Recommend good IDS? was Re: /dev/shm/r?


Recommend good IDS? was Re: /dev/shm/r?

by john -3

On Tue, Jun 2, 2009 at 4:45 PM, Josh Lauricha <josh@...> wrote:
> I'm surprised more people aren't running tripwire or other IDS.

I'd be interested to hear some recommendations for IDS to run on
internet facing servers. Especially from the point of view of ease of
installation, ease of maintenance, quality of the tool, and ability to
have it deliver really useful information to the admin. I've used
SNORT a bit in the past and my feeling was that it was so chatty that
it was actually hard to tell if something bad was happening or not.

John


--
To UNSUBSCRIBE, email to debian-security-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...


Re: Recommend good IDS? was Re: /dev/shm/r?

by Boyd Stephen Smith Jr.-3

In <2be970b50906030853t29dfb90atd60089611f98e336@...>, john
wrote:
>On Tue, Jun 2, 2009 at 4:45 PM, Josh Lauricha <josh@...> wrote:
>> I'm surprised more people aren't running tripwire or other IDS.
>
>I'd be interested to hear some recommendations for IDS to run on
>internet facing servers.

I inherited a tripwire installation at some point.  It was one mail message
per day (and if you didn't get that message you knew something was wrong).

It required a bit of tuning to not report errors regularly, but once I spent
that time it was fairly hands-off.
--
Boyd Stephen Smith Jr.           ,= ,-_-. =.
bss@...             ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/            \_/




Re: Recommend good IDS? was Re: /dev/shm/r?

by Rick Moen

Quoting Boyd Stephen Smith Jr. (bss@...):

> I inherited a tripwire installation at some point.  It was one mail message
> per day (and if you didn't get that message you knew something was wrong).
>
> It required a bit of tuning to not report errors regularly, but once I spent
> that time it was fairly hands-off.

One way to use Tripwire in conjunction with a slightly more modern and
lightweight file-based IDS alongside it:
http://linuxgazette.net/issue98/moen.html

(That article is not, however, a comparative review, which is apparently
what the original poster is seeking.)

--
Cheers,                      Notice:  The value of your Hofstadter's Constant
Rick Moen                    (the average amount of time you spend each month
rick@...          thinking about Hofstadter's Constant) has just
McQ!  (4x80)                 been adjusted upwards.




Re: Recommend good IDS? was Re: /dev/shm/r?

by Steven Brunasso

Remember that a HIDS (host IDS) is just a detective control on the
host. It shows that you have been hacked; you will probably want a
good NIDS (network IDS) to see what attacks are being attempted over
the wire.

HIDS is good to quickly detect a compromise...


http://sourceforge.net/projects/aide
http://packages.debian.org/search?keywords=aide



On Jun 3, 2009, at 9:55 AM, Boyd Stephen Smith Jr. wrote:

> In <2be970b50906030853t29dfb90atd60089611f98e336@...>, john
> wrote:
>> On Tue, Jun 2, 2009 at 4:45 PM, Josh Lauricha <josh@...>  
>> wrote:
>>> I'm surprised more people aren't running tripwire or other IDS.
>>
>> I'd be interested to hear some recommendations for IDS to run on
>> internet facing servers.
>
> I inherited a tripwire installation at some point.  It was one mail  
> message
> per day (and if you didn't get that message you knew something was  
> wrong).
>
> It required a bit of tuning to not report errors regularly, but once  
> I spent
> that time it was fairly hands-off.
> --
> Boyd Stephen Smith Jr.           ,= ,-_-. =.
> bss@...             ((_/)o o(\_))
> ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
> http://iguanasuicide.net/            \_/
>


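Boyd's daily tripwire mail and Steven's AIDE pointer describe the same mechanism: a baseline of file digests and metadata, a periodic rescan, and a report that goes out even when nothing changed, so that a missing report is itself the alarm. The block below is an added example of that loop in Python; it is not code from Tripwire or AIDE, and the exclusion patterns, the sample tree, the file contents and the host name are all constructed for the demonstration.

```python
"""Minimal Tripwire/AIDE-style file-integrity check (added example; not code
from either project).  A baseline of digests and metadata is taken once;
every later scan is compared with it and summarised in one report, which is
sent even when nothing changed so that a missing report is itself a signal."""
import fnmatch
import hashlib
import os
import stat
import tempfile

# Paths known to churn (logs, pid files, scratch space).  Constructed sample
# policy; this exclusion list is the "tuning" Boyd mentions.
DEFAULT_EXCLUDES = ("*.log", "*.pid", "tmp/*")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root, excludes=DEFAULT_EXCLUDES):
    """Return {relative path: {sha256, mode, uid, size}} for regular files under root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch.fnmatch(rel, pat) for pat in excludes):
                continue
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are out of scope here
            db[rel] = {
                "sha256": _sha256(full),
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "size": st.st_size,
            }
    return db


def compare(baseline, current):
    """Classify differences; also single out files that are now setuid."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        fields = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if fields:
            changed[rel] = fields
    new_setuid = sorted(
        rel for rel in added + list(changed)
        if current[rel]["mode"] & stat.S_ISUID
    )
    return {"added": added, "removed": removed, "changed": changed,
            "new_setuid": new_setuid}


def report(diff, hostname="host.example"):
    """Render the daily mail body.  An unchanged tree still yields a heartbeat line."""
    lines = [f"Integrity report for {hostname}"]
    if not (diff["added"] or diff["removed"] or diff["changed"]):
        lines.append("No changes detected.")
        return "\n".join(lines)
    lines += [f"ADDED      {rel}" for rel in diff["added"]]
    lines += [f"REMOVED    {rel}" for rel in diff["removed"]]
    lines += [f"CHANGED    {rel} ({', '.join(fields)})"
              for rel, fields in diff["changed"].items()]
    lines += [f"NEW SETUID {rel}" for rel in diff["new_setuid"]]
    return "\n".join(lines)


def demo():
    """Build a constructed tree, baseline it, alter it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode=0o644):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, mode)
            return path

        write("bin/ls", b"#!/bin/sh\nls\n", 0o755)
        passwd = write("passwd", b"root:x:0:0::/root:/bin/sh\n")
        shadow = write("shadow", b"root:*:0:0:99999:7:::\n", 0o600)
        write("syslog.log", b"boot\n")
        baseline = scan(root)

        write("bin/ls", b"#!/bin/sh\nls -a\n", 0o755)   # contents replaced
        write("bin/helper", b"x", 0o4755)               # new setuid file
        os.chmod(passwd, 0o666)                         # permissions loosened
        os.remove(shadow)                               # file gone
        write("tmp/scratch", b"x")                      # excluded by policy
        write("syslog.log", b"boot\nmore\n")            # excluded by policy
        return compare(baseline, scan(root))


if __name__ == "__main__":
    print(report(demo()))
```

The exclusion list is where the tuning time goes: too wide and a replaced binary hides behind a glob, too narrow and every log rotation produces a report nobody reads. The baseline itself has to live somewhere the host cannot rewrite (read-only media or a central server, which is what Garnett's samhain setup later in the thread provides), or an intruder simply re-baselines after the change.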


Re: Recommend good IDS? was Re: /dev/shm/r?

by Izak Burger

On Wed, Jun 3, 2009 at 5:53 PM, john <lists.john@...> wrote:
> I'd be interested to hear some recommendations for IDS to run on
> internet facing servers. Especially from the point of view of ease of
> installation, ease of maintenance, quality of the tool, and ability to
> have it deliver really useful information to the admin. I've used
> SNORT a bit in the past and my feeling was that it was so chatty that
> it was actually hard to tell if something bad was happening or not.

We use aide.




Re: Recommend good IDS? was Re: /dev/shm/r?

by Nikolai Lusan-2

On Wed, 2009-06-03 at 08:53 -0700, john wrote:
> On Tue, Jun 2, 2009 at 4:45 PM, Josh Lauricha <josh@...> wrote:
> > I'm surprised more people aren't running tripwire or other IDS.
> I'd be interested to hear some recommendations for IDS to run on
> internet facing servers. Especially from the point of view of ease of
> installation, ease of maintenance, quality of the tool, and ability to
> have it deliver really useful information to the admin.

It really depends on what you want. I'm using a combination of PADS
(Passive Attack Detection System) and fail2ban ... these can both be run
on either a host or a router, and integrate with netfilter. You can
customise what they are looking for to report and ban. Fail2ban is good,
it lets me blackhole people attempting nasty things in quick order ...
even better when combined with ipset and a decent firewall setup.
--
Nikolai Lusan <nikolai@...>


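Nikolai's fail2ban setup works by counting failed logins per source address inside a time window and handing offenders to netfilter. The block below is an added example of that sliding-window logic in Python, not fail2ban's own code: the sshd log lines are constructed and use RFC 5737 documentation addresses, the set name f2b-sshd, the thresholds and the year supplied for the syslog timestamps are assumptions, and the ipset/iptables commands are rendered as strings rather than executed.

```python
"""fail2ban-style sliding-window ban logic over sshd log lines (added example;
not fail2ban's own code).  Failures per source address are counted inside a
window of findtime seconds; maxretry failures inside that window produce a
ban decision, addresses in ignoreip are never banned, and the netfilter/ipset
commands are only rendered as strings here, not executed."""
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Matches the sshd "Failed password" line in traditional syslog format.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log: one burst from a single address, one whitelisted
# host with a user mistyping a password, one source retrying very slowly.
SAMPLE_LOG = """\
Jun  3 10:14:01 web1 sshd[4321]: Failed password for invalid user admin from 203.0.113.5 port 50112 ssh2
Jun  3 10:14:02 web1 sshd[4321]: Failed password for invalid user admin from 203.0.113.5 port 50113 ssh2
Jun  3 10:14:03 web1 sshd[4323]: Failed password for root from 203.0.113.5 port 50114 ssh2
Jun  3 10:14:05 web1 sshd[4330]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
Jun  3 10:14:09 web1 sshd[4340]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Jun  3 10:14:10 web1 sshd[4341]: Failed password for alice from 192.0.2.10 port 40002 ssh2
Jun  3 10:14:11 web1 sshd[4342]: Failed password for alice from 192.0.2.10 port 40003 ssh2
Jun  3 10:20:00 web1 sshd[4350]: Failed password for invalid user test from 198.51.100.7 port 60000 ssh2
Jun  3 10:40:00 web1 sshd[4351]: Failed password for invalid user test from 198.51.100.7 port 60001 ssh2
Jun  3 11:00:00 web1 sshd[4352]: Failed password for invalid user test from 198.51.100.7 port 60002 ssh2
"""


def scan_log(lines, maxretry=3, findtime=600, ignoreip=("192.0.2.0/24",), year=2009):
    """Return [(ip, datetime of the ban decision)] in log order.

    syslog timestamps carry no year, so the caller supplies one (assumption)."""
    ignore_nets = [ip_network(n) for n in ignoreip]
    recent = defaultdict(deque)      # ip -> timestamps of failures inside the window
    banned, decisions = set(), []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                 # successes and unrelated lines never count
        ip = m.group("ip")
        if ip in banned or any(ip_address(ip) in net for net in ignore_nets):
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()         # drop failures that fell out of the window
        if len(window) >= maxretry:
            decisions.append((ip, ts))
            banned.add(ip)
    return decisions


def setup_commands(setname="f2b-sshd", bantime=3600):
    """Commands run once when the jail starts: the set and the rule that consults it."""
    return [
        f"ipset create {setname} hash:ip timeout {bantime} -exist",
        f"iptables -I INPUT -m set --match-set {setname} src -j DROP",
    ]


def ban_commands(ip, setname="f2b-sshd", bantime=3600):
    """Command run per ban; the set's timeout expires the entry by itself."""
    return [f"ipset add {setname} {ip} timeout {bantime} -exist"]


if __name__ == "__main__":
    for cmd in setup_commands():
        print(cmd)
    for ip, when in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{when:%H:%M:%S} ban {ip}: {ban_commands(ip)[0]}")
```

Run on the sample, only 203.0.113.5 is banned: the whitelisted host never counts and the slow retrier from 198.51.100.7 never has three failures inside one ten-minute window (widen findtime to two hours and it is caught). Those two knobs, maxretry and findtime, are what turn a raw log into the kind of signal John found missing in a chatty NIDS; the ipset timeout is what lets the ban expire without an unban job.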


Re: Recommend good IDS? was Re: /dev/shm/r?

by Jeremy Melanson

I really like OSSEC. It's licensed under GPL V3. The agent runs on multiple platforms. It's easy to install, relatively easy to configure.
The agent is a self-contained HIDS, rootkit detector, log and file monitor.
It can also decode Snort, Cisco PIX/ASA, IPTables, and a whole lot of other logs. This means that it can act as a centralized security monitoring and alerting system.
There are tons of other features that I'm not going to mention here.

Oh yeah, and you can get commercial support for it if needed.

-----
Jeremy Melanson



On Wed, 2009-06-03 at 10:14 -0700, Rick Moen wrote:
> Quoting Boyd Stephen Smith Jr. (bss@...):
>
>> I inherited a tripwire installation at some point.  It was one mail message
>> per day (and if you didn't get that message you knew something was wrong).
>>
>> It required a bit of tuning to not report errors regularly, but once I spent
>> that time it was fairly hands-off.
>
> One way to use Tripwire in conjunction with a slightly more modern and
> lightweight file-based IDS alongside it:
> http://linuxgazette.net/issue98/moen.html
>
> (That article is not, however, a comparative review, which is apparently
> what the original poster is seeking.)
>
> --
> Cheers,                      Notice:  The value of your Hofstadter's Constant
> Rick Moen                    (the average amount of time you spend each month
> rick@...          thinking about Hofstadter's Constant) has just
> McQ!  (4x80)                 been adjusted upwards.



Re: Recommend good IDS? was Re: /dev/shm/r?

by Garnett-2

Hi,

If you run a large number of hosts, I suggest samhain.
You have many features built in (monitoring of files, System.map
altering, suid bits, append-only log files, etc.).
It works on a client-server model (a server that centralizes the hosts'
integrity database).

Communications are secure (AES for ciphering and SRP for authentication).

The deployment procedure is very convenient: you can build samhain
instances on dedicated machines and deploy them on the network with a
single script. Everything is done over SSH.

Give it a try ;-)

Resource: http://la-samhna.de/samhain/


2009/6/3 Jeremy Melanson <jmelanson@...>:

> I really like OSSEC. It's licensed under GPL V3. The agent runs on multiple
> platforms. It's easy to install, relatively easy to configure.
> The agent is a self-contained HIDS, rootkit detector, log and file monitor.
> It can also decode Snort, Cisco PIX/ASA, IPTables, and a whole lot of
> other logs. This means that it can act as a centralized security monitoring
> and alerting system.
> There are tons of other features that I'm not going to mention here.
>
> Oh yeah, and you can get commercial support for it if needed.
>
> -----
> Jeremy Melanson
>
>
> On Wed, 2009-06-03 at 10:14 -0700, Rick Moen wrote:
>
> Quoting Boyd Stephen Smith Jr. (bss@...):
>
>> I inherited a tripwire installation at some point.  It was one mail
>> message
>> per day (and if you didn't get that message you knew something was wrong).
>>
>> It required a bit of tuning to not report errors regularly, but once I
>> spent
>> that time it was fairly hands-off.
>
> One way to use Tripwire in conjunction with a slightly more modern and
> lightweight file-based IDS alongside it:
> http://linuxgazette.net/issue98/moen.html
>
> (That article is not, however, a comparative review, which is apparently
> what the original poster is seeking.)
>
> --
> Cheers,                      Notice:  The value of your Hofstadter's
> Constant
> Rick Moen                    (the average amount of time you spend each
> month
> rick@...          thinking about Hofstadter's Constant) has just
> McQ!  (4x80)                 been adjusted upwards.
>
>
>




Re: Recommend good IDS? was Re: /dev/shm/r?

by Alexander Reichle-Schmehl-2

Hi!

john schrieb:

> I'd be interested to hear some recommendations for IDS to run on
> internet facing servers. Especially from the point of view of ease of
> installation, ease of maintenance, quality of the tool, and ability to
> have it deliver really useful information to the admin. I've used
> SNORT a bit in the past and my feeling was that it was so chatty that
> it was actually hard to tell if something bad was happening or not.

Don't think it really counts as IDS, but I like to use tiger and rkhunter.
They perform some checks on the system on a regular basis. That is not a
really good protection against unauthorized access (well, it might catch a
stupid cracker ;) but at least it helps to protect the systems from myself,
e.g. when I tweak some configuration option during a maintenance task in an
insecure manner (e.g. allow root login via ssh until I'm finished setting
up the system), tiger will remind me to reset the safe values :)


Best regards,
  Alexander


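Alexander's use of tiger to catch settings he loosened during maintenance is a configuration-drift check, and sshd_config is the classic case. The block below is an added example of such a check in Python, not tiger's or rkhunter's code: it reads sshd_config the way sshd does (the first value given for a keyword wins, and everything after a Match line is conditional), then flags the listed keywords. The sample file, the check list and the assumed defaults are constructed; the defaults in particular are version-dependent and should be set to match the sshd actually installed.

```python
"""tiger-style periodic check of sshd_config (added example; not tiger's or
rkhunter's code).  It parses the global section the way sshd does (the first
value given for a keyword wins, Match blocks are per-connection overrides)
and reports settings that were loosened, e.g. root login left enabled after
maintenance."""

# (keyword, assumed default when absent, predicate for "loosened", message).
# The defaults are assumptions: PermitRootLogin defaulted to "yes" before
# OpenSSH 7.0 and to "prohibit-password" since; override via audit(defaults=).
CHECKS = [
    ("PermitRootLogin", "yes", lambda v: v == "yes",
     "root may log in directly; set 'no' or 'prohibit-password'"),
    ("PasswordAuthentication", "yes", lambda v: v == "yes",
     "password logins allowed; prefer key-based authentication"),
    ("PermitEmptyPasswords", "no", lambda v: v == "yes",
     "accounts with empty passwords may log in"),
]

# Constructed sshd_config for a host mid-maintenance.  sshd honours the first
# PermitRootLogin line and ignores the second, so the later "fix" did
# nothing.  The Match block applies to one user only, not globally.
SAMPLE_SSHD_CONFIG = """\
# hardened baseline
Port 22
Protocol 2
# temporarily enabled while setting the box up
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: first value} for the global section only."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break                         # everything after Match is conditional
        conf.setdefault(keyword, value)   # first occurrence wins, as in sshd
    return conf


def audit(conf, checks=CHECKS, defaults=None):
    """Return [(keyword, effective value, message)] for each loosened setting."""
    findings = []
    for keyword, default, is_bad, message in checks:
        if defaults and keyword in defaults:
            default = defaults[keyword]
        value = conf.get(keyword.lower(), default).lower()
        if is_bad(value):
            findings.append((keyword, value, message))
    return findings


def format_findings(findings):
    """One line per finding, in the style of a nightly tiger report."""
    if not findings:
        return "sshd_config: no loosened settings found"
    return "\n".join(f"sshd_config: {k} = {v}: {msg}" for k, v, msg in findings)


if __name__ == "__main__":
    print(format_findings(audit(parse_sshd_config(SAMPLE_SSHD_CONFIG))))
```

On the sample the only finding is PermitRootLogin = yes, which is exactly the reminder Alexander wants: the later "PermitRootLogin no" line did not take effect, and the password login inside the Match block is not reported as a global setting. Run from cron, the output is either the single "no loosened settings" line or a short list, which keeps it readable in the way the original poster asked for.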