Securing Debian Manual
Appendix C - Setting up a stand-alone IDS


You can easily set up a dedicated Debian system as a stand-alone Intrusion Detection System using snort.

Some guidelines:

ACID is currently packaged for Debian as acidlab. It provides a graphical WWW interface to snort's output. It can also be downloaded from http://www.cert.org/kb/acid/, http://acidlab.sourceforge.net or http://www.andrew.cmu.edu/~rdanyliw/snort/. You might also want to read the Snort Statistics HOWTO.

This system should be set up with at least two interfaces: one interface connected to a management LAN (for accessing the results and maintaining the system), and one interface with no IP address attached to the network segment being analyzed.

The standard Debian /etc/network/interfaces file normally used to configure network cards cannot be used for the sniffing interface, since the ifup and ifdown programs expect an IP address. Instead, simply bring the interface up without one, using ifconfig eth0 up.
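As an added example (not part of the manual), a small shell helper that brings up the addressless sniffing interface described above and audits that it stays up, promiscuous and without an IPv4 address; the interface name eth1, the sample ifconfig output and the snort command line are assumptions:

```shell
# Added example, not from the Securing Debian Manual. The sample ifconfig
# output below is constructed in the net-tools format of the period.

# Returns 0 when the given ifconfig output carries no IPv4 address.
# An addressless sensor interface cannot be addressed from the monitored segment.
has_no_ipv4() {
    ! printf '%s\n' "$1" | grep -q 'inet addr:'
}

# Returns 0 when the interface is both UP and in promiscuous mode,
# which snort needs in order to see traffic not destined to the sensor.
is_up_promisc() {
    printf '%s\n' "$1" | grep -q ' UP ' && printf '%s\n' "$1" | grep -q ' PROMISC '
}

# Bring the sniffing interface up with no address, as the manual describes
# (ifconfig eth0 up), and force promiscuous mode. Must run as root.
bring_up_monitor_iface() {
    ifconfig "$1" up promisc
    # iproute2 equivalent: ip link set dev "$1" up promisc on
}

# Audit a live interface: returns 0 if it is up, promiscuous and addressless.
check_monitor_iface() {
    out=$(ifconfig "$1" 2>/dev/null) || return 1
    has_no_ipv4 "$out" && is_up_promisc "$out"
}

# Constructed samples: a correctly configured sniffing interface and a
# management interface that (rightly) has an address.
SAMPLE_MONITOR='eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1'
SAMPLE_MGMT='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:02
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Usage on the sensor (as root; interface name and snort path are assumptions):
#   bring_up_monitor_iface eth1 && check_monitor_iface eth1 \
#     && snort -i eth1 -c /etc/snort/snort.conf -D
```

Running check_monitor_iface periodically from cron catches a sensor interface that was accidentally given an address or dropped out of promiscuous mode.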

Besides the base installation, acidlab also depends on the php4 and apache packages, among others. Download the following packages (note: the versions may vary depending on which Debian distribution you are using; this list is from Debian woody, September 2001):

     ACID-0.9.5b9.tar.gz
     adduser_3.39_all.deb
     apache-common_1.3.20-1_i386.deb
     apache_1.3.20-1_i386.deb
     debconf_0.9.77_all.deb
     dialog_0.9a-20010527-1_i386.deb
     fileutils_4.1-2_i386.deb
     klogd_1.4.1-2_i386.deb
     libbz2-1.0_1.0.1-10_i386.deb
     libc6_2.2.3-6_i386.deb
     libdb2_2.7.7-8_i386.deb
     libdbd-mysql-perl_1.2216-2_i386.deb
     libdbi-perl_1.18-1_i386.deb
     libexpat1_1.95.1-5_i386.deb
     libgdbmg1_1.7.3-27_i386.deb
     libmm11_1.1.3-4_i386.deb
     libmysqlclient10_3.23.39-3_i386.deb
     libncurses5_5.2.20010318-2_i386.deb
     libpcap0_0.6.2-1_i386.deb
     libpcre3_3.4-1_i386.deb
     libreadline4_4.2-3_i386.deb 
     libstdc++2.10-glibc2.2_2.95.4-0.010703_i386.deb
     logrotate_3.5.4-2_i386.deb
     mime-support_3.11-1_all.deb
     mysql-client_3.23.39-3_i386.deb
     mysql-common_3.23.39-3.1_all.deb
     mysql-server_3.23.39-3_i386.deb
     perl-base_5.6.1-5_i386.deb
     perl-modules_5.6.1-5_all.deb
     perl_5.6.1-5_i386.deb
     php4-mysql_4.0.6-4_i386.deb
     php4_4.0.6-1_i386.deb
     php4_4.0.6-4_i386.deb
     snort_1.7-9_i386.deb
     sysklogd_1.4.1-2_i386.deb
     zlib1g_1.1.3-15_i386.deb

Installed packages (dpkg -l):

     ii  adduser        3.39
     ii  ae             962-26
     ii  apache         1.3.20-1
     ii  apache-common  1.3.20-1
     ii  apt            0.3.19
     ii  base-config    0.33.2
     ii  base-files     2.2.0
     ii  base-passwd    3.1.10
     ii  bash           2.03-6
     ii  bsdutils       2.10f-5.1
     ii  console-data   1999.08.29-11.
     ii  console-tools  0.2.3-10.3
     ii  console-tools- 0.2.3-10.3
     ii  cron           3.0pl1-57.2
     ii  debconf        0.9.77
     ii  debianutils    1.13.3
     ii  dialog         0.9a-20010527-
     ii  diff           2.7-21
     ii  dpkg           1.6.15
     ii  e2fsprogs      1.18-3.0
     ii  elvis-tiny     1.4-11
     ii  fbset          2.1-6
     ii  fdflush        1.0.1-5
     ii  fdutils        5.3-3   
     ii  fileutils      4.1-2   
     ii  findutils      4.1-40
     ii  ftp            0.10-3.1
     ii  gettext-base   0.10.35-13
     ii  grep           2.4.2-1
     ii  gzip           1.2.4-33
     ii  hostname       2.07
     ii  isapnptools    1.21-2
     ii  joe            2.8-15.2  
     ii  klogd          1.4.1-2   
     ii  ldso           1.9.11-9   
     ii  libbz2-1.0     1.0.1-10
     ii  libc6          2.2.3-6
     ii  libdb2         2.7.7-8
     ii  libdbd-mysql-p 1.2216-2
     ii  libdbi-perl    1.18-1
     ii  libexpat1      1.95.1-5
     ii  libgdbmg1      1.7.3-27
     ii  libmm11        1.1.3-4
     ii  libmysqlclient 3.23.39-3
     ii  libncurses5    5.2.20010318-2
     ii  libnewt0       0.50-7  
     ii  libpam-modules 0.72-9
     ii  libpam-runtime 0.72-9  
     ii  libpam0g       0.72-9
     ii  libpcap0       0.6.2-1
     ii  libpcre3       3.4-1   
     ii  libpopt0       1.4-1.1
     ii  libreadline4   4.2-3 
     ii  libssl09       0.9.4-5   
     ii  libstdc++2.10  2.95.2-13 
     ii  libstdc++2.10- 2.95.4-0.01070
     ii  libwrap0       7.6-4   
     ii  lilo           21.4.3-2
     ii  locales        2.1.3-18
     ii  login          19990827-20
     ii  makedev        2.3.1-46.2
     ii  mawk           1.3.3-5
     ii  mbr            1.1.2-1 
     ii  mime-support   3.11-1 
     ii  modutils       2.3.11-13.1
     ii  mount          2.10f-5.1
     ii  mysql-client   3.23.39-3
     ii  mysql-common   3.23.39-3.1
     ii  mysql-server   3.23.39-3
     ii  ncurses-base   5.0-6.0potato1
     ii  ncurses-bin    5.0-6.0potato1
     ii  netbase        3.18-4  
     ii  passwd         19990827-20
     ii  pciutils       2.1.2-2
     ii  perl           5.6.1-5   
     ii  perl-base      5.6.1-5   
     ii  perl-modules   5.6.1-5
     ii  php4           4.0.6-4   
     ii  php4-mysql     4.0.6-4 
     ii  ppp            2.3.11-1.4
     ii  pppconfig      2.0.5
     ii  procps         2.0.6-5   
     ii  psmisc         19-2   
     ii  pump           0.7.3-2 
     ii  sed            3.02-5 
     ii  setserial      2.17-16
     ii  shellutils     2.0-7
     ii  slang1         1.3.9-1  
     ii  snort          1.7-9
     ii  ssh            1.2.3-9.3
     ii  sysklogd       1.4.1-2
     ii  syslinux       1.48-2
     ii  sysvinit       2.78-4  
     ii  tar            1.13.17-2  
     ii  tasksel        1.0-10 
     ii  tcpd           7.6-4     
     ii  telnet         0.16-4potato.1
     ii  textutils      2.0-2  
     ii  update         2.11-1    
     ii  util-linux     2.10f-5.1
     ii  zlib1g         1.1.3-15

Securing Debian Manual, version 2.6, 10 October 2002 (Wed, 18 Sep 2002 14:09:35 +0200)
Javier Fernández-Sanguino Peña jfs@computer.org