Intrusion Detection Systems
Monitor systems and networks for malicious activity.
IDS Types
| Type | Scope | Examples |
|---|---|---|
| HIDS | Host-based | OSSEC, AIDE, Samhain |
| NIDS | Network-based | Snort, Suricata, Zeek |
| Hybrid | Both | Security Onion |
OSSEC (HIDS)
Installation
# Add the Atomicorp repository. The installer is a shell script that runs as
# root, so download it, read it, then run it rather than piping curl into bash
curl -sO https://updates.atomicorp.com/installers/atomic
less atomic
sudo bash atomic
# Install the OSSEC server (manager)
sudo apt install ossec-hids-server
# or, on each monitored host, the agent
sudo apt install ossec-hids-agent
Configuration
<!-- /var/ossec/etc/ossec.conf -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.com</email_to>  <!-- placeholder: your alert mailbox -->
    <smtp_server>localhost</smtp_server>
  </global>
  <syscheck>
    <!-- scan interval in seconds; check_all compares size, permissions,
         owner, group and file hashes -->
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <!-- files that legitimately change all the time would only generate noise -->
    <ignore>/etc/mtab</ignore>
  </syscheck>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>
</ossec_config>
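What the `<syscheck>` block above actually does, shown in miniature as an added example (not OSSEC's own code): record size, permissions, owner, group and a SHA-256 per file under the watched directories, skip the `<ignore>` paths, and diff a later scan against the baseline. The directory tree, file contents and tampering steps in `demo()` are constructed inside a temporary directory so the script runs anywhere without touching the real /etc.

```python
"""File-integrity check in the style of OSSEC syscheck (check_all + ignore).

Added example; not OSSEC code. The demo tree under a temporary directory, its
file contents and the tampering steps are constructed for illustration.
"""
import hashlib
import os
import stat
import tempfile


def file_attrs(path):
    """The attributes check_all="yes" compares: size, permissions, owner, group, hash."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "sha256": h.hexdigest()}


def snapshot(directories, ignore=()):
    """Walk the watched directories and return {path: attrs}, honouring the ignore list."""
    snap = {}
    ignore = set(ignore)
    for top in directories:
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                if path in ignore or os.path.islink(path):
                    continue  # a symlink's target is checked where it really lives
                snap[path] = file_attrs(path)
    return snap


def diff_snapshots(baseline, current):
    """Report added, deleted and modified files; 'modified' lists which attributes changed."""
    report = {"added": sorted(current.keys() - baseline.keys()),
              "deleted": sorted(baseline.keys() - current.keys()),
              "modified": {}}
    for path in sorted(baseline.keys() & current.keys()):
        changed = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
        if changed:
            report["modified"][path] = changed
    return report


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Baseline a constructed /etc, tamper with it the way an intruder might, and diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        _write(os.path.join(etc, "passwd"), "root:x:0:0::/root:/bin/bash\n")
        _write(os.path.join(etc, "sudoers"), "root ALL=(ALL) ALL\n")
        _write(os.path.join(etc, "hosts.deny"), "ALL: ALL\n")
        _write(os.path.join(etc, "mtab"), "tmpfs /tmp tmpfs rw 0 0\n")
        os.chmod(os.path.join(etc, "sudoers"), 0o440)
        ignore = {os.path.join(etc, "mtab")}  # the page's <ignore>/etc/mtab</ignore>

        baseline = snapshot([etc], ignore)

        # Tampering: a second UID-0 account, a world-writable sudoers, a cron
        # backdoor, a removed deny list, and churn in the ignored mtab.
        _write(os.path.join(etc, "passwd"),
               "root:x:0:0::/root:/bin/bash\nsupport:x:0:0::/root:/bin/bash\n")
        os.chmod(os.path.join(etc, "sudoers"), 0o666)
        _write(os.path.join(etc, "cron.d", "backdoor"), "* * * * * root /tmp/.x\n")
        os.remove(os.path.join(etc, "hosts.deny"))
        _write(os.path.join(etc, "mtab"), "tmpfs /tmp tmpfs rw,nosuid 0 0\n")

        report = diff_snapshots(baseline, snapshot([etc], ignore))
        rel = lambda p: os.path.relpath(p, root)
        return {"added": [rel(p) for p in report["added"]],
                "deleted": [rel(p) for p in report["deleted"]],
                "modified": {rel(p): c for p, c in report["modified"].items()}}


if __name__ == "__main__":
    print(demo())
```

The hash is what catches a same-size content change that a size-only check would miss, and the mode field is what flags a permission change on a file whose content is untouched; the ignored mtab churn produces nothing, which is the whole point of `<ignore>`.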
Managing OSSEC
# Start OSSEC
sudo /var/ossec/bin/ossec-control start
# Check status
sudo /var/ossec/bin/ossec-control status
# View alerts
sudo tail -f /var/ossec/logs/alerts/alerts.log
# Add agent: run on the server to add the agent and extract its key (A, then E),
# then run it again on the agent to import that key (I); restart both afterwards
sudo /var/ossec/bin/manage_agents
# List agents and whether each one is connected
sudo /var/ossec/bin/agent_control -l
Suricata (NIDS)
Installation
# Install Suricata
sudo apt install suricata
# Download the ET Open ruleset (the default source) into /var/lib/suricata/rules
sudo suricata-update
Configuration
# /etc/suricata/suricata.yaml
vars:
  address-groups:
    # HOME_NET must list the networks you actually protect; direction-aware
    # rules ($EXTERNAL_NET -> $HOME_NET) are only as accurate as this variable
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8]"
    EXTERNAL_NET: "!$HOME_NET"
af-packet:
  - interface: eth0
outputs:
  - eve-log:
      enabled: yes
      filename: eve.json
      types:
        - alert
        - dns
        - http
        - tls
Running Suricata
# Test configuration before (re)starting
sudo suricata -T -c /etc/suricata/suricata.yaml
# Start Suricata
sudo systemctl start suricata
# Load freshly updated rules without a restart (after suricata-update)
sudo suricatasc -c reload-rules
# View alerts (one line per alert; eve.json holds the full JSON record)
sudo tail -f /var/log/suricata/fast.log
Snort
Basic Setup
# Install Snort (the Debian/Ubuntu package is Snort 2.x; Snort 3 uses
# /etc/snort/snort.lua instead of snort.conf)
sudo apt install snort
# Configure the monitored interface and HOME_NET
sudo dpkg-reconfigure snort
# Test configuration and rules without starting capture
sudo snort -T -c /etc/snort/snort.conf
Alert Response
# Common response actions. Confirm the alert is not a false positive first,
# and usually start the capture (step 3) before the block so the evidence
# does not stop the moment the rule goes in.
# 1. Block IP at firewall. -I puts the rule first; -A appends it after any
#    existing ACCEPT rule that would match the traffic first.
iptables -I INPUT -s <IP> -j DROP
# 2. Isolate host (quarantine VLAN or disable the switch port)
# 3. Capture additional traffic
tcpdump -i eth0 host <IP> -w capture.pcap
# 4. Review logs. Match the IP fields rather than grepping whole lines, which
#    also hits payload strings and partial addresses.
jq 'select(.src_ip == "<IP>" or .dest_ip == "<IP>")' /var/log/suricata/eve.json
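The review and tuning steps above can be scripted against eve.json. The following is an added example, not code from the page or from the Suricata project: it reads EVE alert records, classifies each by direction using the HOME_NET from the suricata.yaml fragment earlier on the page, drops a suppressed (sid, source) pair, applies a threshold of the kind Suricata expresses as `threshold type both, track by_src, count 3, seconds 60`, and turns external inbound sources into firewall block candidates. The EVE records, signature IDs and names, the suppression entry and the threshold values are all constructed for the demo.

```python
"""Triage Suricata EVE alerts: direction, suppression, thresholding, block list.

Added example, not code from the page or from Suricata. The EVE records,
signature IDs/names, suppression entry and threshold values are constructed.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

# HOME_NET as declared in the suricata.yaml fragment on this page.
HOME_NET = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8")]

# Constructed eve.json content: one JSON object per line, alerts plus one dns event.
EVE_LINES = """\
{"timestamp":"2025-01-15T10:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.5","alert":{"signature_id":1000001,"signature":"LOCAL SSH brute force"}}
{"timestamp":"2025-01-15T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.5","alert":{"signature_id":1000001,"signature":"LOCAL SSH brute force"}}
{"timestamp":"2025-01-15T10:00:02.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.6","alert":{"signature_id":1000001,"signature":"LOCAL SSH brute force"}}
{"timestamp":"2025-01-15T10:00:03.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.6","alert":{"signature_id":1000001,"signature":"LOCAL SSH brute force"}}
{"timestamp":"2025-01-15T10:00:05.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"rrname":"example.com"}}
{"timestamp":"2025-01-15T10:00:10.000000+0000","event_type":"alert","src_ip":"10.0.0.50","dest_ip":"10.0.0.7","alert":{"signature_id":1000002,"signature":"LOCAL port sweep"}}
{"timestamp":"2025-01-15T10:00:11.000000+0000","event_type":"alert","src_ip":"10.0.0.50","dest_ip":"10.0.0.8","alert":{"signature_id":1000002,"signature":"LOCAL port sweep"}}
{"timestamp":"2025-01-15T10:00:12.000000+0000","event_type":"alert","src_ip":"10.0.0.50","dest_ip":"10.0.0.9","alert":{"signature_id":1000002,"signature":"LOCAL port sweep"}}
{"timestamp":"2025-01-15T10:00:20.000000+0000","event_type":"alert","src_ip":"10.0.0.8","dest_ip":"198.51.100.4","alert":{"signature_id":1000003,"signature":"LOCAL beacon to known C2"}}
{"timestamp":"2025-01-15T10:00:21.000000+0000","event_type":"alert","src_ip":"10.0.0.8","dest_ip":"198.51.100.4","alert":{"signature_id":1000003,"signature":"LOCAL beacon to known C2"}}
{"timestamp":"2025-01-15T10:00:22.000000+0000","event_type":"alert","src_ip":"10.0.0.8","dest_ip":"198.51.100.4","alert":{"signature_id":1000003,"signature":"LOCAL beacon to known C2"}}
{"timestamp":"2025-01-15T10:02:00.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.5","alert":{"signature_id":1000001,"signature":"LOCAL SSH brute force"}}
{"timestamp":"2025-01-15T10:02:01.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.5","alert":{"signature_id":1000001,"signature":"LOCAL SSH brute force"}}
{"timestamp":"2025-01-15T10:02:02.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.5","alert":{"signature_id":1000001,"signature":"LOCAL SSH brute force"}}
"""

# Assumed local tuning: (sid, src_ip) pairs to drop, like a Suricata `suppress` line.
SUPPRESS = {(1000002, "10.0.0.50")}  # assumed internal vulnerability scanner
# Assumed `threshold type both, track by_src, count 3, seconds 60` for every sid.
THRESHOLD_COUNT, THRESHOLD_SECONDS = 3, 60


def parse_eve(text):
    """Return alert records only, with a parsed datetime under '_ts'."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # dns/http/tls records are context for later, not triage input
        ev["_ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        alerts.append(ev)
    return alerts


def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def direction(ev):
    """Classify by which side is in HOME_NET; this decides whether blocking src_ip is sane."""
    src, dst = in_home_net(ev["src_ip"]), in_home_net(ev["dest_ip"])
    if src and dst:
        return "internal"
    if dst:
        return "inbound"
    if src:
        return "outbound"
    return "external"


def apply_suppress(alerts, suppress):
    return [a for a in alerts if (a["alert"]["signature_id"], a["src_ip"]) not in suppress]


def apply_threshold(alerts, count, seconds):
    """Emit one alert per (sid, src_ip) once `count` hits land inside a `seconds` window."""
    windows, kept = {}, []
    for ev in sorted(alerts, key=lambda e: e["_ts"]):
        key = (ev["alert"]["signature_id"], ev["src_ip"])
        w = windows.get(key)
        if w is None or (ev["_ts"] - w["start"]).total_seconds() >= seconds:
            w = windows[key] = {"start": ev["_ts"], "hits": 0, "fired": False}
        w["hits"] += 1
        if w["hits"] >= count and not w["fired"]:
            w["fired"] = True
            kept.append(ev)
    return kept


def triage(text):
    alerts = apply_suppress(parse_eve(text), SUPPRESS)
    fired = apply_threshold(alerts, THRESHOLD_COUNT, THRESHOLD_SECONDS)
    per_src = defaultdict(int)
    for ev in fired:
        per_src[(ev["src_ip"], direction(ev))] += 1
    # Only external sources of inbound alerts are firewall-block candidates; an
    # internal host that fires (the C2 beacon) is an isolate-and-investigate case.
    block = sorted(ip for (ip, d) in per_src if d == "inbound")
    return {
        "alerts": len(alerts),
        "fired": [(e["src_ip"], e["alert"]["signature_id"], direction(e)) for e in fired],
        "block": block,
        "rules": [f"iptables -I INPUT -s {ip} -j DROP" for ip in block],
    }


if __name__ == "__main__":
    for key, value in triage(EVE_LINES).items():
        print(key, value)
```

Run against the constructed data it reduces 13 alert records to three fired events: the SSH source fires once per 60-second window instead of once per packet, the scanner is silenced by the suppress entry, and the beaconing internal host is reported but kept off the block list because dropping its traffic at INPUT would not address a compromised machine.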
IDS Best Practices
| Practice | Description |
|---|---|
| Tune rules | Reduce false positives; suppress or threshold noisy signatures for known sources rather than disabling them outright |
| Regular updates | Keep signatures current (suricata-update, rule reloads) |
| Log centralization | Forward alerts to a SIEM so they survive a compromised sensor and can be correlated |
| Response playbooks | Document incident response steps per alert class before the alert fires |
advanced | Auditing | Updated 2025-01-15
- ids
- intrusion detection
- ossec
- snort
- suricata
- hids
- nids