========================================================================
 Firestorm v0.5.x - A Network Intrusion Detection System
 Copyright (c) 2002 Gianni Tedesco
 This software is released under the GNU GPL version 2 (see: COPYING)
========================================================================

0x0. Contents
-------------

  0x0. Contents
  0x1. Introduction
  0x2. Compiling From Source Code
  0x3. Configuring the Firestorm Sensor
  0x4. Configuring for Your Network
  0x5. Starting Firestorm
  0x6. Viewing Firestorm's Logs
  0x7. Advanced Configuration
  0x8. Known Bugs
  0x9. Reporting Bugs
  0xa. Package Locations
  0xb. Feature List
  0xc. Supported Protocols

0x1. Introduction
-----------------

Firestorm is an extremely high performance network intrusion detection
system (NIDS). At the moment it is just a sensor, but plans are to include
real support for analysis, reporting, remote console and on-the-fly sensor
configuration. It is fully pluggable and hence extremely flexible. At the
moment Firestorm is still in early development, but a lot of the features
you would expect of a sensor are already there.

0x2. Compiling From Source Code
-------------------------------

If you have installed from a binary package (such as RPM) you can skip
straight to section 0x3. I will assume that you already have the source
code unpacked in a directory somewhere and that you are in that directory.
You don't need to be root to compile Firestorm, but you will need root
access if you want to install it.

The first step is to compile Firestorm and all of its plugins by issuing
the following command at the prompt:

  $ ./configure --sysconfdir=/etc && make

Other options you may wish to pass to configure include:

  --enable-gnome
  --with-libpcap-includes=DIR
  --with-libpcap-libraries=DIR

After this step completes successfully you will need to su to root to
install it. The following command should do just that:

  $ su -c "make install"

Now all Firestorm needs is a user on your system to run as (Firestorm
never runs as root).
Type the following commands when logged in as root:

  # groupadd fstorm
  # useradd -M -s /bin/false -d /var/lib/firestorm -g fstorm fstorm
  # chown -R fstorm.fstorm /var/lib/firestorm

There will now be a user and a group on your system named 'fstorm'.

If you want to uninstall Firestorm at some later date that is easy to do.
Type the following commands from your source dir:

  # make uninstall
  # userdel fstorm
  # groupdel fstorm

0x3. Configuring the Firestorm Sensor
-------------------------------------

For this step you will need to be logged in as root. You can issue the
following command at the terminal to become root:

  $ su -

Your shell prompt should change from a $ to a # - this means you now have
the almighty power of root.

Open the Firestorm configuration file in your favourite editor:

  # vi /etc/firestorm.conf

The default config file should be pretty well commented. Probably the
first thing you will want to change is where Firestorm captures packets
from. The default line should look something like:

  capture pcap if='any'

This instructs Firestorm to capture packets from all configured network
interfaces using the libpcap library. Most installations will want to use
a specific interface. To capture from a specific interface (eg: eth0)
using promiscuous mode, change the line to:

  capture pcap if='eth0' promisc=true

0x4. Configuring for Your Network
---------------------------------

Firestorm needs to know a few small details about your network in order
to detect attackers more efficiently. Open the file
/var/lib/firestorm/firestorm.rules in your favourite text editor. You
will see a snort rule file which defines a number of variables. The main
variables that you really need to set are HOME_NET and EXTERNAL_NET.
HOME_NET should be set to the address (in CIDR notation) of your network.
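As an added illustration (not part of Firestorm or its documentation), the following Python script resolves HOME_NET and EXTERNAL_NET the way this section describes them: HOME_NET in either CIDR or address/mask notation, EXTERNAL_NET defaulting to !$HOME_NET, and most signatures caring about the EXTERNAL_NET -> HOME_NET direction. The rules text and addresses are constructed, and the var-line parsing is a simplified reading of snort's syntax that handles one network per variable.

```python
"""Added example, not part of Firestorm: resolve the HOME_NET / EXTERNAL_NET
variables from a firestorm.rules file and classify a flow's direction.
Assumes one network per variable (snort's [a,b] list syntax is not handled)."""
import ipaddress
import re

# Constructed sample of the variable block at the top of firestorm.rules.
SAMPLE_RULES = """\
var HOME_NET 192.168.0.0/255.255.255.0
var EXTERNAL_NET !$HOME_NET
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$")


def parse_vars(text):
    """Collect 'var NAME VALUE' lines; EXTERNAL_NET defaults to !$HOME_NET."""
    vars_ = {}
    for line in text.splitlines():
        m = VAR_RE.match(line)
        if m:
            vars_[m.group(1)] = m.group(2)
    vars_.setdefault("EXTERNAL_NET", "!$HOME_NET")
    return vars_


def resolve(value, vars_):
    """Return (network, negated) for a value such as '!$HOME_NET'.
    ipaddress.ip_network accepts both 10.0.0.0/8 and the
    192.168.0.0/255.255.255.0 address/mask form directly."""
    negated = value.startswith("!")
    value = value.lstrip("!")
    if value.startswith("$"):
        net, inner = resolve(vars_[value[1:]], vars_)
        return net, negated ^ inner
    return ipaddress.ip_network(value, strict=True), negated


def matches(addr, value, vars_):
    """True if addr satisfies the (possibly negated) variable value."""
    net, negated = resolve(value, vars_)
    return (ipaddress.ip_address(addr) in net) != negated


def direction(src, dst, vars_):
    """Most shipped signatures fire on EXTERNAL_NET -> HOME_NET ('inbound')."""
    if matches(src, "$EXTERNAL_NET", vars_) and matches(dst, "$HOME_NET", vars_):
        return "inbound"
    if matches(src, "$HOME_NET", vars_) and matches(dst, "$EXTERNAL_NET", vars_):
        return "outbound"
    return "other"
```

Running direction() over a few source/destination pairs shows which flows the default EXTERNAL_NET -> HOME_NET signatures would even consider, which is useful when deciding whether to leave EXTERNAL_NET at its default.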
For example, if all your computers' IP addresses are in the range
10.0.0.1 to 10.255.255.254 you would need to modify the HOME_NET line to
look something like this:

  var HOME_NET 10.0.0.0/8

The external net defaults to being !$HOME_NET, meaning anything that
isn't in HOME_NET is external to us. Most of the signatures that ship with
Firestorm will only alert on attacks coming from EXTERNAL_NET going to
HOME_NET. The default choice is often best here. Custom snort rules can
also be added to the end of this file.

NOTE: You don't actually have to use CIDR notation; if you prefer you can
use address/mask notation. For example, if your network address is
192.168.0.0 and your netmask is 255.255.255.0 you can do:

  var HOME_NET 192.168.0.0/255.255.255.0

0x5. Starting Firestorm
-----------------------

To begin monitoring your network simply type the following command at the
terminal while logged in as root:

  # firestorm-nids

Firestorm should now be up and running successfully. You can view
Firestorm's status log using the following command:

  # less /var/lib/firestorm/firestorm.log

You can shut down Firestorm cleanly by sending SIGTERM, thus:

  # killall firestorm-nids

Now that you have Firestorm up and running please report success to the
Firestorm mailing list. If at this point something doesn't work, see
section 0x9 - Reporting Bugs.

0x6. Viewing Firestorm's Logs
-----------------------------

By default Firestorm will log alerts in to:

  /var/lib/firestorm/log/alert.elog

When the file gets too old (60 mins) or too big (1024KB) Firestorm will
rotate it to a unique filename beginning with '@'. In order to view these
logfiles you will need to use the 'firecat' tool. Here is a usage example
(you can also type firecat --help):

  # firecat -f ascii -o nohex alert.elog

This will print the contents of alert.elog to screen using the 'ascii'
output plugin.
There are more output plugins to choose from; help for using them can be
obtained by running:

  # firecat -h

Note that alert.elog is not always up to date; you can force a log
rotation by sending the HUP signal to the firestorm-nids process:

  # killall -HUP firestorm-nids

0x7. Advanced Configuration
---------------------------

For Linux systems with CONFIG_MMAP_PACKET_SOCKET in the kernel you can
replace 'pcap' with 'linux' in your /etc/firestorm.conf capture line and
add a new parameter 'blocks'. This will allow Firestorm to run much more
efficiently. The line should look something like:

  capture linux if='any' blocks=1024

Where blocks is a suitably large number depending on how much RAM you want
to use up on your machine. Check the messages file to see what the blocks
value translates to in kilobytes of RAM (it depends on the MTU of the
interface selected).

0x8. Known Bugs
---------------

There is currently no way of keeping the size of the log directory down.
This will change over the next few versions with the onset of remote
logging functionality.

There is no MTU detection unless using the linux capture device. For pcap
one must specify the mtu=XXX option.

0x9. Reporting Bugs
-------------------

You should send a description of your problem to the mailing list. If you
can provide a configuration and a tcpdump file which can reproduce the
problem, then chances are your problem can be fixed very quickly. You
should also think about including all the relevant configs, such as:

  /etc/firestorm.conf
  /var/lib/firestorm/firestorm.log
  /var/lib/firestorm/firestorm.rules

You should also include information such as which version of Firestorm
you are using and on what operating system and version. For compile time
errors you may want to report the compiler and version. In general, supply
any information you think we might need to reproduce the problem.

0xa. Package Locations
----------------------

Source code:
  http://www.scaramanga.co.uk/firestorm/vX.Y.Z/firestorm-X.Y.Z.tar.gz

SRPM package:
  http://www.scaramanga.co.uk/firestorm/vX.Y.Z/firestorm-X.Y.Z-1.src.rpm

RPM package (i386/Linux):
  http://www.scaramanga.co.uk/firestorm/vX.Y.Z/firestorm-X.Y.Z-1.i386.rpm

APT repository:
  deb http://www.scaramanga.co.uk/ scaramanga main
  deb-src http://www.scaramanga.co.uk/ scaramanga main

0xb. Feature List
-----------------

  Protocol anomaly detection
  Full application layer decodes
  Fully pluggable
  Capture from network via libpcap
  High performance OS specific capture module for Linux
  Capture from libpcap files (normal AND redhat extended)
  Packet decode engine fully supports encapsulation
  Decode plugins included for many protocols (see below)
  Comprehensive snort rule support
  Wu-Manber setwise string matching
  Easy to configure; just one config file
  Can run chroot and with lowered privs (when started as root)
  Can run as a realtime process (when started as root)
  Preprocessors to allow supplementary modes of detection (eg: anomaly)
  Full IP defragmentation (passes fragroute evasion tests)
  TCP stateful inspection with window tracking
  HTTP URL normalization
  Intelligent TCP stream reassembly
  EXTREMELY fast and scalable signature engine
  Configurable token-bucket rate-limiting of all alerts
  GNOME2 based analyst console user interface
  Enhanced logging format for ease of analysis
  ELOG indexing for lightning fast sorting and filtering of alerts

0xc. Supported Protocols
------------------------

  TCP/IP Suite (IPv4, TCP, UDP, ICMP, IGMP)
  802.1q (VLAN)
  Can differentiate Ethernet II, 802.3 and Novell IPX frames
  Can decode LLC and SNAP in 802.3
  IPX, SAP
  Linux cooked sockets (SLL) in two different formats
  GRE (Generic Routing Encapsulation)
  IrDA (infra-red)
  ARP / AppleTalk ARP