2005-07-11
IPAudit is a handy tool that allows you to analyze all packets entering and leaving your network. It listens to a network device in promiscuous mode, just as an IDS sensor would, and provides details on hosts, ports, and protocols. It can be used to monitor bandwidth, track connection pairs, detect compromises, discover botnets, and see who's scanning your network. Compared to similar tools, such as Cisco Systems' NetFlow, it has many advantages (see the SecurityFocus articles on NetFlow, part 1 and part 2). It is easier to set up than NetFlow, and if you install it on your existing IDS sensors there is no extra hardware to purchase. Since it captures traffic from a SPAN port, it does not require that you modify the configuration of your networking equipment or poke holes in firewalls for NetFlow data.
Packet analysis tools like IPAudit help fill the gaps left by an IDS or an IPS. How? An IDS looks for certain signatures or behavior and can alert and log. An IPS looks for the same anomalies but can also prevent the attack. Both of these technologies can greatly increase the security of your network -- however, what happens if they miss an attack? How would you know? Even if the IDS sensor matches a packet, a machine can still become compromised. When this happens, how do you tell what happened on the network after the compromise? IPAudit can help fill these gaps, in addition to providing useful information about your network beyond specific security events. It is most often used by universities, where its primary role is to identify who is using the most bandwidth. The author of this article finds it useful for all organizations; in fact, many corporate customers will also recognize the benefits and incorporate it into their security tool arsenal.

Installation and configuration
IPAudit is a perl-based application written by John Rifkin at the University of Connecticut. It can be downloaded from Sourceforge and is licensed under the GNU GPL. IPAudit is a command line tool that uses the libpcap library to listen to traffic and generate data. The IPAudit-Web package includes the IPAudit binary in addition to the web interface that creates reports based on the collected data. Using the Web package is recommended, as it gives you a slick graphical interface complete with traffic charts and a search feature.

You will need to have a Linux or Unix system set up with the libpcap library installed. The latest version can be downloaded from tcpdump.org. In addition to libpcap, you will need Perl, Apache, GNUplot, and a Perl module called "Time::ParseDate". Refer to your Linux distribution's documentation for more information on how to install these packages (here's a tip: in Debian Linux, execute the command 'apt-get install libtime-modules-perl' to install Time::ParseDate). Once you have installed these packages you are ready to begin installing IPAudit:
Step 1 - Become root on your system and create a user called "ipaudit". It will need a valid shell and home directory (typically /home/ipaudit, which will be used in this article for simplicity). Now switch to the newly created "ipaudit" user.
Step 2 - Download and unpack the ipaudit-web tarball:
Step 3 - Change to the compile directory:
Step 4 - Execute the configure script and run make:
$ make
Step 5 - Become root and execute the make install commands:
Password:
# make install
# make install-cron
# exit (Leave root and become ipaudit user again)
$
Step 6 - Now you will need to edit /home/ipaudit/ipaudit-web.conf
LOCALRANGE=127.0.0
INTERFACE=eth1
Change the LOCALRANGE variable to your local subnet on the inside of your network. Also be certain to set the INTERFACE variable to the interface that you have set up to capture the desired traffic on your network.
Step 7 - Add the following lines to your Apache httpd.conf file if they do not already exist:
<Directory /home/*/public_html>
AllowOverride All
Options MultiViews Indexes Includes FollowSymLinks
Order allow,deny
Allow from all
</Directory>
<Directory /home/*/public_html/cgi-bin>
Options +ExecCGI -Includes -Indexes
SetHandler cgi-script
</Directory>
Note that your Apache server may already contain configuration similar to the above for the "/home/*/public_html" directory. If you do not plan to use the UserDir module for anything other than IPAudit, it is suggested that you comment out the original configuration and replace it with the configuration above.
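The stanzas above publish host, port and connection-pair reports for the whole network to any client that can reach the web server. The following hardened variant, an added example that is not part of the original article, keeps the same Options and CGI settings but restricts access to localhost and an analyst subnet; 192.0.2.0/24 is a placeholder that must be replaced with your own monitoring subnet.

```apache
# Hardened variant of the article's two stanzas (added example, not from the
# article). Only the access-control lines change. 192.0.2.0/24 is a placeholder
# for the subnet of the analysts' workstations; adjust it to your network.
<Directory /home/*/public_html>
    AllowOverride All
    Options MultiViews Indexes Includes FollowSymLinks
    # Weak setting from the article: any client may read the reports.
    #   Order allow,deny
    #   Allow from all
    # Hardened: deny by default, then allow only localhost and the analyst subnet.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 192.0.2.0/24
</Directory>

<Directory /home/*/public_html/cgi-bin>
    Options +ExecCGI -Includes -Indexes
    SetHandler cgi-script
    # The search CGIs expose the same data; the rule is repeated here so the
    # restriction is explicit and does not depend on inheritance from the
    # parent stanza.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 192.0.2.0/24
</Directory>
```

After editing, run the Apache configuration test (apachectl configtest) and reload, then confirm from a host outside the allowed range that the IPAudit pages return 403.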
