Using free network intrusion detection and prevention tools to stop hacks

Vernon Habersetzer, Contributing Writer

By now, you've probably been hit up by every security vendor about their latest network intrusion detection and prevention tools or products, claiming they can do everything from stopping

    Requires Free Membership to View

viruses to reconfiguring your firewalls. Unfortunately, most of the commercial systems will set you back a small fortune. What's a budget-minded security manager to do when some sort of alerting system is needed, especially when the next fiscal year is many months away? There are several free network intrusion detection tools out there to get you on your way to being well-informed when hackers knock at your door.

First, be sure to have a tool in place to analyze network traffic, most importantly near the edge of the network. Snort is, by far, the leading free IDS software available, although commercial versions of Snort are now available as well. Snort can be configured to monitor all network traffic. Typically, you'll want to replicate your Internet inbound traffic to one or more switch-ports (in Cisco terms, you'll span traffic to a port), where a Snort-equipped computer will be running. Your only cost is the computer itself, which can run on Linux or Windows. Often, a spare PC with a decent-sized hard drive will do fine. Snort can dump suspicious looking traffic to log files, after which you can set up any of several free alerting tools to monitor the log files, and email or page you when such traffic is detected.

Second, you must have a way to analyze system security logs. Working your way in from the border of your network, make sure your border router is configured to send syslog messages to a server you can access from inside your network. Some firewalls can send syslog messages as well, which you can direct to the same internal server. Also, make sure servers in your demilitarized zone (DMZ) are either accessible from the inside, or configure their event logs to point to an internal server. Making these configuration changes to routers, firewalls and servers is not as difficult as it seems, and usually takes just a few commands or mouse clicks.

Once all log files are accessible, it's time to install a free alerting tool or write your own. If you're interested in writing your own alerting tool, Batch, Perl or other free scripting tools can be used to execute parsing commands, such as the Windows "find" command or the Unix "grep" command. This can help to find suspicious-looking activity in log files from both Snort and your server, router and firewall security logs. A free email program, such as Blat, can then be used to send log entries to a pager, cell phone or email address.

This is definitely a crash course in developing a budget alerting system, but you'll be surprised at how well such a system can provide alerts to potentially malicious events, like port scans and failed login attempts, at an extremely low cost.

About the author
Vernon Haberstetzer, president of security seminar and consulting company i.e.security, has seven years of in-the-trenches security experience in healthcare and retail environments.



  Introduction: Hacker attack tactics
  How to stop hacker theft
  Hacker system fingerprinting, probing
  Using network intrusion detection tools
  Avoid physical security threats
  Authentication system security weaknesses
  Improve your access request process
  Social engineering hacker attack tactics
  Secure remote access points
  Securing your Web sever
  Wireless security basics
  How to tell if you've been hacked


This was first published in January 2005

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.