
RE: review host based intrusion detection systems



> We're setting up 3 new servers and I want to have an 
> intrusion detection database.
> 
> Ease of use is much, much more important than perfect security.
> 
> A while back we installed tripwire from tarball on one system 
> but let it get out of date. At another job, they had a 
> homegrown system that is very cumbersome: lots and lots of 
> false alarms and a pain to update.
> 
> Of course it would be extra valuable if you could compare and 
> contrast two or more of these packages.

I've been going on a major security crackdown of the main webserver
I deal with. Here's some of the stuff I installed:

Tiger - Security scans emailed to you on some schedule I haven't
        figured out yet. Tiger has warned me about all kinds of
        things - among other things, it checks for open unprivileged
        ports run by users, it compares MD5sums included in .deb files
        against the files, and can warn you about changes, and it can
        warn you about installed files that weren't installed by a Debian
        package. A good first start.

Snort - Detects intrusion attempts. Since installing it, I've gotten between
        400 and 600 attack attempts per day. It's a little overwhelming, unless
        you set up snort-mysql (or pgsql) and acidlab. If you can put the
        machine in promiscuous mode so it can capture all data on the segment,
        it will notice attacks directed from anyone to anyone. Very handy.

Acidlab - Takes snort-mysql logs and displays them in an easily looked-at
          manner. Portscan attempts, scanning for bad CGIs, default.ida
          attempts, and so on.

Logcheck - After you tweak it to fit your local system, it's very valuable in
           telling you what's been happening and where. Anything that goes
           through your logs can be logged or ignored by egrep regexes. Handy.

I'm still paranoid, but I've managed to avoid getting fascist on my users
while still being aware of 99% of what goes on with this system. Anything
incoming or outgoing gets logged, anything that gets logged gets emailed to
me, and anything that changes sets off an alert. Not perfect, but good. It
did take a while to set up (if you set everything up all at once, you'd
probably be looking at a week or two to get everything configured), but it
was worth it for that extra peace of mind when I go away for vacation for a
week.

It doesn't answer your question, but maybe it'll be helpful anyway.

--Dan
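The "intrusion detection database" the original question asks about, and the check Dan describes Tiger doing against the md5sums shipped in .deb files, both boil down to the same thing: snapshot every file's hash and permissions once, store that baseline somewhere the host cannot rewrite, and diff a fresh scan against it later. The Python below is an added example written for this thread; it is not Dan's code and not code from Tiger or tripwire. It builds a fake filesystem in a temporary directory (constructed sample data), so it runs offline, and the function and file names (build_baseline, compare, baseline.json) are this example's own choices.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example (not from the post, Tiger or tripwire): a minimal tripwire-style
# file-integrity database. Build a baseline, store it, re-scan and report diffs.


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, permission bits and size of every regular file under root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "mode": st.st_mode & 0o7777,
                "size": st.st_size,
            }
    return baseline


def save_baseline(baseline: dict, db_path: Path) -> None:
    # In real use the database belongs on read-only media or another host:
    # a baseline an intruder can rewrite detects nothing.
    db_path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(db_path: Path) -> dict:
    return json.loads(db_path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path seen in either scan as added, removed or modified."""
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            # Any change in content, size or permission bits counts.
            report["modified"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: snapshot a fake filesystem, change it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fs"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")

        db = Path(tmp) / "baseline.json"  # kept outside the monitored tree
        save_baseline(build_baseline(root), db)

        # Four changes the check has to notice: replaced content, a new file,
        # a deleted file, and a permission change with the content untouched.
        (root / "bin" / "ls").write_bytes(b"replaced ls binary")
        (root / "etc" / "unexpected.conf").write_text("# not in baseline\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "passwd").chmod(0o600)

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running it prints one list per change type; the permission-only change on etc/passwd shows up as "modified" even though its hash is unchanged, which is why the baseline records mode and size alongside the digest rather than the digest alone.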

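Dan's point about Logcheck, that everything in the logs is either reported or ignored by egrep regexes after you tweak it for your system, is worth seeing in miniature, because the tweaking is where the "lots and lots of false alarms" problem from the original question gets solved or made worse. The Python below is an added example for this thread, not Dan's configuration and not Logcheck's own code or rule files. The syslog lines are constructed samples, and the pattern lists are hypothetical ones chosen to fit them.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from any real system).
SAMPLE_LOG = """\
Mar  3 04:02:11 www sshd[1201]: Accepted publickey for dan from 10.0.0.5 port 51234 ssh2
Mar  3 04:02:15 www cron[1210]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 04:05:01 www sshd[1222]: Failed password for invalid user admin from 192.0.2.7 port 40012 ssh2
Mar  3 04:05:02 www sshd[1222]: Failed password for invalid user admin from 192.0.2.7 port 40012 ssh2
Mar  3 04:06:30 www kernel: martian source 10.0.0.1 from 192.0.2.9, on dev eth0
Mar  3 04:10:00 www postfix/smtpd[1300]: connect from mail.example.net[198.51.100.4]
Mar  3 04:12:00 www su[1333]: (to root) dan on pts/0
"""

# Events that must always be reported, whatever else matches (Logcheck keeps
# these in its "violations"/"cracking" lists). Hypothetical patterns.
SECURITY_PATTERNS = [re.compile(p) for p in (
    r"sshd\[\d+\]: Failed password for",
    r"kernel: martian source ",
)]

# Routine noise that is safe to drop. Each pattern is anchored as tightly as
# possible: an over-broad ignore regex is how real events silently disappear.
IGNORE_PATTERNS = [re.compile(p) for p in (
    r"cron\[\d+\]: \(root\) CMD \(run-parts /etc/cron\.(hourly|daily|weekly)\)$",
    r"sshd\[\d+\]: Accepted publickey for \w+ from 10\.0\.0\.\d+ port \d+ ssh2$",
    r"postfix/smtpd\[\d+\]: connect from [\w.-]+\[[\d.]+\]$",
)]

SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ ")
PID = re.compile(r"\[\d+\]")


def classify(text: str) -> dict:
    """Split raw log text into security events, unexplained lines and ignored noise.

    Security patterns are tested first so an ignore rule can never hide them;
    anything matching neither list is reported as unusual (Logcheck's default)."""
    result = {"security": [], "unusual": [], "ignored": 0}
    for line in text.splitlines():
        if not line.strip():
            continue
        if any(p.search(line) for p in SECURITY_PATTERNS):
            result["security"].append(line)
        elif any(p.search(line) for p in IGNORE_PATTERNS):
            result["ignored"] += 1
        else:
            result["unusual"].append(line)
    return result


def summarize(lines: list) -> Counter:
    """Collapse repeats by stripping timestamp, host and pid, keeping a count.

    Repeated failed logins then read as one line with a count instead of a
    page of near-identical lines in the mail."""
    return Counter(PID.sub("", SYSLOG_PREFIX.sub("", line)) for line in lines)


if __name__ == "__main__":
    report = classify(SAMPLE_LOG)
    print(f"ignored {report['ignored']} routine lines")
    for msg, n in summarize(report["security"]).most_common():
        print(f"SECURITY x{n}: {msg}")
    for line in report["unusual"]:
        print(f"UNUSUAL: {line}")
```

The su line is the interesting case: it matches nothing, so it is reported as unusual rather than dropped. That default is what makes the tuning loop work: every unexpected line either earns a tightly anchored ignore pattern or stays in the report, and nothing is silently thrown away.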

