In our last column, we talked about the dangers of distributed denial-of-service attacks and the need to install intrusion detection hardware. This week we'll start putting such a system together.
First, get your hands on a desktop system that isn't being used. You don't need fancy video or sound cards -- a bare-bones unit will do just fine. We used a Dell OptiPlex with a 300 MHz Pentium II CPU. But don't scrimp on the memory. 128 MB is the minimum, though 256 MB is better. Disk space isn't critical for what we'll be asking the system to do; as long as you have at least 4 GB, you'll be fine.
You'll need a good 10/100 network interface card to make this unit shine. Don't cut corners; a dime-store NIC can really bog the system down. We used D-Link's DFE-530TX. Install the NIC before you configure the OS -- that way, it will be autodetected.
We used Red Hat Linux 6.1 for the operating system. Follow the instructions for a basic installation. You don't need X Window support, but it comes in handy for remote configuration, so we recommend installing it.
Finish up by configuring the NIC. You don't want your intrusion detection system changing IP addresses, so assign a static IP address. Don't forget to configure TCP Wrappers, a utility that restricts access to the system's network services to a limited group of workstations. A hacked intrusion detection system won't be of much use to you.
Once you've followed the instructions above, reboot the system, put it on the network, and make sure all the software is functioning. If everything checks out, download a copy of the Snort packet sniffer and logger and install it. You'll need to have libpcap installed before you build Snort, because Snort depends on it to capture packets.
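The TCP Wrappers step above, as an added example that is not part of the column: a POSIX shell script that writes a default-deny hosts.deny and an explicit hosts.allow for the sensor's remote-administration daemons, then checks that the result has not reopened the box with a wildcard. It assumes sshd and in.telnetd are the wrapped services (the SERVICES list is an assumption you adjust to your box) and uses constructed management addresses in the usage comment.

```shell
#!/bin/sh
# Added example, not from the column. Generates a TCP Wrappers policy for
# the IDS sensor: deny everyone by default, admit only the management
# workstations to the remote-administration daemons.
# Assumption: these are the tcpd-wrapped daemons on the sensor.
SERVICES="sshd in.telnetd"

# write_wrappers_policy DIR HOST...
# Writes DIR/hosts.deny (default deny) and DIR/hosts.allow (explicit list).
# DIR is normally /etc; it is a parameter so the policy can be staged and
# inspected before being installed.
write_wrappers_policy() {
    dir=$1; shift
    [ $# -gt 0 ] || { echo "need at least one allowed host" >&2; return 1; }
    # hosts.allow is consulted first; anything not matched there falls
    # through to this rule and is refused.
    printf 'ALL: ALL\n' > "$dir/hosts.deny"
    # Comma-separated client list in the format tcpd expects.
    list=""
    for h in "$@"; do
        list="${list:+$list, }$h"
    done
    # One line per wrapped daemon, each limited to the same workstations.
    for svc in $SERVICES; do
        printf '%s: %s\n' "$svc" "$list"
    done > "$dir/hosts.allow"
}

# check_wrappers_policy DIR
# Returns 0 when DIR holds a default-deny policy whose allow list contains
# no ALL wildcard; 1 if default deny is missing, 2 if the allow list has
# a wildcard (which would silently expose the sensor to every host).
check_wrappers_policy() {
    dir=$1
    grep -q '^ALL:[[:space:]]*ALL' "$dir/hosts.deny" || return 1
    ! grep -Eq ':[[:space:]]*ALL([[:space:]]|$|,)' "$dir/hosts.allow" || return 2
    return 0
}

# Usage on the sensor (constructed management addresses):
#   write_wrappers_policy /etc 192.168.1.10 192.168.1.11
#   check_wrappers_policy /etc && echo "policy ok"
```

Daemons only honour these files when they are started through tcpd or built against libwrap, so confirm that for each service you list.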
If you've gotten this far, you're almost ready to rock. Follow the examples in the Snort documentation and get comfortable with the application. In our next installment, we'll begin writing some Snort rules that help you detect the bad guys before they can do you wrong.