LAk -> Intrusion Prevention System
Getting Started

This document explains the concept of an IPS and how it actually functions. It is a combination of a firewall, which operates at Layer 4, and an IDS, which can detect malicious content up to Layer 7. Hence there are two parts to getting an IPS started:
  1. Configuring and running IPTables
  2. Configuring and running snort_inline

This distribution contains the following files:

convert-IPS.sh
The convert-IPS.sh script converts the Snort rules database into a snort_inline rules database. The latest snortrules archive has to be downloaded into the LAk-IPS directory and extracted:
# tar -zxvf snortrules-stable.tar.gz
Next, copy convert-IPS.sh into the rules directory and execute the script (make sure it has execute permission):
# ./convert-IPS.sh
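As an added illustration (not the project's own convert-IPS.sh, whose exact transformation this page does not describe), the function below rewrites the action keyword of each Snort rule from alert to drop, which is what a snort_inline ruleset needs in order to block traffic instead of merely logging it. The sample rules, their sids and the --demo switch are constructed for this example.

```shell
#!/bin/sh
# Added example, not the LAk-IPS convert-IPS.sh script.
# ASSUMPTION: the page does not state what convert-IPS.sh changes; this follows
# the snort_inline convention that the rule action "alert" becomes "drop".

# Convert rules read from stdin. Comment lines, blank lines and rules with other
# actions (pass, log, ...) are passed through untouched; leading indentation and
# the whitespace after the keyword are preserved.
convert_rules() {
    sed -E 's/^([[:space:]]*)alert([[:space:]]+)/\1drop\2/'
}

# Count rules that start with a given action keyword ($1), reading the ruleset
# from stdin. grep -c still prints 0 when nothing matches, so ignore its status.
count_action() {
    grep -c -E "^[[:space:]]*$1[[:space:]]" || true
}

# Constructed sample ruleset (not taken from a real snortrules archive).
SAMPLE_RULES='# constructed sample ruleset
alert tcp $EXTERNAL_NET any -> $INTERNAL_NET 80 (msg:"WEB example"; content:"/cmd.exe"; sid:1000001; rev:1;)
  alert udp any any -> any 53 (msg:"DNS example"; sid:1000002; rev:1;)
pass tcp $INTERNAL_NET any -> any any (msg:"allowed outbound"; sid:1000003; rev:1;)
log icmp any any -> any any (msg:"icmp log only"; sid:1000004; rev:1;)
# alert inside a comment must stay untouched'

# Run with --demo to print the converted ruleset to the terminal.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_RULES" | convert_rules
fi
```

In practice the converted ruleset is written to a new file and referenced from snort_inline.conf; review rules before converting them, since any false positive in a drop rule blocks legitimate traffic.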

LAk-NAT.sh
LAk-NAT.sh is a sub-script called by the main LAk-startup.sh script. It configures IPTables in NAT mode. The script is interactive and hence needs no editing.

LAk-snort_inline.sh
LAk-snort_inline.sh is the snort_inline startup script. It is also a sub-script, called into action by LAk-startup.sh, but it can be run separately to start snort_inline. To run the file, use the command
# ./LAk-snort_inline.sh

LAk-startup.sh
This is the main startup script that one needs to run to get started with the IPS. It first resets the existing network configuration, then configures the interfaces according to the user's choice, and then calls LAk-NAT.sh to configure IPTables and LAk-snort_inline.sh to start snort_inline. The command to start the script is
# ./LAk-startup.sh

rc.firewall.IPS-NAT
The rc.firewall.IPS-NAT script is a configurable script that can be edited to configure IPTables. The paper "Open Source: IPS" uses this script to configure the firewalling. This is the long way home, but once it is clear, it stays clear. It is a rip-off of the rc.firewall script written by Rob McMillen of the Honeynet Project, modified to run an IPS.

snort_inline
This is a pre-compiled binary of snort_inline made available by the Honeynet Project. Snort Inline was used in that project for attacker jailing purposes (Data Control). The same binary has been included in this archive to make it simpler to run.

snort_inline.conf
This file is a must-have to run snort_inline. It contains all the configuration parameters required to run the inline IDS, including variables such as INTERNAL_NET and EXTERNAL_NET, with which one defines the scope of the IPS. It also contains the logging format used to fine-tune the IPS.

Last Updated: July 15, 2003 20:05