COMPLETE SETUP GUIDE
EasyIDS is an all-inclusive Snort IDS solution that comes on a bootable CD. It makes the process of bringing up a network IDS easy. This document details, step by step, how to install and configure EasyIDS. It includes information on how to enable/disable rulesets, update Snort rules, and other useful applications.
1.0 - Hardware Requirements:
EasyIDS requires a dedicated computer compatible with CentOS Linux that has 384MB+ of RAM, an 8GB+ hard drive, and 2 network interface cards (NICs). One NIC (eth0) is the management interface and should be plugged into a DHCP enabled switch; the other (eth1) is the sniffing interface and should be plugged into either a mirrored (SPAN) port on your switch or into a dumb hub placed between your firewall and the internet. A normal switch port only receives traffic addressed to the device on that port, so without a mirrored port or a hub eth1 will see almost nothing worth alerting on. If you don't know which NIC is eth0 then plug both NICs into your DHCP enabled switch. After install you will be shown upon login the IP address that you will browse to from another computer. Unplug the NICs one at a time until you can't access the web interface; the NIC that was unplugged at that point is eth0.
2.0 - Download and install EasyIDS:
Download the EasyIDS ISO file from SourceForge, burn the ISO to a CD, and boot from it.
Warning: A dedicated computer is required for EasyIDS.
Installing EasyIDS will format your computer and erase your hard drive.
Press Enter at the boot prompt, select your keyboard layout and timezone, and enter your root password twice. This is the password you will use when logging into the Linux command line. The system will eject the CD; take it out of the drive, and after two reboots your system will be ready for use.
3.0 - Setting up EasyIDS:
Log into your EasyIDS system with the username root and the password you entered during installation. When you login the system will show you what IP address it got from the DHCP server. To access the EasyIDS GUI browse to https://IPADDRESS from another computer and login with the username admin and the password password. These are well-known default credentials; change them as described in section 4.1 before doing anything else.
3.1 - Network Configuration:
GUI config:
As of version 0.3 network settings can be configured via the web interface.
Click the "Settings" link in the menu. Click the "Network Settings" link under EasyIDS configuration. Change the default Interface Type from DHCP to STATIC. Enter the IP information for your EasyIDS system.
Example:
IP: 192.168.200.16
Netmask: 255.255.255.0
Primary DNS: 192.168.200.254
Secondary DNS: 192.168.200.253
Gateway: 192.168.200.254
Click Save. Depending on the changes made, EasyIDS will either reboot or redirect you to the new IP address.
Manual config:
Set up IP address information by typing netconfig in the Linux CLI. Select Yes when prompted about setting up networking. Select DHCP if you want it (not recommended); otherwise, enter the IP information for your EasyIDS system.
Example:
IP: 192.168.200.16
Netmask: 255.255.255.0
Gateway: 192.168.200.254
Primary nameserver: 192.168.200.254
Click OK and either reboot by typing reboot or restart the network by typing service network restart. You'll also need to restart Snort by typing service snort restart.
Secondary DNS nameserver - if you would like to add a secondary DNS nameserver type nano /etc/resolv.conf and add a line nameserver (ip address) underneath the primary nameserver information. To exit nano, hit CTRL+X and then Y when asked if you want to save.
3.2 - Hostname Configuration:
GUI config:
As of version 0.3 the hostname can be configured via the web interface.
Click the "Settings" link in the menu. Click the "Network Settings" link under EasyIDS configuration. Change the hostname as desired. Click Save and EasyIDS will reboot.
Manual config:
Set up the hostname by typing set-hostname in the Linux CLI. Enter the new hostname when prompted and either reboot or login again to see the changes.
4.0 - General Setup & Security:
4.1 - Change default passwords:
GUI config:
As of version 0.3 most passwords can be configured via the web interface.
Click on the "Settings" link in the menu. Click the "Passwords" link under EasyIDS configuration. Enter the new desired admin password twice and click Save. Login when prompted with the username admin and the password you just entered.
To change the root password, follow the above directions and enter the new desired root password twice and click Save.
Follow the manual directions below for changing the default mysql root password.
Manual config:
To update the web interface admin password type passwd-admin and enter the new password twice.
To update the root password type passwd and enter the new password twice.
You should also change the default MySQL root user password by typing mysqladmin -u root -p password new_password, replacing "new_password" with your desired password. When you hit Enter you will be prompted for a password; enter the default MySQL root user password of "passw0rd" (with a zero). Because the new password is typed on the command line it is recorded in the root shell history; run history -c afterwards so it is not written to ~/.bash_history.
4.2 - Backups:
GUI config:
As of version 0.3 EasyIDS can perform manual local backups and scheduled local/remote FTP backups and restore one of these backups when needed. It is also possible to reset EasyIDS to factory defaults.
Click the "Settings" link in the menu. Click the "Backups" link under EasyIDS configuration.
The following options can be specified before the creation of the backup:
Remark - Add some information to help you remember the reason for this backup.
Current configuration - Include the current configuration of EasyIDS (/etc/easyids).
Include database dumps - Include the most recent dump of your Snort database.
Include log files - Include current log files.
Include log archives - Include old log files.
To create a manual local backup enter a remark (if desired), check the files to include, and click the "Create New Backup" button.
To enable scheduled backups change the "Enabled" dropdown from No to Yes. Specify whether you want a Daily or Weekly backup schedule. Specify whether you want Local or Remote FTP backups. If Local is chosen then specify the number of backups to keep. If Remote FTP is chosen then specify the remote FTP host, username, and password. Note that FTP sends both the login and the backup archive (which can contain your settings and your Snort database) unencrypted, so only use it across a network you trust. Check which files to include and click Submit.
The list of local backup sets displays the backup sets that are currently on EasyIDS. From here you can export, restore, or delete your EasyIDS backups. The backups are sorted by date with the latest backup on top.
The Creation Date column shows when the backup was created and the Content column shows a list of flags describing what the backup contains:
S - This backup contains settings.
D - This backup contains a database dump.
L - This backup contains log files.
A - This backup contains older log files.
C - This backup was created automatically by schedule.
Clicking on the disk in the Action column will download the file to your computer, clicking on the trash can will delete the backup set, and clicking the last symbol will restore the backup set.
To import a backup you will need to use an SFTP client such as WinSCP to copy the backup to the /var/www/html/backups directory. You will need to refresh the Backup webpage before you can see the newly imported backup.
You can reset EasyIDS to factory defaults by pressing the Factory Defaults button at the bottom of the backup webpage. Upon reboot the configuration and database will be the same as it was after initial installation.
5.0 - Snort Configuration:
5.1 - Network Settings:
The Snort network settings are already configured upon install to log suspicious external traffic to and from your local network, but they can be easily adjusted to help reduce false positives. Fine-tuning the network settings and explicitly specifying the various servers (the addresses Snort's rules use to identify your web, mail, DNS and other servers) will increase the performance of Snort and reduce the load on your EasyIDS server.
5.2 - Rulesets:
Spending a little time fine-tuning the rulesets can also increase the performance of Snort. You should spend a bit of time beforehand evaluating what servers and services are present on your network and only enable rulesets for those services. For example, if you do not have any ColdFusion servers on your network then you do not need to enable the web-coldfusion ruleset.
Click the "Settings" link in the menu. Click the "Rulesets" link under Snort configuration. Enable/disable the specific rulesets for the services on your network. Hit the "Save" button to return to the settings page and restart Snort.
5.3 - Notify Settings:
As of version 0.3 EasyIDS can send e-mail notifications of intrusion attempts. E-mail notifications can be configured for both during work and after work schedules.
Click the "Settings" link in the menu. Click the "Notify Settings" link under Snort configuration. Change the "Enabled" drop-down from No to Yes to enable e-mail alerts, then fill in the form:
Enter the e-mail address that notifications should go to during work.
Enter the e-mail address that notifications should go to after work.
Check the boxes corresponding to work days.
Specify when the workday starts and when it ends.
Enter the sender address and the return address.
Specify the priority level for which you want to be notified.
Enter the subject and the message body for e-mail notifications.
Turn thresholding on to receive a single e-mail for repeated occurrences of the same alert instead of one e-mail per occurrence.
Hit the "Save" button to return to the settings page.
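To make the effect of the work/after-work schedule, the priority filter and thresholding concrete, here is an added Python example that routes Snort alerts the way the Notify Settings form describes. It is not EasyIDS code. It reads Snort's alert_fast line format; the sample alert lines, the e-mail addresses, the 5-minute threshold window and the year (alert_fast lines carry no year) are all assumptions made for this example.

```python
"""Route Snort alerts to e-mail the way the Notify Settings form describes.

Added example, not EasyIDS code. Input is Snort's alert_fast line format;
the sample lines, addresses, the 5-minute threshold window and the year
(alert_fast lines carry no year) are all assumptions made here.
"""
import re
from datetime import datetime, timedelta

# Constructed sample alert_fast lines (not taken from a real sensor).
SAMPLE_ALERTS = """\
04/14-09:15:02.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.5:1434 -> 192.168.200.20:1434
04/14-09:15:07.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.5:1434 -> 192.168.200.21:1434
04/14-09:16:30.500000  [**] [1:1000001:1] LOCAL informational test rule [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.1.1.9:4321 -> 192.168.200.30:80
04/14-21:02:11.000000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.5:1434 -> 192.168.200.22:1434
"""

ALERT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(\d+:\d+:\d+)\]\s+(.*?)\s+\[\*\*\].*?\[Priority:\s*(\d+)\]"
)

# Assumed settings mirroring the fields on the Notify Settings page.
SETTINGS = {
    "work_email": "soc@example.com",      # address used during work hours
    "after_email": "oncall@example.com",  # address used after hours
    "work_days": {0, 1, 2, 3, 4},         # Monday=0 .. Friday=4
    "work_start": 8,                      # workday starts 08:00
    "work_end": 18,                       # workday ends 18:00
    "max_priority": 2,                    # Snort priority 1 is most severe; mail on 1 and 2
    "threshold": True,                    # one e-mail per signature per window
    "threshold_window": timedelta(minutes=5),  # assumed window, not an EasyIDS setting
}


def parse_alert(line, year=2008):
    """Parse one alert_fast line; returns None for lines that are not alerts."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, sid, msg, prio = m.groups()
    return {
        "time": datetime(year, int(mon), int(day), int(hh), int(mm), int(ss)),
        "sid": sid,
        "msg": msg,
        "priority": int(prio),
    }


def recipient(ts, s=SETTINGS):
    """Pick the during-work or after-work address for a timestamp."""
    in_work = ts.weekday() in s["work_days"] and s["work_start"] <= ts.hour < s["work_end"]
    return s["work_email"] if in_work else s["after_email"]


def route_alerts(text, s=SETTINGS):
    """Return (recipient, sid, msg) tuples for alerts that should be mailed.

    Alerts whose priority number is above the configured level are dropped.
    With thresholding on, repeated hits of the same signature inside the
    window produce no further e-mail, which is what keeps a worm or a scan
    from generating hundreds of identical messages.
    """
    last_sent = {}
    notifications = []
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None or a["priority"] > s["max_priority"]:
            continue
        if s["threshold"]:
            prev = last_sent.get(a["sid"])
            if prev is not None and a["time"] - prev < s["threshold_window"]:
                continue
            last_sent[a["sid"]] = a["time"]
        notifications.append((recipient(a["time"], s), a["sid"], a["msg"]))
    return notifications


if __name__ == "__main__":
    for to, sid, msg in route_alerts(SAMPLE_ALERTS):
        print(f"mail {to}: [{sid}] {msg}")
```

On the sample, the four alerts collapse to two e-mails: the first worm hit goes to the during-work address, the second hit five seconds later is suppressed by thresholding, the priority 3 line is below the configured level, and the evening hit goes to the after-work address. Actually sending the mail (handing each tuple to the local MTA) is left out.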
5.4 - Rule Updates:
EasyIDS comes with the Sourcefire VRT Certified Unregistered User Rules released under the old Snort VRT Rules License Agreement. It is recommended that you configure EasyIDS to use more up-to-date rules immediately after install. Every install of EasyIDS updates the rules at random times to reduce the load on the Snort.org servers.
Click the "Settings" link in the menu. Click the "Rules Updates" link under Snort configuration.
Determine which set of rules you wish to use based upon the descriptions given. If you wish to use the Sourcefire VRT Certified Registered or Subscriber Rules, you will need to register on http://www.snort.org. Acknowledge the license, receive your password by email, and login to the site. Go to USER PREFERENCES and press the 'Get Code' button at the bottom. Copy your code into the field labeled "Oink Code". Treat the Oink code like a password: it is tied to your Snort.org account and is all that is needed to download rules on its behalf.
Alternatively, if you would prefer to use the Bleeding Snort rules you will need to manually edit the snort.conf file to add the rules for Snort to use them, and then restart Snort (service snort restart).
If you would like to receive an e-mail whenever rules are updated then check the box and enter a subject and e-mail address. When you have made all desired changes hit the "Save" button to return to the settings page.
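Both the ruleset selection in section 5.2 and the manual Bleeding Snort setup in section 5.4 come down to which include lines in snort.conf are active: disabling a ruleset comments out its include, and using a downloaded rule file means adding an include for it. The following Python script is an added example of making that edit without touching the rest of the file; it is not EasyIDS code. It assumes rulesets are referenced as include $RULE_PATH/<name>.rules lines (the usual snort.conf convention) and works on a constructed sample configuration.

```python
"""Enable, disable or add ruleset includes in a snort.conf.

Added example, not EasyIDS code. Assumes the standard convention that each
ruleset is pulled in by a line of the form `include $RULE_PATH/<name>.rules`
and that a disabled ruleset is that same line commented out with '#'.
"""
import re

# Constructed sample of the relevant part of a snort.conf (not a real file).
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-coldfusion.rules
# include $RULE_PATH/oracle.rules
include $RULE_PATH/local.rules
"""

# Matches both active and commented-out include lines; group 3 is the name.
INCLUDE_RE = re.compile(r"^(\s*)(#\s*)?include\s+\$RULE_PATH/([\w.-]+)\.rules\s*$")


def list_rulesets(conf):
    """Return {ruleset name: enabled?} for every RULE_PATH include line."""
    state = {}
    for line in conf.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            state[m.group(3)] = m.group(2) is None
    return state


def set_ruleset(conf, name, enabled):
    """Uncomment (enable) or comment out (disable) one ruleset's include line.

    Every other line is passed through unchanged. Raises KeyError if the
    config has no include line for that ruleset, so a typo in the name is
    not silently ignored.
    """
    out = []
    found = False
    for line in conf.splitlines():
        m = INCLUDE_RE.match(line)
        if m and m.group(3) == name:
            found = True
            prefix = "" if enabled else "# "
            line = f"{m.group(1)}{prefix}include $RULE_PATH/{name}.rules"
        out.append(line)
    if not found:
        raise KeyError(name)
    return "\n".join(out) + "\n"


def add_ruleset(conf, name):
    """Add an include for a rule file snort.conf does not reference yet
    (for example a downloaded Bleeding rule file). If an include already
    exists it is simply enabled, so the same file is never included twice."""
    if name in list_rulesets(conf):
        return set_ruleset(conf, name, True)
    return conf.rstrip("\n") + f"\ninclude $RULE_PATH/{name}.rules\n"


if __name__ == "__main__":
    conf = set_ruleset(SAMPLE_CONF, "web-coldfusion", False)  # no ColdFusion here
    conf = add_ruleset(conf, "bleeding-all")  # assumed file name for a downloaded ruleset
    print(conf)
```

Write the result back over snort.conf, make sure every referenced .rules file actually exists in the rules directory (Snort refuses to start if an include points at a missing file), and run snort -T -c <path to snort.conf> to test the configuration before restarting Snort with service snort restart.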
5.5 - Thresholds:
More details to come....