Homebrew Intrusion Detection Systems
Chris Kuethe
This article is not about how to install Snort, tcpdump,
NFR, or any other collection of bits that may reside in your $PATH.
Instead, it discusses how to make all your tools and toys play nicely together.
Other articles may have introduced you to the tools of the trade, Snort and
tcpdump being two of the most popular. You've learned
how to install them, but not much more than that. In brief, network intrusion
detection is the "grey science" of analyzing network traffic anomalies. This
implies that you have a relatively good baseline of normal traffic.
Generally, network intrusion detection systems are the collection of hardware,
software, and personnel used to capture, display, and analyze traffic. Picking
the best hardware and software is fairly simple. Network intrusion detection
is certainly not infallible; the packets you see are interesting, but it is
up to you to decide why they are interesting and whether this is cause for concern.
As such, there are only general guidelines, not recipes. Intrusion detection
can be a lot of fun, and even rudimentary intrusion detection capabilities can
make the cleanup and prevention of a compromise a simpler task.
Many sites now have some form of traffic control in place, ranging from tcp-wrappered
daemons to very restrictive packet filters and carefully written proxies. An
excellent way to begin the journey into the world of intrusion detection is
to tune your NIDS to watch for attempts to circumvent traffic policy and actual
policy violations. With the freely available tools and some practice, you will
be able to detect very subtle attacks.
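As an added illustration of the policy-violation approach described above (this is not code from the article), here is a small detector that reads tcpdump-style text lines and checks each new connection attempt against a site traffic policy. The policy, the network ranges and the sample capture are all constructed for the example.

```python
import re

# Assumed traffic policy (constructed for this example): the services internal
# hosts may reach outbound, and the services the packet filter publishes inbound.
INTERNAL_NET = "10.0.0."
ALLOWED_OUTBOUND_PORTS = {22, 53, 80, 443}   # ssh, dns, web only
PUBLISHED_INBOUND_PORTS = {22, 80}           # anything else inbound should have been filtered

# Matches the start of a tcpdump -n TCP line, e.g.
# 12:00:01.000001 IP 10.0.0.5.45123 > 203.0.113.10.23: Flags [S], seq 1, win 64240, length 0
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_syn(line):
    """Return (ts, src, dst, dport) for a bare SYN (new connection), else None."""
    m = TCPDUMP_RE.match(line)
    if not m or m.group("flags") != "S":   # ignore SYN/ACK, data, FIN, and non-TCP lines
        return None
    return m.group("ts"), m.group("src"), m.group("dst"), int(m.group("dport"))

def check_policy(line):
    """Classify one connection attempt against the policy; returns a verdict or None."""
    parsed = parse_syn(line)
    if parsed is None:
        return None
    ts, src, dst, dport = parsed
    if src.startswith(INTERNAL_NET) and not dst.startswith(INTERNAL_NET):
        if dport not in ALLOWED_OUTBOUND_PORTS:     # inside host using a forbidden service
            return f"{ts} outbound policy violation: {src} -> {dst}:{dport}"
    elif dst.startswith(INTERNAL_NET) and not src.startswith(INTERNAL_NET):
        if dport not in PUBLISHED_INBOUND_PORTS:    # got past the filter, or filter misconfigured
            return f"{ts} possible filter bypass: inbound {src} -> {dst}:{dport}"
    return None

def scan(lines):
    """Run every line through the policy check and keep only the verdicts."""
    return [v for v in (check_policy(line) for line in lines) if v]

# Constructed sample capture (TEST-NET addresses), not real traffic.
SAMPLE = [
    "12:00:01.000001 IP 10.0.0.5.45123 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:02.000002 IP 10.0.0.5.45124 > 203.0.113.10.23: Flags [S], seq 2, win 64240, length 0",
    "12:00:03.000003 IP 198.51.100.9.4000 > 10.0.0.7.3306: Flags [S], seq 3, win 1024, length 0",
    "12:00:04.000004 IP 198.51.100.9.4001 > 10.0.0.7.80: Flags [S.], seq 4, ack 1, win 1024, length 0",
]

if __name__ == "__main__":
    for verdict in scan(SAMPLE):
        print(verdict)
```

Feeding it live output is a matter of piping `tcpdump -n -l 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` into it; the baseline of normal traffic the article mentions is what lets you fill in the two port sets honestly.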
Hardware
Network intrusion detection requires processing a huge amount of data,
so your system will need to be tuned for excellent disk and network I/O performance.