Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux Intrustion Detection?

Posted by Cliff on from the watching-those-crack-attempts dept.

Woodie asks: "Hi,I'm wondering, after reading Dvorak's article on crackers , whether good intrustion detection software exists for Linux. He specifically mentions a product called "BlackICE" - which I checked out the details of - that sounds very interesting. What Linux alternatives are there? I'm not necessarily expecting an easy to use GUI; some kind background daemon that generates a usable log and that can be preconfigured to respond to certain "attacks" would be great. " How reliable are the results from various Intrusion Detection packages? Are these things worthwhile? Or would do-it-yourself monitors be a better choice?

Update: 11/03 11:58 by C : Jargon was also interested in Linux Intrusion Detection and was curious if there were Linux contenders to the likes of Cybercop Sting, and Mantrap"

11 comments

  1. Check out LIDS by Anonymous Coward · · Score: 0

    The Linux intrusion detection system. search for it on freshmeat. It does some kernel patching to make append only filesystems... AKA they can't deleate your logs.

    1. Re:Check out LIDS by kijiki · · Score: 1

      ext2fs supports append only files using chattr, this patch most likely adds securelevels back to 2.2 (it was in 2.0, but disappeared in 2.1 for some reason). The securelevel, once raised, cannot be lowered, and with a raised securelevel, not even root can do potentially dangerous things. Things like removing the +i (immutable) or +a (append only) attribute from files. To be secure, it must also disallow access to the raw drive partition, and /dev/mem. You might also want to look into kernel patches that make the stack non-executable, and place NULLs in library addresses. These can't stop buffer-overflow attacks, but it certainly makes them more difficult. Every extra layer of security helps.

      These measures are important for multi-user boxes, but are rather restrictive for your personal workstation.

      To be extra paranoid, you want to run something like tripwire, with the database, the (staticly linked) tripwire binary, and your kernel (without loadable module support) on a write protected floppy. If you're looking at measures that extreme however, I would highly recommend evaluating OpenBSD, as it has been audited, and tends to take a much more proactive stance on security.

      The same amount of work put into an OpenBSD box and a Linux box will leave the OpenBSD box much more secure. The out of box security of an OpenBSD install tends to be greater than that of the average linux distribution.

      No matter what you do, there is no excuse for not keeping up with known bugs in the software you're running, and applying patches in a timely manner. Good luck!

  2. Re:Network Flight Recorder by Anonymous Coward · · Score: 0

    Mr Ranum did post earlier on NFR Users mailinglist that Linux would not be supported at the moment, but perhaps later, seems that there were some problem with the IP drivers or something.

  3. Help me write one :) by Matthew+Kirkwood · · Score: 1
    I have the beginnings of a small toy IDS, which can detect some of the uglier and more problematic packets that you might have the misfortune to see floating around your network (things like land, the common Winnuke exploits).

    Once I have IP fragment/TCP reassembly done (this may be done off-line) it may actually be quite useful.

    Drop me an email if you want to play with it.

    Alternatively, the Netfilter stuff in recent 2.3 kernels provides a very interesting way to do a lot of the filtering in kernelspace, saving an awful lot of copying and latency.

    Matthew.

  4. Snort by sighup · · Score: 1

    Snort can be used to do network intrusion detection. Combine Snort with this ruleset and you have intrusion detection -way- beyond most anything out there.

    Of course, if you're just looking for whether or not someone is probing your host, the aforementioned PortSentry will do quite nicely.

  5. Network Flight Recorder by cowbutt · · Score: 1
    Marcus Ranum's company, NFR, has a product, which I believe can be convinced to work OK on Linux.

    Marcus, BSD-phile that he is though, believes that the Linux kernel's packet capture facilities are not and will not be fast enough (at least compared with BSD), so this is not an Officially Blessed Solution (TM).

    Good Luck!

  6. Tripwire by weefle · · Score: 1

    A freshmeat search will let you know where to find TripWire. It's a utility that keeps track of various aspects of files (size, permissions, checksums) and alerts you when files have changed. It's a bit of a pain to set up initially, as you want some files to remain exactly the same (/bin/ls), some files to change content but not permissions (/etc/passwd), and some files you just don't care about (/tmp/*). Figuring out how much stuff you want to keep track of takes a lot of time, but when you're done, you can build a database of exactly how all your important files are supposed to look. Once you've done that, you can set TripWire to run periodically, mailing you any deltas.

    Here at Miami U., we run TripWire on just about all of our production platforms. If we do get hacked, we should know about it within minutes.

    One more note; TripWire recently went commercial. I've noticed their licensing has become much less free over the last year or two, to the point that you can only get the 2.0 version as a "Red Hat Linux binary" without forking over about $500(US). They've still got their Academic Source Release available for free download from their website.

    clayton

    1. Re:Tripwire by Zurk · · Score: 1

      I wrote a better tripwire than tripwire type utility which is GPLed. You can d/l it from freshmeat..its called sentinel. also fcheck and viper are pretty good file checkers. Also see http://pages.infinit.net/lotus1/doc/opti/Linuxsos. pdf

    2. Re:Tripwire by fre · · Score: 1

      What's wrong using MD5SUM and a nice cron job? Probably something not good about since all those other products exist (tripwire, sentinel, ...).

  7. Alarmed Honeypot by SEWilco · · Score: 1

    Remember that you can wire your unused services to a network honeypot, a collection of things which are attractive to an intruder. This could be as simple as running The Deception ToolKit on all servers, configured to give DTK the services which that server is not using. Or your network may be configured to redirect all requests for improper server/service combinations to honeypot machines. You can alarm the honeypots to alert you to what is happening. At the same time you're wasting the time of the attackers.

  8. Portsentry is allways good. by Dast · · Score: 2

    http://www.psionic.com/abacus/portsentry/

    It's a good scan detector.

    From that link you can find hostsentry (a "login anomaly detection and response tool").

    --

    This sig is false.