So, you have decided to setup some Intrusion Detection System(IDS) on your FreeBSD system. Well, I think that is an excellent idea, especially in todays scriptkiddies world. But which system to choose there must be at least a zillion differnet IDS' out there, and then can each provide you with another zillion functionalities...
I have looked at a lot of them, and come to the conclusion that all the features in the world is NOT
going to make your IDS more prepared when the shit hits the fan. And trust me... one day it will...
I have chosen to use snort as IDS scanner. Basically the way it works, is that it has a lot of rules (like a firewall), and it is matching those rules against the traffic it is sniffing off your network interface. Snort comes with a bunch of predefined rules, with a lot of various patterns. If this is not enough for you, you can also right your own rules, which is what makes snort so cool.
Snort can log it's information to your basic /var/log/whatever, but it also comes with builtin support for logging to postgreSQL and mySQL database systems. Which is kinda neat, because often it is not a good idea to log locally on the machine, because if the machine has been compromised there is nothing stopping the intruder from modifying the log data. That is why you should always log IDS data on a another host.
I have decided to use postgreSQL as logging device for snort. And as for showing the data, and action handler I have chosen to use ACID. I like ACID because of it's simplicity, although it is nothing but simple when you get under the hood.
Let us assume you are going to log your IDS data on another host on your network. So for this to work we will assume that you have to running FreeBSD boxes.
The logging machine, let's call it: dblog.myhost.com
We will also assume that you are running snort on your firewall. Let's call that: fw.myhost.com
On dblog go to the ports collection and install postgreSQL:
luser@dblog /~# su - (type in password) su~@dblog /# cd /usr/ports/databases/postgresql7 su~@dblog /postgresql7# make all install clean
At this point you will be asked to choose which options you want enabled in postgreSQL. Unless you have a specific purpose for your database system, just de-select all and click 'OK'