[PLUG] intrusion detection software

Tim Bruce - PLUG timb at tbruce.com
Fri Mar 20 18:01:20 UTC 2009


On Thu, March 19, 2009 16:12, chris (fool) mccraw wrote:
> hey folks,
>
> one of the last steps remaining for us to become PCI compliant at my
> place of employ is to "employ an intrusion detection or prevention
> system to monitor all traffic in the data environment".  we have a lot
> of software that serves similar function (file-modification monitor,
> carefully watched syslog including firewall logs, arpwatch, standard
> system reporting on events like service startups and
> half-opened-and-never-used-again network connections from
> postfix/proftpd), but no specific "intrusion detection system".  upon
> looking into it further (ok, i read the wikipedia article and a few
> SANS articles), i find there is a plethora of signature-based systems
> which seem to not be what i want--we have very limited services
> running (ssh/sql connections only) and i'm more interested in a
> statistical anomaly type of report.  "well, you got a thousand SQL
> connections in a second from this host that usually trickles 'em in at
> 1/hour" or "hmm, ssh leaving *from* one of the firewalled machines"
> type of reports.  i don't expect to see a lot of the stuff that people
> use, say, snort for, since there's no incoming traffic at all from the
> internet, just ssh connections from the dmz hosts and SQL connections
> from the same.  so i don't need to sniff the entire network's traffic
> (nor do i want to)--i want something host based that i can run on each
> host behind the firewall to report on things happening to that host.
>
> but i haven't found anything that's free, relatively simple, and
> statistical-anomaly-type.  i don't actually want intrusion
> *prevention* software that would modify firewall setup or otherwise
> deny traffic, i just want to get paged when i see a portscan happening
> *behind* the firewall.  ideally, such a system watches the network for
> a while and "learns" what's common--"oh, on monday, dude's gonna ssh in
> for 10 minutes each machine.  carry on.  but he never seems to ssh in
> at 3am.  and WHOA a netbios packet on this network?  red alert!"
>
> does anyone use any software that does that?  would love to buy you
> lunch and pick your brains about it!  and hey, if you're so inclined
> and your google-fu is better than mine, let me know what i'm missing!
> the best candidate i found that-a-way was "SPADE" which is a
> deprecated snort plugin.
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>

Well, since no one else has responded, I'll throw my 2bits in on this topic.

Some tools that I can think of that would help you get closer include:

1.  Send both Syslog and Tripwire output to a secondary server for data roll-up.

2.  Use Logwatch to forward emails.  I think that will also filter data
out that you could roll up onto a second server or into Syslog, but I
haven't tried that.

3.  There was an article on TechRepublic about OSSEC
(http://blogs.techrepublic.com/opensource/?p=342).  That tool is available
from http://www.ossec.net.

4.  This is a guess, since I don't really use it, but maybe you could use
TCPDump to filter on suspicious traffic and forward the data to another
server (or at least log it locally).  That might require some scripting to
really get it to do what you want.

For non-free/open-source tools, IBM has ISS (Internet Security
System) available for purchase.  More info is available at:
http://www.iss.net/

Don't know if that helps, but I hope it's a start.  You'll probably have
to do some custom scripting / log parsing for any of these to get closer
to what you want.  And there's no real AI portion in any of this, nor
anything that provides the statistical analysis roll-up or rule building,
that I can see.

Tim
-- 
Timothy J. Bruce

visit my Website at: http://www.tbruce.com
Registered Linux User #325725
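As an added worked example, not from the thread and not part of any of the tools Tim lists, here is the sort of custom log parsing and statistical roll-up he says you would end up writing. It reads netfilter LOG lines as rsyslog writes them, learns a baseline of events per hour of day for each (src, dst, proto, dport) flow from a week of logs, and then reports three things the original poster asked to be paged about: a flow that spikes far above its usual rate, a flow never seen before (NetBIOS on the segment, or ssh leaving a protected host), and a known flow showing up at an hour it never used before. All log lines, hostnames, addresses and the "FW-ACCEPT" log prefix are constructed for the example; nothing here is from a real capture.

```python
"""Host-based statistical anomaly report over netfilter LOG lines (added example).

Learns per-flow, per-hour-of-day baselines from a week of constructed log lines,
then flags rate spikes, never-seen flows, and known flows at unseen hours.
Hostnames, addresses and the "FW-ACCEPT" prefix are invented for this example.
"""
import re
import statistics
from collections import Counter, defaultdict

# One netfilter LOG line as rsyslog writes it:
#   "Mar 16 14:05:00 host kernel: PREFIX IN=... SRC=... DST=... PROTO=TCP SPT=... DPT=..."
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2} \S+ kernel: "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>TCP|UDP) SPT=\d+ DPT=(?P<dpt>\d+)"
)

def parse(line):
    """Return ((mon, day, hour), (src, dst, proto, dport)), or None for non-firewall lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return (d["mon"], int(d["day"]), int(d["hour"])), (d["src"], d["dst"], d["proto"], int(d["dpt"]))

def hourly_counts(lines):
    """flow -> Counter{(mon, day, hour): events}, plus the set of hour buckets seen."""
    counts, buckets = defaultdict(Counter), set()
    for line in lines:
        parsed = parse(line)
        if parsed:
            bucket, flow = parsed
            buckets.add(bucket)
            counts[flow][bucket] += 1
    return counts, buckets

def learn_baseline(lines):
    """(flow, hour_of_day) -> (mean, pstdev) of events per day at that hour.
    Days with no events count as zero; otherwise a trickle would look like the norm."""
    counts, buckets = hourly_counts(lines)
    days = {(mon, day) for mon, day, _ in buckets}
    baseline = {}
    for flow, per_bucket in counts.items():
        for hod in range(24):
            samples = [per_bucket.get((mon, day, hod), 0) for mon, day in days]
            if any(samples):  # only hours at which this flow ever occurred count as "normal"
                baseline[(flow, hod)] = (statistics.mean(samples), statistics.pstdev(samples))
    return baseline

def detect(baseline, lines, sigmas=3.0, min_events=5):
    """Alerts as (kind, bucket, flow, count).  min_events stops a 1/hour trickle with
    zero variance from paging on two connections."""
    known_flows = {flow for flow, _ in baseline}
    counts, _ = hourly_counts(lines)
    alerts = []
    for flow, per_bucket in counts.items():
        for (mon, day, hod), n in sorted(per_bucket.items()):
            if flow not in known_flows:
                kind = "new-flow"      # e.g. NetBIOS on this segment, or ssh *leaving* a protected host
            elif (flow, hod) not in baseline:
                kind = "off-hours"     # known flow, but never seen at this hour of day
            else:
                mean, sd = baseline[(flow, hod)]
                if n < min_events or n <= mean + sigmas * sd:
                    continue
                kind = "rate-spike"
            alerts.append((kind, (mon, day, hod), flow, n))
    return alerts

def log_line(mon, day, hour, minute, src, dst, proto, spt, dpt):
    """Constructed log line in netfilter LOG format (sample data, not a real capture)."""
    return (f"{mon} {day:2d} {hour:02d}:{minute:02d}:00 db1 kernel: FW-ACCEPT IN=eth0 OUT= "
            f"SRC={src} DST={dst} LEN=60 PROTO={proto} SPT={spt} DPT={dpt}")

def training_lines():
    """A week (Mar 9-15) of normal traffic: the DMZ web host opens one SQL connection an
    hour to the DB host, and the jump host sshes in during business hours."""
    lines = []
    for day in range(9, 16):
        for hour in range(24):
            lines.append(log_line("Mar", day, hour, 5, "10.0.1.5", "10.0.2.10", "TCP", 40000 + hour, 3306))
            if 9 <= hour < 17:
                lines.append(log_line("Mar", day, hour, 30, "10.0.1.7", "10.0.2.10", "TCP", 50000 + hour, 22))
    return lines

def todays_lines():
    """Mar 16: the usual trickle plus the things the poster wanted to be paged about."""
    lines = [log_line("Mar", 16, 3, 7, "10.0.1.7", "10.0.2.10", "TCP", 50003, 22)]          # ssh at 3am
    lines.append(log_line("Mar", 16, 14, 5, "10.0.1.5", "10.0.2.10", "TCP", 40014, 3306))
    lines += [log_line("Mar", 16, 14, 12, "10.0.1.5", "10.0.2.10", "TCP", 41000 + i, 3306)
              for i in range(1000)]                                                          # SQL flood
    lines.append(log_line("Mar", 16, 14, 20, "10.0.2.10", "10.0.2.30", "TCP", 51234, 22))   # ssh leaving the DB host
    lines.append(log_line("Mar", 16, 14, 21, "10.0.1.9", "10.0.2.10", "UDP", 137, 137))     # NetBIOS name query
    lines.append("Mar 16 14:22:00 db1 sshd[1234]: Accepted publickey for ops from 10.0.1.7") # not a firewall line, skipped
    return lines

if __name__ == "__main__":
    for alert in detect(learn_baseline(training_lines()), todays_lines()):
        print(*alert)
```

Run as-is it prints four alerts: the 3am ssh as off-hours, the 1001 SQL connections in one hour as a rate spike against a baseline of one per hour, and the outbound ssh and the NetBIOS packet as new flows; a normal week's worth of lines produces nothing. To catch the "on Monday he sshes in" pattern, key the baseline on (flow, weekday, hour) instead of (flow, hour); with only a week of training data every hour has one sample, so the threshold then degenerates to "ever seen at this time or not", which is exactly why a longer learning window is worth the wait before turning on paging.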