Product SiteDocumentation Site

B.3. Configurando um IDS stand-alone

You can easily set up a dedicated Debian system as a stand-alone Intrusion Detection System using snort and a web-based interface to analyse the intrusion detection alerts:
  • Instale um sistema Debian base e não selecione nenhum pacote adicional.
  • Install one of the Snort versions with database support and configure the IDS to log alerts into the database.
  • Download and install BASE (Basic Analysis and Security Engine), or ACID (Analysis Console for Intrusion Databases). Configure it to use the same database than Snort.
  • Download and install the necessary packages[74].
BASE is currently packaged for Debian in acidbase and ACID is packaged as acidlab[75]. Both provide a graphical WWW interface to Snort's output.
Besides the base installation you will also need a web server (such as apache), a PHP interpreter and a relational database (such postgresql or mysql) where Snort will store its alerts.
Este sistema deve ser configurado com pelo menos duas interfaces de rede; uma interface conectada ao gerenciamento da LAN (para acessar os resultados e suporte do sistema), e outra interface sem nenhum endereço IP anexada ao segmento de rede a ser analisado.
You should configure both interfaces in the standard Debian /etc/network/interfaces configuration file. One (the management LAN) address can be configured as you would normally do. The other interface needs to be configured so that it is started up when the system boots, but with no interface address. You can use the following interface definition:
auto eth0
iface eth0 inet manual
      up ifconfig $IFACE up
      up ip link set $IFACE promisc on
      down ip link set $IFACE promisc off
      down ifconfig $IFACE down
The above configures an interface to read all the traffic on the network in a stealth-type configuration. This prevents the NIDS system to be a direct target in a hostile network since the sensors have no IP address on the network. Notice, however, that there have been known bugs over time in sensors part of NIDS (for example see related to Snort) and remote buffer overflows might even be triggered by network packet processing.
You might also want to read the and the documentation available at the

[74] Typically the needed packages will be installed through the dependencies