[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: review host based intrusion detection sytems

> We're setting up 3 new servers and I want to have an 
> intrusion detection database.
> Ease of use is much, much more important then perfect security.
> A while back we installed tripwire from tarball on one system 
> but let it get out of date. At another job, they had a 
> homegrown system that is very cumbersome,--lots and lots of 
> false alarms and a pain to update.
> Of course it would be extra valuable if you could compare and 
> contrast two or more of these packages.

I've been going on a major security crackdown of the main webserver
I deal with. Here's some of the stuff I installed:

Tiger - Security scans emailed to you on some schedule I haven't
        figured out yet. Tiger has warned me about all kinds of
        things - among other things, it checks for open unprivileged
        ports run by users, it compares MD5sums included in .deb files
        against the files, and can warn you about changes, and it can
        warn you about installed files that weren't installed by a Debian
        package. A good first start.

Snort - Detects intrusion attempts. Since installing it, I've gotten between
        400 and 600 attack attempts per day. It's a little overwhelming,
        you set up snort-mysql (or pgsql) and acidlab. If you can put the
        in promiscuous mode so it can capture all data on the segment, it
will notice
        attacks directed from anyone to anyone. Very handy.

Acidlab - Takes snort-mysql logs and displays them in an easily looked-at
          Portscan attempts, scanning for bad CGIs, default.ida attempts,
and so on.

Logcheck - After you tweak it to fit your local system, it's very valuable
in telling
           you what's been happening and where. Anything that goes through
your logs
           can be logged or ignored by egrep regexes. Handy.

I'm still paranoid, but I've managed to avoid getting fascist on my users
while still
being aware of 99% of what goes on with this system. Anything incoming or
outgoing gets
logged, anything that gets logged gets emailed to me, and anything that
changes sets off
an alert. Not perfect, but good. It did take a while to set up (if you set
everything up
all at once, you'd probably be looking at a week or two to get everything
but it was worth it for that extra peace of mind when I go away for vacation
for a week.

It doesn't answer your question, but maybe it'll be helpful anyway.


Reply to: