Slashdot Mirror


Rate the Intrusion Detection Systems?

Swannie asks: "The company I'm working for is looking into Intrusion Detection Systems. I was curious on how good/bad/ugly/cute/cuddly LIDS (Linux Intrusion Detection System) is when compared to other, commercial, systems like Cisco's NetRanger, etc. I'd be interested in information from my fellow geeks that have deployed LIDS in real world situations, as well as anyone that has switched to LIDS from a commercial solution, or vice-versa. Hopefully if I have some ammunition to go to the powers that be, I'll be able to utilize an open-source (and less expensive) Linux solution instead of a more expensive commercial one." Are there any other options out there which can be added to this comparison? In an odd bit of synchronicity, this article popped up before press time, which offers up another possible answer, in the form of Snort.

14 comments

  1. fp! by Anonymous Coward · · Score: -1, Offtopic

    of course with random numbers you can never tell.

  2. Some Outdated Answers by Outland+Traveller · · Score: 3, Informative

    It's been a year since I've researched the subject, but some of this info still may be relevant. If not, I'm sure I'll be moderated down and/or corrected :)

    LIDS and Snort do very different things. LIDS is more for host-based security. It is primarily used for locking down the kernel. For example, adding additional layers of security to prevent unauthorized kernel module loading, file access, etc. It foils common rootkits and can be used to make a hardened machine. The downside is that it works at a very low level. You have to patch your kernel to get it to work, and the LIDS package lags behind the Linus tree. The configuration interface at the time I looked at it was in flux and poorly documented. It might be better now, but it looked like it took a lot of effort to customize a configuration to meet your particular needs.

    Snort is a whole different story. It is used to report suspicious network activity, such as portscans, web server attacks, FTP overflow attacks, etc. The Snort scanning engine is quite sophisticated and easily customizable by rules files. It appears to be every bit as effective as commercial equivalents, if not better. The downside is that the reporting is very do-it-yourself. If you want to get something more than spammy syslog alerts, you have to roll your own reporting/alert/reaction tool. To be fair, there are lots of hooks and database-backend support for this, but it doesn't come with the base package. Perhaps someone will reply with a link to a third-party add-on that fills this gap.
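The "roll your own reporting" gap the comment above describes is small enough to illustrate. The following is an added example, not code from the original page or from the Snort project: it parses alerts in Snort's one-line "fast" alert format, summarizes them by signature and by source host, and picks out the sources a reaction tool might act on. The alert lines are constructed for the example and are not a real capture; the signature IDs and messages in them are illustrative only.

```python
import re
from collections import Counter

# Constructed sample lines in Snort's "fast" alert format (not a real capture).
# The last line is deliberately not an alert, to show that noise is skipped.
SAMPLE_ALERTS = """\
03/15-10:01:22.123456  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3456 -> 192.168.1.10:80
03/15-10:01:23.223456  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3457 -> 192.168.1.10:80
03/15-10:02:01.000001  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.7 -> 192.168.1.10
03/15-10:05:44.500000  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3460 -> 192.168.1.11:80
03/15-10:06:00.000000  [**] [1:498:6] ATTACK-RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:3460
Mar 15 10:06:01 sensor snort[1234]: not an alert line, just syslog chatter
"""

# One fast-format alert: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol in braces, "src -> dst".
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def _host(addr):
    """Strip the :port suffix from an IPv4 "a.b.c.d:port" address; bare addresses pass through."""
    return addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr


def parse_fast_alerts(text):
    """Return a list of dicts, one per well-formed alert line; other lines are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["sid"] = int(a["sid"])
        a["prio"] = int(a["prio"])
        a["src_host"] = _host(a["src"])
        a["dst_host"] = _host(a["dst"])
        alerts.append(a)
    return alerts


def summarize(alerts):
    """Counts per (sid, message) and per source host, the two views an analyst wants first."""
    by_sig = Counter((a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src_host"] for a in alerts)
    return by_sig, by_src


def sources_to_escalate(alerts, min_hits=2, max_priority=1):
    """Source hosts with at least min_hits alerts of priority <= max_priority.

    This is the hook a reaction tool would use; see the note below about
    why acting on it automatically is risky.
    """
    hits = Counter(a["src_host"] for a in alerts if a["prio"] <= max_priority)
    return sorted(h for h, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    parsed = parse_fast_alerts(SAMPLE_ALERTS)
    sigs, srcs = summarize(parsed)
    for (sid, msg), n in sigs.most_common():
        print(f"{n:4d}  sid {sid}: {msg}")
    for host, n in srcs.most_common():
        print(f"{n:4d}  from {host}")
    print("escalate:", sources_to_escalate(parsed))
```

The summary is the easy part; the reaction step is where judgment is needed. The portscan alert above has no completed TCP connection behind it, so its source address could be spoofed; a tool that fires firewall rules on every alert lets an attacker have you block whatever addresses they choose. Restrict automatic blocking to signatures that can only fire on an established session, and keep everything else as a report for a human.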

  3. NetRanger by andy@petdance.com · · Score: 3, Funny
    I've got a soft spot in my heart for NetRanger. I know that everyone equates them with "Sister Christian", but don't ignore the other rockers like "Don't Tell Me You Love Me" and the harmonies behind "Sing Me Away" and "When You Close Your Eyes".

    I saw 'em last fall at Taste Of Hanover Park, and they rocked like it was 1984. I expected them to come off as dinosaurs, but they held up well. Definitely worth the trip to the western suburbs.

  4. Recent articles by larien · · Score: 3, Informative

    There was a series of articles on Security Focus (which seems to be down ATM) recently on LIDS. Although it isn't really a comparison with anything else, it might give you an idea of what it can and can't do.

    1. Re:Recent articles by larien · · Score: 3, Informative

      Yes, I'm replying to my own post. SF is back up, and here's the index of IDS stuff, including the LIDS articles.

  5. Tripwire... by itwerx · · Score: 2, Insightful

    ...is great for detecting if somebody got through your defenses/detection. It's by no means the first or only line of defense, but it's definitely a must-have.
    (Plus if you have over-eager assistant admins it'll catch them mucking about as well. :)

    1. Re:Tripwire... by Bryan+Andersen · · Score: 3, Insightful

      I've used tripwire on developer boxes where they had to have root. Combined with an initial install backup it works nicely to see what they are changing, etc. OpenBSD has a better system for monitoring the contents of system configuration files. It will email you the differences between the old and new versions of a file.
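The two comments above describe the file-integrity idea behind Tripwire: take a baseline of the files you care about, then periodically compare and report what was added, removed, or changed. The following is an added example, not Tripwire's own code or anything from the original page: a minimal baseline-and-compare checker in Python. It builds a throwaway directory tree, snapshots it, simulates a rootkit (a trojaned binary, a new setuid file, a deleted config file, and a permission change on an otherwise untouched file), and reports the difference. The file names and contents are constructed for the example.

```python
import hashlib
import json
import os
import stat
import tempfile


def snapshot(root):
    """Record SHA-256, size and permission bits for every regular file under root.

    Keys are paths relative to root. Symlinks and special files are skipped here;
    a real checker records their metadata as well.
    """
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root)
            db[rel] = {
                "sha256": h.hexdigest(),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),  # perms incl. setuid/setgid/sticky
            }
    return db


def save_baseline(db, path):
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return added, removed and changed paths; a change in hash, size or mode counts."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "changed": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def _write(root, rel, data, mode=0o644):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(data)
    os.chmod(path, mode)
    return path


def demo():
    """Baseline a constructed tree, tamper with it the way a rootkit would, and report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/hosts.deny", "ALL: ALL\n")
        _write(root, "bin/ls", "ELF original", 0o755)
        baseline_file = os.path.join(root, "baseline.json")
        save_baseline(snapshot(root), baseline_file)
        os.remove(baseline_file)  # the baseline must live off-box; do not scan it

        # Simulated compromise: trojaned ls, new setuid shell, deleted config,
        # and a permission change on /etc/passwd with its content untouched.
        _write(root, "bin/ls", "ELF trojaned", 0o755)
        _write(root, "tmp/.x", "ELF backdoor", 0o4755)
        os.remove(os.path.join(root, "etc/hosts.deny"))
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)

        return compare(load_baseline_from_memory(), snapshot(root))


_BASELINE_CACHE = {}


def load_baseline_from_memory():
    return _BASELINE_CACHE["db"]


def _demo_with_cache():
    # Keep the baseline in memory for the demo, since the temp tree is deleted afterwards.
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/hosts.deny", "ALL: ALL\n")
        _write(root, "bin/ls", "ELF original", 0o755)
        bl = os.path.join(root, "baseline.json")
        save_baseline(snapshot(root), bl)
        _BASELINE_CACHE["db"] = load_baseline(bl)
        os.remove(bl)
        _write(root, "bin/ls", "ELF trojaned", 0o755)
        _write(root, "tmp/.x", "ELF backdoor", 0o4755)
        os.remove(os.path.join(root, "etc/hosts.deny"))
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)
        return compare(_BASELINE_CACHE["db"], snapshot(root))


if __name__ == "__main__":
    print(json.dumps(_demo_with_cache(), indent=1))
```

Two caveats that the thread touches on. First, as comment 6 says, a checker like this only sees what changed between scans, so it is a detective control, not a preventive one; a kernel-level mechanism such as LIDS stops the write, this one reports it afterwards. Second, the baseline and the checker binary are the first things a competent intruder will alter, so keep the baseline on read-only media or a separate host and verify the checker itself from outside the box.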

  6. Production System LIDS? by Anonymous Coward · · Score: 0

    I always was interested in LIDS and all of its advantages, so finally I found some time to install it. It provides a complete ACL to protect your system and lets you sleep at night. Someone mentioned using tripwire; tripwire will not provide you with the proper defense that you will need. It will only notify you of files that have changed every time you run tripwire. LIDS prevents you from modifying them in the first place.

    Yes, it does take quite a bit of reading and fiddling to get it set up and working (took me about 2-3 days to get a system working), but if you don't have hours to spend on security then I would definitely do it.

    Bravo to the LIDS boys.

  8. IDS != firewall; it's like raising a child by Helevius · · Score: 0, Troll
    Although any incremental improvement in security is beneficial, true network security monitoring requires a real commitment of trained manpower, customized applications, and rational processes. Unless you're willing to devote all of your time, and the time of a motivated and quick-learning staff, don't bother with IDS. Network security monitoring is much more involved than firewall deployment or router ACL configuration, for example.

    If you've only got the time, energy, inclination, or budget to do the job halfway, you'll get more productive results monitoring your firewall, router, and application logs.

    If you really feel you want network security monitoring, but can't commit to it, I recommend a competent managed security services provider. Unfortunately, I'm not comfortable with any of the offerings besides that of my employer. Sure, it sounds like a shameless plug, but if other MSSPs care to explain how they do business, I'll have good words for them. Until then, I know my shop does good network security monitoring work. Of the few competitors whose operations I understand, none inspire confidence.

    If you think I only rip on other MSSPs, I can heartily recommend Digital Defense for doing top-notch vulnerability assessments (but that's not IDS, unfortunately).

    Helevius

  9. Try looking at Secureworks by Anonymous Coward · · Score: 0

    Hello!

    We use Secureworks' MSSP (it's an IDS/firewall hybrid such that it can automatically block attacks, it's updated by the provider, and it fits virtually anywhere in your network; it runs off a customized Cobalt RaQ3/4 unit).

    www.secureworks.net

    Try it out!

    It might be worth it for you.

  10. A great intrusion/honeypot system by Anonymous Coward · · Score: -1, Offtopic

    I've really found this one effective, though it is fairly resource intensive: It can really obsolete some of your hardware.

  11. Clarification: Product 6663 by Anonymous Coward · · Score: -1, Offtopic

    SKU #6663 is probably the most effective, although I'm sure that there are people who would swear by the others.

  12. Real Secure by Anonymous Coward · · Score: 0