HxHippy

Intrusion Detection Systems

Host and network-based intrusion detection with OSSEC, Snort, and Suricata.

Last updated: 2025-01-15

Monitor systems and networks for malicious activity.

IDS Types

Type     Scope           Examples
HIDS     Host-based      OSSEC, AIDE, Samhain
NIDS     Network-based   Snort, Suricata, Zeek
Hybrid   Both            Security Onion

OSSEC (HIDS)

Installation

# Add the Atomicorp repository via its installer script. Don't pipe an unread
# script straight into a root shell: fetch it, read it, then run it.
curl -sO https://updates.atomicorp.com/installers/atomic
less atomic
sudo bash atomic

# Install the OSSEC server (manager)
sudo apt install ossec-hids-server
# or, on each monitored host, the agent
sudo apt install ossec-hids-agent

Configuration

<!-- /var/ossec/etc/ossec.conf (server) -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <!-- placeholder address: replace with your alert mailbox -->
    <email_to>admin@example.com</email_to>
    <smtp_server>localhost</smtp_server>
  </global>

  <!-- file integrity monitoring: full scan every 2 hours (7200 s) -->
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <!-- mtab changes on every mount; exclude it or it alerts constantly -->
    <ignore>/etc/mtab</ignore>
  </syscheck>

  <!-- rootkit detection using the signature lists shipped with OSSEC -->
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>
</ossec_config>
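To make concrete what the syscheck block above is doing, here is a minimal file-integrity monitor written for this page as an added example (it is not OSSEC code and does not use OSSEC's database format). It takes a baseline of SHA-256 digest, size, mode and mtime for every regular file under the configured directories, applies an ignore list in the role of the <ignore> element, and on the next scan reports files that were added, removed or modified. The demo scenario (a fake /etc in a temp directory, a UID-0 account appended to passwd, an ld.so.preload dropped, a churning mtab that must be ignored) is constructed for the example; the paths and file contents are assumptions.

```python
"""Minimal file-integrity monitor in the spirit of OSSEC syscheck (added example,
not OSSEC code). Builds a baseline of SHA-256 digests plus size/mode/mtime for
the configured directories, then reports added, removed and modified files on
the next scan. The ignore list plays the role of <ignore>; the demo directory
and its files are constructed in a temp dir."""
import hashlib
import os
import tempfile
from fnmatch import fnmatch

FIELDS = ("sha256", "size", "mode", "mtime")


def _sha256(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(directories, ignore=()):
    """Walk directories and return {path: (sha256, size, mode, mtime)}.
    Symlinks are skipped so a link to /dev/zero or a moving target cannot
    hang or fool the scan; ignore holds fnmatch patterns on the full path."""
    state = {}
    for root in directories:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or any(fnmatch(path, p) for p in ignore):
                    continue
                st = os.stat(path)
                state[path] = (_sha256(path), st.st_size, st.st_mode, int(st.st_mtime))
    return state


def compare(old, new):
    """Diff two baselines. 'modified' maps path -> list of changed fields."""
    modified = {}
    for path in old.keys() & new.keys():
        changed = [f for f, a, b in zip(FIELDS, old[path], new[path]) if a != b]
        if changed:
            modified[path] = changed
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "modified": modified}


def demo():
    """Constructed scenario: an /etc with passwd and mtab; an attacker then adds
    a UID-0 account and drops ld.so.preload; mtab churns but is ignored.
    Returns the diff with paths relative to the temp root."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = os.path.join(tmp, "etc")
        os.makedirs(etc)
        passwd, mtab = os.path.join(etc, "passwd"), os.path.join(etc, "mtab")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(mtab, "w") as f:
            f.write("proc /proc proc rw 0 0\n")
        before = baseline([etc], ignore=["*/mtab"])

        with open(passwd, "a") as f:
            f.write("backdoor:x:0:0::/root:/bin/bash\n")
        with open(os.path.join(etc, "ld.so.preload"), "w") as f:
            f.write("/tmp/evil.so\n")
        with open(mtab, "w") as f:
            f.write("tmpfs /run tmpfs rw 0 0\n")
        after = baseline([etc], ignore=["*/mtab"])

        diff = compare(before, after)
        rel = lambda p: os.path.relpath(p, tmp)
        return {"added": [rel(p) for p in diff["added"]],
                "removed": [rel(p) for p in diff["removed"]],
                "modified": {rel(p): v for p, v in diff["modified"].items()}}


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

The point of recording mode and mtime alongside the digest is the same as check_all="yes": a permission change on a setuid binary or a backdated timestamp is worth an alert even when the content hash is unchanged. A real deployment stores the baseline off-host (OSSEC keeps it on the manager), because an attacker with root on the monitored box can otherwise re-baseline after tampering.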

Managing OSSEC

# Start / restart (restart after editing ossec.conf)
sudo /var/ossec/bin/ossec-control start
sudo /var/ossec/bin/ossec-control restart

# Check that every daemon is running
sudo /var/ossec/bin/ossec-control status

# View alerts as they arrive
sudo tail -f /var/ossec/logs/alerts/alerts.log

# Add an agent and extract its key on the server, then import the key on the agent
sudo /var/ossec/bin/manage_agents

# List agents and whether they are connected
sudo /var/ossec/bin/agent_control -l

Suricata (NIDS)

Installation

# Install Suricata
sudo apt install suricata

# Update rules
sudo suricata-update

Configuration

# /etc/suricata/suricata.yaml (excerpt)
vars:
  address-groups:
    # everything treated as "inside"; add 172.16.0.0/12 if you use it
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8]"
    EXTERNAL_NET: "!$HOME_NET"

# capture method; the interface name must match the sensor's (check with: ip link)
af-packet:
  - interface: eth0

outputs:
  # structured JSON log, one record per line, the format a SIEM should ingest
  - eve-log:
      enabled: yes
      filename: eve.json
      types:
        - alert
        - dns
        - http
        - tls

Running Suricata

# Test the configuration before (re)starting
sudo suricata -T -c /etc/suricata/suricata.yaml

# Start Suricata and enable it at boot
sudo systemctl enable --now suricata

# After suricata-update, load the new rules without a restart
sudo suricatasc -c ruleset-reload-rules

# View alerts (one line each; needs the fast output, enabled by default)
sudo tail -f /var/log/suricata/fast.log
# or the full JSON record for each alert
sudo tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'

Snort

Basic Setup

# Install Snort (the Debian/Ubuntu package is the 2.9 series, configured via
# snort.conf; Snort 3 uses snort.lua and is normally built from source)
sudo apt install snort

# Set HOME_NET and the capture interface
sudo dpkg-reconfigure snort

# Test rules and configuration
sudo snort -T -c /etc/snort/snort.conf

# Run in the foreground with alerts printed to the console (quick check)
sudo snort -A console -q -c /etc/snort/snort.conf -i eth0

Alert Response

# Common response actions
# 1. Block the source at the firewall. Use -I (insert at the top), not -A:
#    an earlier ACCEPT rule would otherwise shadow the DROP. Block only on
#    alerts from established TCP flows; UDP, ICMP and SYN-only sources are
#    spoofable, so an attacker can make you block an address you depend on.
iptables -I INPUT -s <IP> -j DROP

# 2. Isolate the host (switch port / VLAN, or the hypervisor network)
# 3. Capture additional traffic for analysis
tcpdump -nn -i eth0 host <IP> -w capture.pcap

# 4. Review the full EVE records for that address. Filter on the fields
#    rather than grep: a plain string match also hits substrings of other IPs.
jq -c 'select(.src_ip=="<IP>" or .dest_ip=="<IP>")' /var/log/suricata/eve.json

IDS Best Practices

Practice            Description
Tune rules          Suppress or threshold signatures that fire on known-benign traffic; an ignored alert stream is worse than a smaller one
Regular updates     Keep signatures current (suricata-update on a schedule, then reload rules)
Log centralization  Forward alerts and EVE logs to a SIEM so a compromised sensor cannot erase its own history
Response playbooks  Document who does what for each alert class, including when automatic blocking is and is not allowed
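The "review logs" step of Alert Response and the "tune rules" practice are the same exercise on the same data: read the EVE alerts, see which signatures fire and from where, then decide what to suppress and what to block. The script below is an added example written for this page (not Suricata, OSSEC or Snort code). It parses eve.json lines, counts alerts per signature, emits threshold.config suppress lines for an internal source that hammers one signature, and emits firewall commands, as strings only, for an external source with repeated high-severity alerts. The sample records are constructed and embedded; the signature IDs and names in them are invented for the demo and are not real ruleset entries, and HOME_NET mirrors the value in the Suricata configuration above.

```python
"""Triage Suricata EVE alerts into tuning and response candidates (added
example, not Suricata code). Reads eve.json lines (here a constructed sample;
in production, /var/log/suricata/eve.json), ranks signatures, emits
threshold.config 'suppress' lines for internal sources that hammer one
signature, and emits firewall commands (as strings only) for external
sources with repeated high-severity alerts. Signature IDs and names below are
invented for the demo, not real ruleset entries."""
import ipaddress
import json
from collections import Counter

# mirrors HOME_NET in suricata.yaml
HOME_NET = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8")]


def _alert_line(ts, src, dst, dport, sid, sig, sev):
    """One EVE alert record in the shape Suricata writes (constructed)."""
    return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": src,
                       "dest_ip": dst, "dest_port": dport, "proto": "TCP",
                       "alert": {"gid": 1, "signature_id": sid, "rev": 1,
                                 "signature": sig, "severity": sev}})


# constructed sample: 3 high-severity hits from one external host, 6 low-severity
# hits from an internal scanner, 1 medium hit, and a non-alert dns record
SAMPLE_EVE = "\n".join(
    [_alert_line("2025-01-15T10:00:%02d.000000+0000" % i, "203.0.113.7",
                 "192.168.1.10", 22, 9000001, "DEMO SSH brute force", 1) for i in range(3)]
    + [_alert_line("2025-01-15T10:01:%02d.000000+0000" % i, "192.168.1.50",
                   "192.168.1.%d" % (10 + i), 0, 9000002, "DEMO ICMP sweep", 3) for i in range(6)]
    + [_alert_line("2025-01-15T10:02:00.000000+0000", "198.51.100.9",
                   "192.168.1.10", 80, 9000003, "DEMO scanner user-agent", 2)]
    + ['{"timestamp":"2025-01-15T10:02:01.000000+0000","event_type":"dns",'
       '"src_ip":"192.168.1.20","dest_ip":"192.168.1.1","dns":{"type":"query","rrname":"example.com"}}']
)


def parse_alerts(text):
    """Return only alert events; skip other event types and torn lines."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json may be mid-write when tailed
        if ev.get("event_type") == "alert":
            alerts.append(ev)
    return alerts


def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def summary(alerts):
    """Alert count per signature: the first view used to spot noise."""
    return Counter(a["alert"]["signature"] for a in alerts)


def suppress_lines(alerts, min_count=5):
    """threshold.config suppressions for (signature, internal source) pairs
    that fire >= min_count times, e.g. a vulnerability scanner or monitor."""
    pairs = Counter((a["alert"]["gid"], a["alert"]["signature_id"], a["src_ip"]) for a in alerts)
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}"
            for (gid, sid, src), n in pairs.most_common()
            if n >= min_count and in_home_net(src)]


def block_commands(alerts, max_severity=1, min_count=3):
    """External sources with >= min_count alerts at severity <= max_severity
    (1 = high). Returns commands as strings; nothing is executed. -I, not -A,
    so an earlier ACCEPT rule cannot shadow the DROP."""
    per_src = Counter(a["src_ip"] for a in alerts
                      if a["alert"]["severity"] <= max_severity and not in_home_net(a["src_ip"]))
    return [f"iptables -I INPUT -s {src} -j DROP"
            for src, n in per_src.most_common() if n >= min_count]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE)
    for sig, n in summary(alerts).most_common():
        print(f"{n:4d}  {sig}")
    print("\n".join(suppress_lines(alerts) + block_commands(alerts)))
```

The suppress lines go into the file named by threshold-file in suricata.yaml (/etc/suricata/threshold.config by default) followed by a rules reload; suppressing by source address keeps the signature live for everyone else, which is the right tuning move for a known scanner. The block list is deliberately returned rather than executed: before automating it, restrict it to alerts raised on established TCP flows and keep an allowlist of addresses you must never block, because spoofed UDP/ICMP/SYN traffic can otherwise turn your IDS into a denial-of-service tool against yourself.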