This file contains the configuration information for the Network Intrusion Detection System (nids). The software is a prototype for an intrusion detection system (ids) that combines a network based and a host based ids; it is not a full fledged intrusion detection system.

Requirements :

1. The system is designed and tested to work with Red Hat Linux 6.2 with kernel 2.2.14-26. The configurator tool provided with the software requires the 'dialog' utility for its operation. All the nodes on the network segment must have tcpd (tcp wrapper) installed on them.
2. The system requires a LAN with at least two nodes connected to the same hub.
3. The ids requires superuser access.

nids has three parts -

1. Host based system
2. Network based system
3. Configuration utility

To install the system unzip and untar the nids.tar file, which creates the nids directory in the current directory. To compile the system execute the 'compileall' script. The script copies the following files into the nids directory -

A - related to the host based system -

1. file.o - a file protection kernel module. Once inserted into the kernel it adds an extra layer of file security to the linux kernel.
2. process.o - the process protection kernel module.
3. hide.o - this module is actually part of the file security; it hides the desired files.
4. test - a program to test the process.o module.

B - these files are part of the network based subsystem -

1. nids - the heart of the system, the main server. It is to be executed from only one of the nodes of the network segment.
2. client - this program connects itself to the nids server.
3. rules - a sample server configuration file for test purposes.
4. ipaddr.conf - this file contains the ip addresses of all the nodes on the network segment to be protected.
5. pseudoserver - a test purpose server to be executed from any of the protected nodes.
6. pseudoclient - a test purpose client which simulates an attack on the pseudoserver once executed. It can be executed from any computer connected to the same network.

C - the configurator -

configids - the configuration tool designed to help the administrator configure the nids system.

Configuring the system ------->

A The host based system -

Copy the kernel modules to all the nodes to be protected. Also copy the configurator. Execute configids. It presents a menu to configure the three kernel modules.

1. File protection demo. First select the file protection configuration menu. It displays a file system explorer. Go to the nids/host/file directory using this explorer. This directory contains eight test files, test0 to test7. Select the file test0 and press F1; do not give any of the read, append or truncate permissions to this file: simply press the enter key without selecting any check box. The read permission corresponds to hex 4, similarly append to 2 and truncate to 1. The number suffixed to test, e.g. 0 in test0, gives the ORed permission bits, so the permissions of all eight files can be assigned according to their suffix. The file mode dialog box that follows the file permission dialog box configures the default linux permissions; it can be left unaltered. After this configuration insert the module file.o into the kernel using the command 'insmod file.o'. Now, as the test0 file has permission 0, we cannot read or write the file, and we cannot change the access mode of the file. Similarly, if test4 is given read only permission, its contents cannot be altered. After testing remove the module using the command 'rmmod file'.

2. Process protection demo - The folder nids contains the 'test' program to demonstrate the process protection. First remove all the permissions of this process using the configurator: select the test file through the explorer, press F1 and leave all the checkboxes unchecked. Then insert the module process.o into memory and execute test. It will display error messages. Now remove the module from memory using the command 'rmmod process' and try to execute the process once again. This time the process will be executed properly. As a precaution comment out the reboot function in the file nids/host/process/testprocess.c.

3. File Hiding : There are a few bugs in this module, but it can still serve the demo purpose. Run the configids tool and select the files to hide. Insert the module hide.o using 'insmod hide.o'. After this the ls command cannot list the protected files, although the files can still be accessed. Remove the module using 'rmmod hide'.

B Network based sub-system configuration -

In the default configuration nids is executed using the command 'nids -f rules'. rules is the default rules file. New rules can be added to the file using the configurator; for the demo this file serves the purpose. In the default configuration the ip address of the nids server is set to 192.168.1.8. At this moment this address is hardcoded. To modify this address, change the following line of the file nids/networt/server.h:

#define SERVER_IP "192.168.1.8"

After this modification the sub-system must be recompiled. This header also contains the port number of the server. The file ipaddr.conf lists the ip addresses of the nodes to be protected. The client program must be invoked from all the nodes mentioned in the ipaddr.conf file, and all of these nodes must be connected to a single hub. For the demo execute the pseudoserver from any of the nodes mentioned in ipaddr.conf, then execute pseudoclient from any node on the same lan. The pseudoclient sends the attack signatures configured in the rules file to the pseudoserver. The nids server intercepts this simulated attack and sends a message to the nids client installed on the same node as the pseudoserver. The nids client then logs appropriate messages in the secure log and also configures tcpd by writing to /etc/hosts.deny. The secure logs on the nids server are also updated.
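As an added illustration of the client's last step above (this is not code from the nids package), a small C helper that builds a tcpd hosts.deny entry for the offending address and appends it only if an identical line is not already present; the helper names, the daemon field and the demo file path are assumptions.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Build one hosts.deny line, "daemon: address", for the offending host.
   A hypothetical helper: an invalid IPv4 address is rejected so that
   arbitrary text never reaches the tcpd access file. Returns 0 or -1. */
int format_deny_rule(const char *daemon, const char *ip, char *out, size_t n) {
    struct in_addr a;
    if (ip == NULL || inet_pton(AF_INET, ip, &a) != 1) return -1;
    if (daemon == NULL || daemon[0] == '\0') daemon = "ALL";
    int w = snprintf(out, n, "%s: %s\n", daemon, ip);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

/* Append the rule to path unless the same line already exists, so repeated
   alerts for one host do not grow the file. Returns 1 if appended,
   0 if already present, -1 on error. */
int append_deny_rule(const char *path, const char *daemon, const char *ip) {
    char rule[128], line[256];
    if (format_deny_rule(daemon, ip, rule, sizeof rule) != 0) return -1;
    FILE *f = fopen(path, "a+");
    if (f == NULL) return -1;
    rewind(f);
    while (fgets(line, sizeof line, f) != NULL) {
        if (strcmp(line, rule) == 0) { fclose(f); return 0; }
    }
    fseek(f, 0, SEEK_END);                 /* switch from reading to appending */
    int rc = (fputs(rule, f) >= 0) ? 1 : -1;
    fclose(f);
    return rc;
}

int main(void) {
    /* Constructed path so the demo never touches the real /etc/hosts.deny. */
    const char *path = "/tmp/nids_hosts_deny_demo";
    printf("first add : %d\n", append_deny_rule(path, "ALL", "192.168.1.5"));
    printf("second add: %d\n", append_deny_rule(path, "ALL", "192.168.1.5"));
    remove(path);
    return 0;
}
```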