WP4 Type 3 Statistics: IDS Sensor Userguide
POPPIX is a collection of security-related tools with a
curses-based gui. It comes on a bootable Linux CD-ROM and is
based upon a recent
Within eCSIRT.net it is used to deploy a number of intrusion detection
sensors in order to monitor internet background noise (attacks, worms
etc.). The monitored events are logged to a central server (using
authenticated SSL connections) and are evaluated for generation
of statistics. For this purpose the following services are provided:
- crypntp: a secure implementation of the network time protocol (NTP).
This is to ensure that the logged events of all deployed sensors
are using the same time. Source: http://www.ntp.org/
- honeyd: a honeypot daemon that is able to emulate some network
services. The honeyd is used to actually answer connections
so they are visible to the IDS sensor. Source: http://www.citi.umich.edu/u/provos/honeyd/
- pnids: prelude-nids, the network based sensor of the
intrusion-detection-system PRELUDE. Source: http://www.prelude-ids.org
POPPIX is released under the GPL. Contributions are more
The POPPIX IDS sensor requires all of the following:
- i386 (or better) with a bootable CD-ROM device and
a network interface
- direct internet access via TCP/IP (NAT will not work)
- 2 IP-addresses (1 to be attacked, 1 to communicate
with the time-server, to log attack-data etc.)
There exists an ISO-image for the bootable CD. You may receive
the image upon request.
An initial image for a 1.44 MB floppy disk is mailed to the
Please keep this image as it contains all the keys and certificates
necessary for the POPPIX IDS sensor to work.
The following steps are necessary to get a working POPPIX installation:
- Get the ISO-Image of the POPPIX-CDROM. Burn it on a CD.
- Get the floppy image with the keys, certificates and
the configuration menues. Unpack it onto a floppy disk
using any zip-utility at hand (on Unix systems it is usually
- Set the hardware clock of the system to an approximately correct
time. The configured ntp service will provide a very precise time
a few minutes after startup, but messages logged before will
have a wrong time stamp otherwise.
- Boot from CD. The floppy is not bootable. But once Linux
has been started via the CD, it will look for the configuration
menu and startup script on the floppy
automatically. The floppy musn't be write-protected.
- If the automatic start-up of POPPIX from the floppy fails, log
in as root, cd into /mnt/floppy and issue
- Once POPPIX has been started, you have to setup your specific
network parameters via the menu Setup->Networks->Add.
- The IP-address to be given to the first interface
(theoretically POPPIX supports as many as you like) has to be
the address designated for communications.
- You don't have to activate any network-interface. This will
be done automatically when leaving POPPIX.
- Unfortunately DHCP doesn't work (yet), eaven though if you
might see it someplace.
- WLAN-interfaces are not supported.
- The next step is setting up the so called 'services' (e.g.
honeyd, pnids, cryptntp).
- The defaults should be okay (i.e. each service should
in deed be started etc.)
- Both prelude (aka pnids) as well as honeyd have to be told
which IP-address to monitor or to emulate servers on
respectively. You have to enter the same IP-address for pnids
and honeyd. This IP has to be different from the
communication-IP, mentioned above.
- After having setup everything, select 'Exit' from the main menu.
POPPIX will ask you whether it should proceed to write
configuration files, start the services etc. Remember,
currently POPPIX will not touch your harddisk, if booted
from CD. So don't be too shy.
- Make sure that your firewall does not block the services
of the sensor. This means:
- Enable all incoming traffic to the IP-address to be
- Enable all outgoing traffic from the IP-address to
- Enable TCP traffic (incoming and outgoing) between
the systems IP-address (any port) and the
IDS manager ip5.pre-secure.de (port 5554).
- Enable UDP traffic (incoming and outgoing) between
the systems IP-address (any port) and the
timeserver time.pre-secure.de (port 123).
If everything works well, you should be able to the following tests:
- Look into the log messages of the started processes on
console /dev/tty8 (switch back and forth via ALT-F8 and
ALT-F1). There should be some messages like the following:
prelude-nids: - SSL authentication succeeded with Prelude Manager.
prelude-nids: - Initializing packet capture.
ntpd: peer 220.127.116.11 event 'event_reach' (0x84) status 'unreach, conf, auth, 1 event, event_reach (0xe014)'
ntpd: time reset -5.017380 s.
- Point your webbrowser to the
of the IDS (access limited to participating members).
When the first attacks are reported, they will
appear in the alert list. For better control you may
select the filter for your own team and click on
If you have trouble to log in as user "root", keep in mind that
POPPIX uses an american keyboard layout. If anything else goes
wrong, you can have a look at:
- The file /tmp/pst.log, where you will find some information about
what POPPIX is doing.
- Syslog. It's not logging to a real file, but to the virtual
console /dev/tty8 (switch back and forth via STRG-F8 and STRG-F1).
Currently syslog logs everything.
On the basis of the collected data of all sensors some generic statistics
are generated. These show results on the accumulated data of all
sensors. The number of alerts of some main classes are displayed
as well as some more complex statistics on the number of attacks
per attacker and the number of sensors that were attacked by the
statistics of the sensors can be found here.
In contrast to the generalized public statistcs the charts of internal
statistics retain the relation of the alerts to the single sensors.
So each participating team is able to see the number of alerts
logged by its own sensor.
- Release 1.0, December 2003 First Release