White Paper: Network IDS and IPS Deployment Strategies, Nicholas Pappas

BASE Installation
To start the web interface we need to make some changes to rc.conf and create an 
SSL cert. In your /etc/rc.conf file change:
#httpd_flags=NO # for normal use: "" (or "-DSSL" after reading ssl(8))
to
httpd_flags=-DSSL # for normal use: "" (or "-DSSL" after reading ssl(8))
Create a self-signed SSL certificate. For more information please read the following 
web page (http://www.openbsd.org/faq/faq10.html#HTTPS). While there are 
validation-related issues with self-signed certificates, this should get your system up 
and running. If you put this system into a production deployment, you should really 
consider obtaining certificates from a trusted Certifying Authority.
Until then, carry out the following steps to move forward.
Nicholas Pappas
@ 2021 SANS Institute
Author Retains Full Rights
© SANS Institute 2008, Author retains full rights.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Network IDS & IPS Deployment Strategies
Create your server key:
openssl genrsa -out /etc/ssl/private/server.key 1024
Next create a signing request:
openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
You will be prompted to answer some questions on this step. Now generate a 
self-signed certificate:
openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \
-signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
If you would like to reboot again, you can then test the SSL functionality by 
opening the following URL in a browser on the trusted network.
https://
The result should show Apache's garden variety "It Worked" page. Now remove test 
web content from your filesystem (you don't need it).
rm -r /var/www/htdocs/*
Install the required packages from OpenBSD's ports. NOTE: Some of these may have 
been installed by steps noted above. Even if they have been installed, it doesn't hurt 
to (re)build each of these packages as shown below.
cd /usr/ports/databases/p5-DBI
make install
cd /usr/ports/databases/p5-DBD-mysql
make install
cd /usr/ports/print/freetype
make install
cd /usr/ports/devel/gettext
make install
cd /usr/ports/converters/libiconv
make install
cd /usr/ports/converters/recode
make install
cd /usr/ports/graphics/tiff
make install
cd /usr/ports/www/php4
make install
NOTE: Installing php4 from ports takes a while.
cd /usr/ports/graphics/gd
make install
cd /usr/ports/graphics/png
make install
cd /usr/ports/graphics/jpeg
make install
cd /usr/ports/packages/i386/all
pkg_add php4-pear-4.4.1p2.tgz
Activate PHP
/usr/local/sbin/phpxs -s
cp /usr/local/share/examples/php4/php.ini-dist /var/www/conf/php.ini
Open /var/www/conf/httpd.conf with your favorite editor and uncomment the line
#AddType application/x-httpd-php .php
so that it looks like this:
AddType application/x-httpd-php .php
Add more packages.
cd /usr/ports/packages/i386/all
pkg_add -v php4-gd-4.4.1p5.tgz
/usr/local/sbin/phpxs -a gd
pkg_add -v php4-mysql-4.4.1p1.tgz
/usr/local/sbin/phpxs -a mysql
cd /var/www/htdocs
wget http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.3.9.tar.gz
tar -xvzf base-1.3.9.tar.gz
rm base-1.3.9.tar.gz
ln -s base-1.3.9 base
cd base
cp base_conf.php.dist base_conf.php
chmod 640 /var/www/htdocs/base/*.php
chown www /var/www/htdocs/base/*.php
Set the following variables in the file at /var/www/htdocs/base/base_conf.php. 
These variables are in different locations of this file. They are gathered here for 
brevity.
$BASE_urlpath = '/base';
$DBlib_path = '/htdocs/adodb';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'secret-password';
Save and exit. Next we activate what we need in PEAR.
pear upgrade --force http://pear.php.net/get/Archive_Tar-1.3.2.tgz \
    http://pear.php.net/get/XML_Parser http://pear.php.net/get/Console_Getopt
pear upgrade --force http://pear.php.net/get/PEAR-1.4.3.tar
pear upgrade PEAR
pear install Structures_Graph
pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
pear install --alldeps channel://pear.php.net/Numbers_Words-0.15.0
pear install --alldeps channel://pear.php.net/Image_Graph-0.7.2
cp -r /var/www/pear/Image /var/www/pear/lib/Image/
Install ADODB
cd /var/www/htdocs/
wget http://superb-east.dl.sourceforge.net/sourceforge/adodb/adodb495a.tgz
tar -xvzf adodb495a.tgz
rm adodb495a.tgz
Install JPGraph
cd /var/www/htdocs/
wget http://hem.bredband.net/jpgraph/jpgraph-1.22.tar.gz
tar -xvzf jpgraph-1.22.tar.gz
rm jpgraph-1.22.tar.gz
mkdir /var/www/tmp
chown -R www /var/www/tmp
Now is a good time to restart httpd
/usr/sbin/apachectl stop
/usr/sbin/apachectl startssl
Now create the ACID database so that barnyard starts up successfully. From the 
trusted network, you need to open the link shown below. Open a browser and go to 
https:///base/base_db_setup.php
Then click the button labeled "Create BASE AG" in the "Status" column. Now create a 
user by going to the web interface and clicking on "Administration" and then click 
"Create a user". After filling in the dialog boxes, choose the appropriate role and 
click "Submit Query". Now make one last modification to the file at 
/var/www/htdocs/base/base_conf.php and change the following from:
$Use_Auth_System = 0;
to
$Use_Auth_System = 1;
This simple step enables some very basic authentication and provides yet another 
layer for the bad guys to go through if they want to help monitor your traffic.
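
One way to check the finished configuration, as an added example that is not part of the original paper: a shell function that audits base_conf.php for the settings this section relies on ($Use_Auth_System, $alert_password and the 640 file mode). The helper names php_var, audit_base_conf and make_sample_conf are hypothetical, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the paper): audit base_conf.php after the steps above.

php_var() {
    # Print the last value assigned to PHP variable $2 in file $1, quotes stripped.
    sed -n 's/^[[:space:]]*\$'"$2"'[[:space:]]*=[[:space:]]*\([^;]*\);.*$/\1/p' "$1" |
        tail -n 1 | tr -d "\"' "
}

audit_base_conf() {
    # Print one finding per line; return 0 when clean, 1 otherwise.
    conf=$1
    findings=0
    if [ "$(php_var "$conf" Use_Auth_System)" != "1" ]; then
        echo "FINDING: \$Use_Auth_System is not 1 (BASE authentication is off)"
        findings=$((findings + 1))
    fi
    pw=$(php_var "$conf" alert_password)
    if [ -z "$pw" ] || [ "$pw" = "secret-password" ]; then
        echo "FINDING: \$alert_password is empty or still the guide's placeholder"
        findings=$((findings + 1))
    fi
    # The guide sets mode 640, so the "other" permission bits must all be off.
    if [ "$(ls -ld "$conf" | cut -c8-10)" != "---" ]; then
        echo "FINDING: $conf is accessible to 'other' users (expected mode 640)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

make_sample_conf() {
    # Constructed sample mirroring the values shown in this section.
    cat > "$1" <<'EOF'
<?php
$alert_user = 'snort';
$alert_password = 'secret-password';
$Use_Auth_System = 0;
EOF
    chmod 644 "$1"
}

# Demo on the constructed sample; pass a real path as $1 to audit it instead.
if [ -n "${1:-}" ]; then
    audit_base_conf "$1"
else
    demo=$(mktemp) && make_sample_conf "$demo"
    audit_base_conf "$demo" || true
    rm -f "$demo"
fi
```

Run it with /var/www/htdocs/base/base_conf.php as the argument once the last step is done; a clean file prints nothing and exits 0.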
