OSSEC and other HIDS tools

Discussion in 'all things UNIX' started by Gullible Jones, Aug 22, 2012.

Thread Status:
Not open for further replies.
  1. In theory, any compromised system cannot be trusted. In practice, though, I suspect it's better to have something that at least has an off chance of notifying you that your computer is no longer trustworthy.

    Linux is pretty strong on the mitigation and containment end of things, but a lot of distros are notably lacking in means of notifying you that your security is kaput. (In fact, only the Mandriva and Fedora families do that by default AFAIK.)

    So I'm looking into OSSEC and other HIDS as a last layer of "defense." Do any of you have experience with such software? Are any of them suitable for a desktop or personal workstation? Or are they generally too oriented toward business use?

    P.S. Anyone know what the status of OSSEC's Windows compatibility is at the moment? I'm having trouble finding what parts of it currently don't work on Windows.
     
  2. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi
    OSSEC HIDS has already been discussed on this board...so the first answer begins with a simple Wilders search...
    IDS/HIDS in general are not suited for a single workstation/desktop environment (more interesting in a LAN).
    Moreover, they act in most cases as client/server solutions (this might help for your OSSEC Windows problem).
    And most of all, they require a minimum of experience: if you cannot understand and interpret the alerts, then it appears useless to use any robust IDS.
    OSSEC is one of the most interesting H/IDS (many open source IDS are discontinued or acquired by private companies, like Snort and Prelude): complete, maintained and updated, very well documented.
    I especially like its antirootkit module (Rootcheck), which appears to me more reliable than the Rootkit Hunter/Chkrootkit fingerprint checking.
    As an example with a recent Linux rootkit (Beastkit):
    http://www.ossec.net/doc/rootcheck/analysis-beastkit.html

    Well, there is also Samhain, the open source version of Tripwire, Snare or Bro IDS for instance, but as said previously, they are useless without a minimum of machines and experience (know your enemy/the attack/the rootkit and you will be able to defend your system with these HIDS).

    Just take a good distro (many of them are hardened by default), learn the ABC of Nmap, play with firewalls (IPCop/Copfilter are good to learn)...and that would be a great effort: security software is just a variable of security, but it is not SECURITY...
    If not, there are a few tools for the paranoid that can help against some network attacks, like Etherwall for instance:
    http://sourceforge.net/projects/etherwall/

    And I stop my blah blah now because I have found my own IDS:
    https://www.wilderssecurity.com/attachment.php?attachmentid=225305&stc=1&d=1298338621

    rgds
     
  3. Thanks. And cute cat. :D
     
  4. BrandiCandi

    BrandiCandi Guest

    I'd add what I've learned recently: that to be most effective you want the IDS solution to run on a separate box from the one you're monitoring. That would be because of your first sentence:
    Therefore you monitor outside of it.

    I hope to play with some IDS options in Linux soon; I'll be interested to hear if you come up with anything.
     
  5. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Don't forget AIDE, which is basically a free clone of Tripwire.

    Don't forget Mandatory Access Controls. The Linux kernel has several to choose from and they can be very powerful tools.
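To make concrete what AIDE and Tripwire do (and what post 6 below calls detecting system file change), here is a minimal integrity checker written for this thread. It is an added example, not code from either project: it fingerprints every file under a root (mode, owner, size, SHA-256, symlink target), stores that as a baseline, and on a later run reports files that were added, removed, or changed. The directory tree it scans is constructed inside a temporary directory, and the "tampering" it performs there is simulated.

```python
"""Minimal Tripwire/AIDE-style file-integrity checker (added example)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Record the attributes a HIDS baseline typically tracks for one entry."""
    st = path.lstat()  # lstat: record a symlink itself rather than following it
    entry = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)
    return entry


def build_baseline(root) -> dict:
    """Walk the tree and fingerprint every file (directories omitted for brevity)."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished, or whose tracked attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in set(baseline) & set(current):
        keys = set(baseline[rel]) | set(current[rel])
        diffs = sorted(k for k in keys if baseline[rel].get(k) != current[rel].get(k))
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Baseline a constructed tree, simulate tampering, and re-check it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        ls = root / "bin" / "ls"
        ls.write_bytes(b"pretend this is the ls binary")
        ls.chmod(0o755)
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")

        baseline = build_baseline(root)
        # A real deployment keeps this database on read-only or off-host media,
        # which is the point BrandiCandi makes above about monitoring from outside.
        stored = json.loads(json.dumps(baseline))

        # Simulated tampering: replaced binary, changed permissions, deleted config, new file
        ls.write_bytes(b"pretend this is a replaced ls binary")
        ls.chmod(0o700)
        (root / "etc" / "passwd").unlink()
        (root / "etc" / "new.conf").write_text("constructed sample content\n")

        return compare(stored, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing alone would miss the permission change on `bin/ls`, which is why real checkers record mode and ownership alongside the digest; likewise the baseline is only worth anything if the intruder cannot rewrite it, so AIDE and Tripwire documentation both recommend keeping the database where the monitored host cannot modify it.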
     
  6. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi

    There is a quite old comparison of Linux IDS:
    http://www.la-samhna.de/library/scanners.html
    I confess that some products are a little bit obsolete...
    If we consider the usual terminology, then only programs like Snort can be considered an IDS, as they are able to detect network based attacks.
    Integrity checkers like Tripwire and AIDE can be compared to Windows whitelist HIPS because they rely on anomaly detection of system file changes.

    Regarding MAC, and as I suggested, there are already hardened distros which integrate SELinux or AppArmor; and from a terminology point of view OSSEC IDS is different from a kernel hardening patch (and I guess this is an extension or even another topic).

    There is currently a kind of IDS which is popular in Linux system administration, and this is Fail2Ban:
    http://www.fail2ban.org/wiki/index.php/Main_Page
    It protects only against a few threats (server rooting), but it accomplishes the defense job in an effective way.

    rgds
     