By Joe Barr
April 30, 2002 12:00 AM EDT
(LinuxWorld) -- A few readers felt I missed the mark with my piece on ACID, the Analysis Console for Intrusion Databases, which I wrote about a couple of weeks ago. (See Resources for a link.) To correct that situation, this week I look at the PureSecure Total Intrusion Detection System from Demarc. By the way, while ACID is free software (as in speech), Demarc's PureSecure is not. There is a free version for non-commercial use, but that is free as in beer, not free as in speech.
There are more differences between ACID and PureSecure than just the license. PureSecure is much more polished, more complete, and more full-featured than its free software counterpart.
After registering on the Demarc Web site, I received a password via e-mail that allowed me to download the personal version of PureSecure. After reading the 3,000-word license, I determined that, since I planned to use the product in order to write about it, and since I am paid for writing, I did not qualify as a non-commercial user. However, the free 30-day evaluation period for commercial users allowed me to continue. My point is this: read the license. This is not free software. Don't worry about missing your chance to read the license; Demarc gives you several opportunities.
The first major difference I noticed between PureSecure and ACID was the installation. The most time-consuming part of the ACID installation is getting the prerequisites -- Apache, MySQL, and SNORT in my case -- configured and installed correctly. PureSecure takes care of all those for you.
Getting started
I untarred the download file as root in the /usr/local directory. That created a puresecure-1.6 directory with three subdirectories: console, install, and sensor. In the install directory I found another copy of the license, a configure script, some database scripts, and a documentation directory. An INSTALL text is the only thing in the documentation directory.
Per the directions in the INSTALL text, I removed all traces of Apache and MySQL from my system before proceeding. Then I moved the entire puresecure-1.6 directory structure to /usr/local/puresecure. Then I changed to the /usr/local/puresecure/install directory and executed the configuration script.
Note that this clean-slate approach is not mandatory: you can skip the Apache and MySQL installation and use the copies already on your system. Demarc recommends the clean install, though, to make sure that every file and program is set up the way PureSecure needs it.
The script is interactive all the way through. Once again, I was presented with the license and asked if I accepted its terms. Another question it asked was whether or not it should check for the latest fixes. I replied y and it was off to the races. It took about 10 minutes to download, compile, and install MySQL on my 1-GHz Athlon system with a cable-modem connection to the Internet. SNORT took about 2 minutes. Then Apache -- with mod_perl and mod_ssl -- took another eight.
After answering a few more questions (device name, sensor name, IP address, passwords, usernames, and a few others) I was done. Scarcely more than 20 minutes from the start and I was ready to rock and roll.
Installing the dragnet
Then I pointed my browser at http://localhost/Demarc/PureSecure and was greeted by an attractive logon screen. The license had to be accepted for the third time during the first sign-on. Demarc is serious about its license. As more and more Microsoft customers can testify every day, we all should be careful of the terms we agree to when accepting a license.
Once you've logged in, the PureSecure Summary screen appears. As you can see from the image below, it's very busy. Across the top is a menu bar that lets you change to one of five other major functions: events, monitor, integrity, search, or configure.
The configuration screen gives you a good idea of why PureSecure refers to itself as a "Total Intrusion Detection System." That's not a misnomer. PureSecure does a lot more than put a pretty face on database analysis of SNORT alerts.
It allows you to configure the rule sets used by SNORT: to enable or disable them, classify them, assign them priorities, and set the alert notification rules. But wait, there's more! You can also define hosts or groups to be monitored, add services to be monitored, and specify who gets notified when a monitored host or service goes down. You can schedule system integrity checks to run on a regular basis, and of course do general PureSecure housekeeping as well: adding or removing PureSecure authorized users, purging the database to speed up access, and adding or changing sensors.
From any of the six main screens, you can drill down as deeply as required to get to the information desired. On the summary screen, for example, under the "Last 6 Network Events" you can click on the signature, the source IP address, or the destination IP address for more info. Clicking on the "SCAN Proxy Attempt" signature of the topmost event brings up a screen with a whole host of new options. From it, you can find the signature in the rule sets, or perform a Whois, Trace, Ping, or DNS for the source or destination IP address.
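The summary and drill-down described above, as an added example that is not part of the article or of PureSecure itself: a short Python script that parses alerts in Snort's "fast" alert format (the -A fast output) and builds the same kind of per-signature, per-source and per-destination view a console shows, with a drill-down from a clicked signature, source or destination to the events behind it. The alert lines in SAMPLE_ALERTS are constructed for this example (documentation-range addresses, illustrative rule IDs), and the function names are my own, not Demarc's.

```python
"""Aggregate Snort fast-format alerts the way an IDS console front end does.

Added example; not code from PureSecure, Demarc or the original article.
SAMPLE_ALERTS is constructed input, not captured traffic.
"""
import re
from collections import Counter

# One line per alert: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, src[:port] -> dst[:port].  IPv4 only.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[A-Za-z]+)\} "
    r"(?P<src>[0-9.]+?)(?::(?P<sport>\d+))? -> (?P<dst>[0-9.]+?)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts.  The last line is deliberately truncated to show
# how unparseable input is handled: kept aside, never silently dropped.
SAMPLE_ALERTS = """\
04/30-09:15:02.118323 [**] [1:620:2] SCAN Proxy (8080) attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:3412 -> 198.51.100.20:8080
04/30-09:15:02.942110 [**] [1:620:2] SCAN Proxy (8080) attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:3413 -> 198.51.100.21:8080
04/30-09:16:44.001002 [**] [1:1256:4] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:1029 -> 198.51.100.20:80
04/30-09:17:10.550000 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.7 -> 198.51.100.20
04/30-09:18:31.777777 [**] [1:1256:4] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:1031 -> 198.51.100.22:80
04/30-09:19:00.000000 [**] [1:1256:4] WEB-IIS CodeRed v2 root.exe access [**]
"""


def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    f = m.groupdict()
    return {
        "timestamp": f["ts"],
        "gid": int(f["gid"]), "sid": int(f["sid"]), "rev": int(f["rev"]),
        "signature": f["msg"],
        "classification": f["cls"],
        "priority": int(f["prio"]),
        "proto": f["proto"],
        "src": f["src"], "sport": int(f["sport"]) if f["sport"] else None,
        "dst": f["dst"], "dport": int(f["dport"]) if f["dport"] else None,
    }


def parse_alerts(text):
    """Parse every non-blank line; return (events, rejected_lines)."""
    events, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_alert(line)
        if event is None:
            rejected.append(line)
        else:
            events.append(event)
    return events, rejected


def summarize(events, top=5):
    """The summary panel: top signatures, sources, destinations, and priority mix."""
    return {
        "by_signature": Counter(e["signature"] for e in events).most_common(top),
        "by_source": Counter(e["src"] for e in events).most_common(top),
        "by_destination": Counter(e["dst"] for e in events).most_common(top),
        "by_priority": dict(sorted(Counter(e["priority"] for e in events).items())),
    }


def last_events(events, n=6):
    """The 'Last N Network Events' panel, newest first.  Fast-format timestamps
    carry no year, so lexical order is only valid within a single year."""
    return sorted(events, key=lambda e: e["timestamp"], reverse=True)[:n]


def drill_down(events, signature=None, src=None, dst=None):
    """Follow a click on a signature, source or destination: events matching every given key."""
    return [
        e for e in events
        if (signature is None or e["signature"] == signature)
        and (src is None or e["src"] == src)
        and (dst is None or e["dst"] == dst)
    ]


if __name__ == "__main__":
    evs, bad = parse_alerts(SAMPLE_ALERTS)
    print(f"{len(evs)} events parsed, {len(bad)} line(s) rejected")
    for key, rows in summarize(evs).items():
        print(key, rows)
    for e in last_events(evs, 3):
        print(e["timestamp"], e["signature"], e["src"], "->", e["dst"])
    print("drill-down:", [e["src"] for e in drill_down(evs, signature="SCAN Proxy (8080) attempt")])
```

Rejected lines are returned rather than discarded so that a truncated or deliberately malformed alert cannot vanish from the console unnoticed; a real deployment would read alerts from the database Snort logs into, as PureSecure does, rather than from a text file, but the aggregation is the same.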
There is no 'the man'
I spoke briefly with Max Houston, one of the principals at Demarc Security, makers of PureSecure. Houston told me that Demarc (pronounced Dee Mark) was originally more of a project than anything else, put together by a bunch of guys who wanted to see all the most useful security tools in a single console. The goal was to protect Demarc's own servers. Since then, Houston said, it has grown into something that is "very much commercially viable and useful to the general public."
I asked who "the man" was in the six or eight full-timers associated with Demarc and Houston told me "There is no 'the man.' It's more of a grouping." And sales of PureSecure? Houston said "We were doing OK with the old version, but the new one (version 1.6) has really taken off."
PureSecure is pure overkill for my limited needs, but I am a big fan of well-done installations and full functionality. PureSecure comes with both. To my novice security eyes, it has "winner" written all over it. Nice documentation, too. If you are in the market for a state-of-the-art IDS, this hybrid of open source and proprietary code is definitely worth your time to investigate.
Copyright © 2002 SYS-CON Media, Inc. — All Rights Reserved.
Joe Barr is a freelance journalist covering Linux, open source and network security. His 'Version Control' column has been a regular feature of Linux.SYS-CON.com since its inception. As far as we know, he is the only living journalist whose works have appeared both in phrack, the legendary underground zine, and IBM Personal Systems Magazine.