There are a number of good, albeit expensive, commercial intrusion detection products, but the open source world offers a number of high-quality applications for free. In fact, chances are the expensive commercial product you’re thinking of evaluating is based on one or more of them, such as Snort. Snort has long been a popular and reliable open-source IDS, and it gets better with age. Snort + BASE (Basic Analysis and Security Engine) is a potent and effective combination. As good as Snort is, however; you can go one better with psad, the port scan attack detector.
psad works in conjunction with iptables and Snort to provide a complete picture of all the nasties trying to sneak into your network. It performs Nmap-style analysis of packet headers, sends alerts and can automatically block suspicious IP addresses. When you combine psad with fwsnort and iptables logs you can dig into the application layer and do some content analysis. This means you can perform some advanced tasks, such as fingerprinting the remote operating systems from which scans originate, detect buffer overflow attacks, and spot suspicious commands.
A special strength of psad is its forensics abilities. To get the most out of an IDS you must capture and analyze mass quantities of data. psad harmonizes nicely with standard open-source graphing and plotting applications, like AfterGlow and Gnuplot, to give you vivid graphical depictions of attack activities. The best way to run psad is directly on an iptables firewall box, or wherever it has direct access to iptables logs.
psad has a special text status mode for live views of current activities; you can see a sample here. Although psad and Snort are fairly easy to learn, the book “Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort” by Michael Rash puts it all together in a well-written, coherent way.
This article was first published on ServerWatch.com.