eth1) should be plugged into either a mirrored port on your switch or into a dumb hub placed between your firewall and the internet. If you don't know which NIC is eth0, plug both NICs into your DHCP enabled switch. After install, the login screen shows the IP address that you will browse to from another computer. Unplug the NICs one at a time until you can't access the web interface; the NIC you just unplugged is eth0.

2.0 - Download and install EasyIDS:

Download the EasyIDS ISO file from SourceForge, burn the ISO to a cd, & boot to it.

Warning: A dedicated computer is required for EasyIDS.
Installing EasyIDS will format your computer and erase your hard drive.

Press Enter at the boot prompt, select your keyboard layout & timezone, and enter your root password twice. This is the password you will use when logging into the Linux command line. The system will eject the cd, which you'll need to take out of the drive; after two reboots your system will be ready for use.

3.0 - Setting up EasyIDS:

Log into your EasyIDS system with the username root and the password you entered during installation. When you login the system will show you what IP address it got from the DHCP server. To access the EasyIDS GUI browse to https://IPADDRESS from another computer and login with the username "admin" and the password "password".

3.1 - Network Configuration:
GUI config:

As of version 0.3 network settings can be configured via the web interface.

Click the "Settings" link in the menu.
Click the "Network Settings" link under EasyIDS configuration.
Change the default Interface Type from DHCP to STATIC.
Enter the IP information for your EasyIDS system.

Example:

IP: 192.168.200.16
Netmask: 255.255.255.0
Primary DNS: 192.168.200.254
Secondary DNS: 192.168.200.253
Gateway: 192.168.200.254
            

Click Save. Depending on the changes made, EasyIDS will either reboot or redirect you to the new IP address.

Manual config:

Set up IP address information by typing netconfig in the Linux CLI.
Select Yes when prompted about setting up networking.
Select DHCP if you want (not recommended); otherwise, enter the IP information for your EasyIDS system.

Example:

IP: 192.168.200.16
Netmask: 255.255.255.0
Gateway: 192.168.200.254
Primary nameserver: 192.168.200.254
            

Click OK and either reboot by typing reboot or restart the network by typing service network restart. You'll also need to restart Snort by typing service snort restart.

Secondary DNS nameserver - if you would like to add a secondary DNS nameserver type nano /etc/resolv.conf and add a line nameserver (ip address) underneath the primary nameserver information. To exit nano, hit CTRL+X and then Y when asked if you want to save.

3.2 - Hostname Configuration:
GUI config:

As of version 0.3 the hostname can be configured via the web interface.

Click the "Settings" link in the menu.
Click the "Network Settings" link under EasyIDS configuration.
Change the hostname as desired.
Click Save and EasyIDS will reboot.

Manual config:

Set up the hostname by typing set-hostname in the Linux CLI. Enter the new hostname when prompted and either reboot or login again to see the changes.

4.0 - General Setup & Security:

4.1 - Change default passwords:
GUI config:

As of version 0.3 most passwords can be configured via the web interface.

Click on the "Settings" link in the menu.
Click the "Passwords" link under EasyIDS configuration.
Enter the new desired admin password twice and click Save.
Login when prompted with the username admin and the password you just entered.

To change the root password, follow the above directions and enter the new desired root password twice and click Save.

Follow the manual directions below for changing the default mysql root password.

Manual config:

To update the web interface admin password type passwd-admin and enter the new password twice.

To update the root password type passwd and enter the new password twice.

You should also change the default mysql root user password by typing mysqladmin -u root -p password new_password, replacing "new_password" with your desired password. When you hit Enter you will be prompted for a password where you will enter the default mysql root user password of "passw0rd" (with a zero).

4.2 - Backups:
GUI config:

As of version 0.3 EasyIDS can perform manual local backups and scheduled local/remote FTP backups and restore one of these backups when needed. It is also possible to reset EasyIDS to factory defaults.

Click the "Settings" link in the menu.
Click the "Backups" link under EasyIDS configuration.

The following options can be specified before the creation of the backup:
Remark - Add some information to help you remember the reason for this backup.
Current configuration - Include the current configuration of EasyIDS (/etc/easyids).
Include database dumps - Include most recent dump of your Snort database.
Include log files - Include current log files.
Include log archives - Include old log files.

To create a manual local backup enter a remark (if desired), check the files to include, and click the "Create New Backup" button.

To enable scheduled backups change the "Enabled" dropdown from No to Yes.
Specify whether you want a Daily or Weekly backup schedule.
Specify whether you want Local or Remote FTP backups.
If Local is chosen, specify the number of backups to keep.
If Remote FTP is chosen, specify the remote ftp host, username, and password.
Check which files to include and click Submit.

The list of local backup sets displays the backup sets that are currently on EasyIDS. From here you can export, restore, or delete your EasyIDS backups. The backups are sorted by date with the latest backup on top.

The Creation Date column shows when the backup was created and the Content column shows a list of flags describing what the backup contains:
S - This flag means that this backup contains settings.
D - This flag means that this backup contains a database dump.
L - This flag means that this backup contains log files.
A - This flag means that this backup contains older log files.
C - This flag means that this backup was created automatically by schedule.

Clicking on the disk in the Action column will download the file to your computer, clicking on the trash can will delete the backup set, and clicking the last symbol will restore the backup set.

To import a backup you will need to use an SFTP client such as WinSCP to copy the backup to the /var/www/html/backups directory. You will need to refresh the Backup webpage before you can see the newly imported backup.

You can reset EasyIDS to factory defaults by pressing the Factory Defaults button at the bottom of the backup webpage. Upon reboot the configuration and database will be the same as it was after initial installation.

5.0 - Snort Configuration:

5.1 - Network Settings:

The Snort network settings are already configured upon install to log suspicious external traffic to and from your local network, but they can be easily adjusted to help reduce false positives. Fine-tuning the network settings and explicitly specifying the various servers will increase the performance of Snort and reduce the load on your EasyIDS server.

5.2 - Rulesets:

Spending a little time fine-tuning the rulesets can also increase the performance of Snort. You should spend a bit of time beforehand evaluating what servers and services are present on your network and only enable rulesets for those services. For example, if you do not have any ColdFusion servers on your network, then you do not need to enable the web-coldfusion ruleset.

Click the "Settings" link in the menu.
Click the "Rulesets" link under Snort configuration.
Enable/disable the specific rulesets for the services on your network.
Hit the "Save" button to return to the settings page and restart Snort.
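The Rulesets page above works on one include line per ruleset. The following is an added example, not EasyIDS code: it assumes that enabled rulesets are expressed as `include $RULE_PATH/<name>.rules` lines in a snort_rules.conf-style file and that a disabled ruleset is the same line commented out with a leading `#`. The sample configuration is constructed for the example; it applies the ColdFusion advice from the paragraph above (disable web-coldfusion) while re-enabling a ruleset for a service that is present.

```python
"""Toggle Snort ruleset includes the way the EasyIDS Rulesets page does.

Added example, not EasyIDS code. Assumes enabled rulesets appear as
``include $RULE_PATH/<name>.rules`` lines and disabled ones are the same
line commented out with '#'. SAMPLE_RULES_CONF is constructed.
"""
import re

# Constructed sample: four rulesets, one (oracle) already disabled.
SAMPLE_RULES_CONF = """\
# snort_rules.conf (constructed sample)
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/oracle.rules
include $RULE_PATH/scan.rules
"""

# Matches an include line, optionally commented out; captures the ruleset name.
_INCLUDE_RE = re.compile(
    r"^(?P<off>#\s*)?include\s+\$RULE_PATH/(?P<name>[\w.-]+)\.rules\s*$"
)


def parse_rulesets(text):
    """Return {ruleset_name: enabled} for every include line found."""
    state = {}
    for line in text.splitlines():
        m = _INCLUDE_RE.match(line.strip())
        if m:
            state[m.group("name")] = m.group("off") is None
    return state


def set_rulesets(text, enable=(), disable=()):
    """Return the config with the named rulesets commented in or out.

    Lines that are not ruleset includes pass through untouched, so comments
    and other directives survive a round trip. Rulesets not named in either
    set keep their current state.
    """
    enable, disable = set(enable), set(disable)
    out = []
    for line in text.splitlines():
        m = _INCLUDE_RE.match(line.strip())
        if m:
            name = m.group("name")
            if name in enable:
                line = f"include $RULE_PATH/{name}.rules"
            elif name in disable:
                line = f"#include $RULE_PATH/{name}.rules"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # No ColdFusion servers on this network, but an Oracle server is present.
    updated = set_rulesets(SAMPLE_RULES_CONF,
                           enable=["oracle"], disable=["web-coldfusion"])
    for name, on in sorted(parse_rulesets(updated).items()):
        print(f"{'enabled ' if on else 'disabled'} {name}")
```

After writing the updated file, Snort must be restarted for the change to take effect, which is what the "Save" button on the Rulesets page does for you.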

5.3 - Notify Settings:

As of version 0.3 EasyIDS can send e-mail notifications of intrusion attempts. E-mail notifications can be configured separately for work hours and for after-hours schedules.

Click the "Settings" link in the menu.
Click the "Notify Settings" link under Snort configuration.
Change the "Enabled" drop-down from No to Yes to enable E-mail alerts.
Enter the e-mail address that notifications should go to during work.
Enter the e-mail address that notifications should go to after work.
Check the boxes corresponding to work days.
Specify when the workday starts.
Specify when the workday ends.
Enter the Sender address.
Enter the return address.
Specify the priority level for which you want to be notified.
Enter the subject for e-mail notifications.
Enter the message that should make up the e-mail.
Turn thresholding on to receive one e-mail for multiples of the same alert.
Hit the "Save" button to return to the settings page.
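The settings listed above define a routing policy: which address gets an alert depends on the work-day and work-hour schedule, alerts below the chosen priority are ignored, and thresholding folds repeats of the same alert into one e-mail. The page does not show how EasyIDS implements this internally, so the following is an added example of that policy, not EasyIDS code. The settings dictionary, the addresses and the alert records are constructed; Snort priorities follow the usual classification convention where 1 is the most severe, and the one-hour threshold window is an assumption.

```python
"""Route Snort alerts to e-mail per an EasyIDS-style notify schedule.

Added example, not EasyIDS code. SETTINGS and SAMPLE_ALERTS are
constructed; the threshold window is an assumption.
"""
from datetime import datetime, timedelta

# Constructed settings mirroring the fields on the Notify Settings page.
SETTINGS = {
    "enabled": True,
    "work_address": "soc-desk@example.invalid",
    "after_address": "oncall-pager@example.invalid",
    "work_days": {0, 1, 2, 3, 4},         # Monday=0 .. Friday=4
    "work_start": (8, 0),                  # 08:00
    "work_end": (18, 0),                   # 18:00
    "min_priority": 2,                     # notify on priority 1 and 2 only
    "threshold": True,
    "threshold_window": timedelta(minutes=60),  # assumption
}

# Constructed sample alerts: (timestamp, sid, priority, message).
# 2009-12-07 is a Monday; 2009-12-12 is a Saturday.
SAMPLE_ALERTS = [
    (datetime(2009, 12, 7, 10, 15), 1000001, 1, "constructed: exploit attempt"),
    (datetime(2009, 12, 7, 10, 20), 1000001, 1, "constructed: exploit attempt"),
    (datetime(2009, 12, 7, 10, 30), 2000002, 3, "constructed: policy violation"),
    (datetime(2009, 12, 7, 22, 5), 1000001, 1, "constructed: exploit attempt"),
    (datetime(2009, 12, 12, 11, 0), 3000003, 2, "constructed: scan detected"),
]


def during_work(ts, settings):
    """True if ts falls on a work day inside [work_start, work_end)."""
    if ts.weekday() not in settings["work_days"]:
        return False
    h0, m0 = settings["work_start"]
    h1, m1 = settings["work_end"]
    start = ts.replace(hour=h0, minute=m0, second=0, microsecond=0)
    end = ts.replace(hour=h1, minute=m1, second=0, microsecond=0)
    return start <= ts < end


def route_alerts(alerts, settings):
    """Return the e-mails to send as dicts: recipient, sid, count, first_seen, message.

    Alerts with a priority number above min_priority are dropped. With
    thresholding on, repeats of the same sid to the same recipient inside
    the window are folded into the earlier message and its count is bumped.
    """
    if not settings["enabled"]:
        return []
    pending = []      # messages in emission order
    latest = {}       # (sid, recipient) -> index of most recent message
    for ts, sid, prio, msg in sorted(alerts):
        if prio > settings["min_priority"]:
            continue
        rcpt = settings["work_address"] if during_work(ts, settings) \
            else settings["after_address"]
        key = (sid, rcpt)
        if settings["threshold"] and key in latest:
            entry = pending[latest[key]]
            if ts - entry["first_seen"] <= settings["threshold_window"]:
                entry["count"] += 1
                continue
        pending.append({"recipient": rcpt, "sid": sid, "count": 1,
                        "first_seen": ts, "message": msg})
        latest[key] = len(pending) - 1
    return pending


if __name__ == "__main__":
    for m in route_alerts(SAMPLE_ALERTS, SETTINGS):
        print(f"{m['first_seen']:%Y-%m-%d %H:%M} -> {m['recipient']}: "
              f"sid {m['sid']} x{m['count']} ({m['message']})")
```

With the sample data, the two daytime copies of sid 1000001 become one work-hours e-mail with a count of 2, the priority-3 alert is dropped, and the late-evening and Saturday alerts go to the after-hours address. The example sends nothing; wiring the returned messages to a mailer is left to the deployment.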

5.4 - Rule Updates:

EasyIDS comes with the Sourcefire VRT Certified Unregistered User Rules released under the old Snort VRT Rules License Agreement. It is recommended that you configure EasyIDS to use more up-to-date rules immediately after install. Every install of EasyIDS updates the rules at random times to reduce the load on the Snort.org servers.

Click the "Settings" link in the menu.
Click the "Rules Updates" link under Snort configuration.

Determine which set of rules you wish to use based upon the descriptions given. If you wish to utilize the Sourcefire VRT Certified Registered or Subscriber Rules, you will need to register on http://www.snort.org. Acknowledge the license, receive your password by email, and login to the site. Go to USER PREFERENCES and press the 'Get Code' button at the bottom. Copy your code into the field labeled "Oink Code".

Alternatively, if you would prefer to use the Bleeding Snort rules you will need to manually edit the snort.conf file to add the rules for Snort to use them.

If you would like to receive an e-mail whenever rules are updated then check the box and enter a subject and e-mail address. When you have made all desired changes hit the "Save" button to return to the settings page.
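The v0.4 changelog notes that the ruleset update script only downloads when the source md5 hash has changed, which keeps the scheduled updates described in this section from hammering the rules servers. The following is an added example of that logic, not the EasyIDS update script. It assumes the rules source publishes a sidecar .md5 file containing the tarball's digest as a 32-character hex string; network fetches are passed in as callables so the example runs offline on constructed data, and it also goes one step further than the changelog entry by rejecting a downloaded tarball whose digest does not match the published one.

```python
"""Download a rules tarball only when its published md5 has changed.

Added example, not the EasyIDS update script. Assumes a sidecar .md5 file
with a 32-hex digest somewhere in it. OLD_RULES/NEW_RULES are constructed
stand-ins for the tarballs.
"""
import hashlib
import re

_HEX32 = re.compile(r"\b[0-9a-fA-F]{32}\b")


def md5_hex(data):
    """Hex md5 of a byte string (used here as a change detector only)."""
    return hashlib.md5(data).hexdigest()


def parse_md5_sidecar(text):
    """Pull the 32-hex digest out of a sidecar file, whatever its wrapping."""
    m = _HEX32.search(text)
    if not m:
        raise ValueError("no md5 digest found in sidecar")
    return m.group(0).lower()


def update_rules(fetch_md5, fetch_tarball, local_tarball):
    """Return (downloaded, tarball_bytes).

    fetch_md5()     -> str, contents of the published .md5 sidecar
    fetch_tarball() -> bytes, the rules tarball
    local_tarball   -> bytes or None, what is currently installed

    The tarball is fetched only when the published digest differs from the
    local copy. A fetched tarball that does not match the digest is refused
    rather than installed, so a truncated or corrupted download cannot
    replace a working ruleset.
    """
    published = parse_md5_sidecar(fetch_md5())
    if local_tarball is not None and md5_hex(local_tarball) == published:
        return False, local_tarball
    data = fetch_tarball()
    if md5_hex(data) != published:
        raise ValueError("downloaded rules do not match published md5; "
                         "keeping current rules")
    return True, data


# Constructed stand-ins for the remote tarballs.
OLD_RULES = b"constructed: rules snapshot 1\n"
NEW_RULES = b"constructed: rules snapshot 2\n"


def sidecar_for(data, name="snortrules-snapshot.tar.gz"):
    """Constructed sidecar in a 'MD5(name)= digest' style (assumed format)."""
    return f"MD5({name})= {md5_hex(data)}\n"


def demo():
    """Run three cases: unchanged upstream, changed upstream, corrupt download."""
    unchanged, _ = update_rules(lambda: sidecar_for(OLD_RULES),
                                lambda: OLD_RULES, OLD_RULES)
    changed, got = update_rules(lambda: sidecar_for(NEW_RULES),
                                lambda: NEW_RULES, OLD_RULES)
    try:
        # Sidecar advertises the new snapshot but the body served is the old one.
        update_rules(lambda: sidecar_for(NEW_RULES), lambda: OLD_RULES, None)
        corrupt_rejected = False
    except ValueError:
        corrupt_rejected = True
    return unchanged, changed, got, corrupt_rejected


if __name__ == "__main__":
    print(demo())
```

The md5 comparison detects change and transport corruption; it does not authenticate who published the rules, so the HTTPS connection to the rules server (and the Oink Code login described above) remains the control that establishes where the rules came from.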

5.5 - Thresholds:

More details to come....


Quick Install Guide

Warning: A dedicated computer is required for EasyIDS.
Installing EasyIDS will format your computer and erase your hard drive.
EasyIDS requires two NICs minimum & MUST be able to get an IP via DHCP at install.
Configuring the network:

One NIC (eth0) should be plugged into a DHCP enabled switch and the other (eth1) should be plugged into either a mirrored port on your switch or into a dumb hub placed between your firewall and the internet. If you don't know which NIC is eth0 then plug both NICs into your DHCP enabled switch. After install you will be shown upon login the IP address that you will browse to from another computer. Unplug NICs one at a time until you can't access the web interface and that will be eth0.

Installing the ISO:

Boot to the install cd on a computer compatible with Centos Linux that has 2 network interface cards (NICs), 384MB+ of RAM, and an 8GB+ hard drive. Press Enter at the boot prompt, select your keyboard layout & timezone, and enter your root password twice. This is the password you will use when logging into the Linux command line. The system will eject the cd, which you'll need to take out of the drive; after two reboots your system will be ready for use.

Using the system:

Log into your EasyIDS system with the username root and the password you entered during installation. When you login the system will show you what IP address it got from the DHCP server. To access the EasyIDS GUI browse to https://IPADDRESS from another computer and login with the username admin and the password password.


FAQ


Q Can I install EasyIDS on a running server?
A No, EasyIDS needs a dedicated machine - physical or virtual. The installer erases the complete hard disk or virtual hard disk.

Q Can I run EasyIDS on VMware?
A Yes, EasyIDS has been tested and confirmed to work on VMware ESXi.

Q Does EasyIDS work in other languages?
A Yes, but only if the language files are translated first.

Q What does EasyIDS cost?
A Nothing. Nada. Zip. Zero. Zilch....But donations to this project are gladly accepted and greatly appreciated!

Q What is the EasyIDS default password?
A The default username is "admin" and the default password is "password". There is also a read only user account with the username "user" and password "easyids".
