[PLUG] Question on intrusion detection software
Thomas Groman
tgrom.automail at nuegia.net
Wed Jan 5 00:29:36 UTC 2022
On Tue, 4 Jan 2022 14:58:04 -0800
website reader <website.reader3 at gmail.com> wrote:
> To all:
>
> Now that an executive for a respected System Security auditing system
> for linux replied to me that the best bet was to look for intrusion
> detection software, I am soliciting comments upon a "free" or
> reasonably priced (< $100) package.
>
> I just came across this now from Comparitech :
>
> Here’s our list of the Best Intrusion Detection System Software and
> Tools:
>
> 1. SolarWinds Security Event Manager EDITOR’S CHOICE Analyzes logs
> from Windows, Unix, Linux, and Mac OS systems. It manages data
> collected by Snort, including real-time data. SEM is also an
> intrusion prevention system, shipping with over 700 rules to shut
> down malicious activity. An essential tool for improving security,
> responding to events and achieving compliance.
> ( I checked $2613 to start)
>
> 2. CrowdStrike Falcon (FREE TRIAL) A cloud-based endpoint protection
> platform that includes threat hunting.
>
> 3. ManageEngine EventLog Analyzer (FREE TRIAL) A log file analyzer
> that searches for evidence of intrusion.
>
> 4. Snort Provided by Cisco Systems and free to use, leading
> network-based intrusion detection system software.
>
> 5. OSSEC Excellent host-based intrusion detection system that is free
> to use.
>
> 6. Suricata Network-based intrusion detection system software that
> operates at the application layer for greater visibility.
>
> 7. Zeek Network monitor and network-based intrusion prevention system.
>
> 8. Sagan Log analysis tool that can integrate reports generated on
> snort data, so it is a HIDS with a bit of NIDS.
>
> 9. Security Onion Network monitoring and security tool made up of
> elements pulled in from other free tools.
>
> 10. AIDE The Advanced Intrusion Detection Environment is a HIDS for
> Unix, Linux, and Mac OS
> OpenWIPS-NG Wireless NIDS and intrusion prevention system from the
> makers of Aircrack-NG.
>
> 11. Samhain Straightforward host-based intrusion detection system for
> Unix, Linux, and Mac OS.
>
> 12. Fail2Ban Lightweight host-based intrusion detection software
> system for Unix, Linux, and Mac OS.
>
> Any comments on the above? Is OSSEC a good choice? I have 2 linux
> systems which need intrusion detection (and probably network
> intrusion detection)
>
> Randall
fail2ban is pretty good, but I've never heard of it being called an
intrusion detection system before. It's not really required if you
disable passwords and just use key-based authentication.
What I would do is just do the usual hardening and also run auditd and
configure your logging daemon to also log to a remote logging server
and run some automated log scanning and graphing tools on that.
Don't install antivirus on a Linux server. That's really only done to
prevent passing off Windows viruses to Windows users on mail servers
with ClamAV.
I used to run Snort and Suricata on my network. I switched from Snort
to Suricata because Snort was pretty heavy and Suricata seemed more
efficient, but I eventually removed it, figuring I didn't really need it
and my time would probably be better spent hardening hosts. Those kinds
of systems also have a lot of false positives, so you'll need to keep
that in mind.
What comes to mind when I hear IDS system for *nix is something that
hashes all the system files on boot and compares them to a list. That
used to be prohibitively slow back in like the mid 2000s, but now CPUs
are fast enough and there are algorithms out there like b2sum and b3
that make it more feasible. Though that's going to have false positives
every time your OS updates. With that in mind though, if you're using
Debian it has a built-in tool to do this called debsums, which uses apt's
own database cache. It's technically defeatable if an attacker knows to
edit apt's md5hash cache as well, but it's a valuable tool for other
reasons as well.
One last thing is rkhunter. This isn't something you'd want to run all
the time, as it requires you to boot from a known-good boot disc and
mount a chroot for proper detection of rootkits. It's something that
would be useful to run if you suspect something is up.
One last thing that I think is REALLY useful: if you've ever
administered an OpenBSD system, you'd see there's an automated script
that runs from cron and mails root periodically with the changes to system
configuration it's detected. This is really useful, but is still going
to require a system administrator to read it and go 'yeah, that's
something I did on X date' or 'that's consistent with an autopatching
script I set up'. Porting something like that to Linux would be great.
If you really want to harden a Linux system, look into netfilter and
'egress filtering', and also look into netfilter's ability to filter
per-UID and per-GID. Most daemons run as their own user, so you can only
allow packets to flow from specific daemons on specific ports at
specific times of the day at specific rates. This is something I do on
large shared hosting systems, and it saves you the headache when the
people with WordPress sites I'm hosting eventually get hacked (happens
on a regular basis) and malware gets installed into the user's account.
The egress filtering effectively neuters the malware so it can't do
anything (including make me have to deal with an abuse complaint from my
ISP), and it can be detected and fixed before it becomes a problem. Egress
filtering is really useful and more people should look into it.
There are a lot of things you CAN do to prevent intrusions on *nix
systems, but it usually comes down to two things.
Is your goal to A.) make the system objectively more secure, or
B.) satisfy some legal requirement? In the case of A, that's really a
situationally specific question you have to think about yourself, and in
the case of B there's not really any leeway other than to install
something the government says you have to and check a checkbox on a
compliance list.
--
_______________________________________
/ Against his wishes, a math teacher's \
| classroom was remodeled. Ever since, |
| he's been talking about the good old |
| dais. His students planted a small |
| orchard in his honor; the trees all |
\ have square roots. /
---------------------------------------
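A minimal illustration of the two ideas in the message above (a hash-based baseline of system files in the spirit of debsums or AIDE, and an OpenBSD-style report of configuration changes for an administrator to read), added here as an example; it is not code from the original post or from any of the tools named. It assumes POSIX sh with coreutils, uses b2sum where available and falls back to sha256sum otherwise. The sample /etc tree, its file names and the drift the demo introduces are all constructed for the demo, and the fim_* function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: a tiny file-integrity
# checker. It records a baseline of "hash  path" lines for every regular
# file under a directory and later reports ADDED / REMOVED / MODIFIED
# files, much as debsums/AIDE or OpenBSD's daily security report do.
# Assumption: POSIX sh plus coreutils-style hashing tools.

# Pick a hash tool once: b2sum (as the post mentions) if present,
# otherwise sha256sum.
fim_hasher() {
    if command -v b2sum >/dev/null 2>&1; then echo b2sum
    else echo sha256sum; fi
}

# fim_snapshot DIR OUT: hash every regular file under DIR into OUT.
# Output is sorted by path (field 2) so two snapshots are diffable.
fim_snapshot() {
    snap_hasher=$(fim_hasher)
    find "$1" -type f -exec "$snap_hasher" {} + | LC_ALL=C sort -k 2 > "$2"
}

# fim_compare OLD NEW: one line per change, "ADDED    path",
# "MODIFIED path" or "REMOVED  path", sorted for a stable report.
fim_compare() {
    awk -v old="$1" '
        # First pass: remember the baseline hash for each path.
        FILENAME == old { oldhash[$2] = $1; next }
        # Second pass: anything new or changed relative to the baseline.
        {
            if (!($2 in oldhash))          print "ADDED    " $2
            else if (oldhash[$2] != $1)    print "MODIFIED " $2
            seen[$2] = 1
        }
        # Baseline entries never seen in the new snapshot were removed.
        END { for (p in oldhash) if (!(p in seen)) print "REMOVED  " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# fim_demo: build a constructed /etc-like tree, baseline it, simulate
# the kind of drift an administrator would want reported, and print the
# report with the temp prefix rewritten to /etc for readability.
fim_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/etc/cron.d"
    printf 'PermitRootLogin no\n'             > "$work/etc/sshd_config"
    printf 'root:x:0:0:root:/root:/bin/sh\n'  > "$work/etc/passwd"
    printf 'nameserver 192.0.2.1\n'           > "$work/etc/resolv.conf"
    fim_snapshot "$work/etc" "$work/baseline.txt"

    # Constructed drift: a changed setting, a new cron job, a deleted file.
    printf 'PermitRootLogin yes\n' > "$work/etc/sshd_config"
    printf '0 3 * * * root /usr/local/sbin/nightly\n' > "$work/etc/cron.d/nightly"
    rm "$work/etc/resolv.conf"
    fim_snapshot "$work/etc" "$work/current.txt"

    fim_compare "$work/baseline.txt" "$work/current.txt" | sed "s|$work/etc|/etc|"
    rm -rf "$work"
}

# Run the demo only when asked for, e.g.:  sh fim.sh demo
if [ "${1:-}" = demo ]; then
    fim_demo
fi
```

In real use the baseline would be written once from a known-good state (ideally onto read-only or off-host storage, since an attacker with root can rewrite a local baseline just as the post notes for apt's hash cache), and a cron job would run the compare and mail the report to root; as the message says, a human still has to read it and decide which changes were theirs.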