RE: review host based intrusion detection sytems
> We're setting up 3 new servers and I want to have an
> intrusion detection database.
> Ease of use is much, much more important then perfect security.
> A while back we installed tripwire from tarball on one system
> but let it get out of date. At another job, they had a
> homegrown system that is very cumbersome,--lots and lots of
> false alarms and a pain to update.
> Of course it would be extra valuable if you could compare and
> contrast two or more of these packages.
I've been going on a major security crackdown of the main webserver
I deal with. Here's some of the stuff I installed:
Tiger - Security scans emailed to you on some schedule I haven't
figured out yet. Tiger has warned me about all kinds of
things - among other things, it checks for open unprivileged
ports run by users, it compares MD5sums included in .deb files
against the files, and can warn you about changes, and it can
warn you about installed files that weren't installed by a Debian
package. A good first start.
Snort - Detects intrusion attempts. Since installing it, I've gotten between
400 and 600 attack attempts per day. It's a little overwhelming,
you set up snort-mysql (or pgsql) and acidlab. If you can put the
in promiscuous mode so it can capture all data on the segment, it
attacks directed from anyone to anyone. Very handy.
Acidlab - Takes snort-mysql logs and displays them in an easily looked-at
Portscan attempts, scanning for bad CGIs, default.ida attempts,
and so on.
Logcheck - After you tweak it to fit your local system, it's very valuable
you what's been happening and where. Anything that goes through
can be logged or ignored by egrep regexes. Handy.
I'm still paranoid, but I've managed to avoid getting fascist on my users
being aware of 99% of what goes on with this system. Anything incoming or
logged, anything that gets logged gets emailed to me, and anything that
changes sets off
an alert. Not perfect, but good. It did take a while to set up (if you set
all at once, you'd probably be looking at a week or two to get everything
but it was worth it for that extra peace of mind when I go away for vacation
for a week.
It doesn't answer your question, but maybe it'll be helpful anyway.