Re: Which intrusion detection to use?

From: Krzysztof Zaraska (kzaraska@student.uci.agh.edu.pl)
Date: 01/13/02


Date: Sun, 13 Jan 2002 21:08:09 +0100
From: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To: freebsd-security@freebsd.org

On Sun, 13 Jan 2002 19:00:30 +0000 Simon Siemonsma wrote:

> I have a FreeBSD box at home which I primarily use for internet access.
> All unnecessary daemons are switched off (I have inetd turned off) and I
> make use of IPFW.
> To even increase the security more I want to add a few things:
> 1. software that warns me when I'm under attack. I understood snort is a
> Network based Intrusion Detection System (NIDS), so not useful on a
> host.
Wrong. This term simply means that it will sniff your network (i.e. the
connection to your ISP) and alert you when it sees a packet that matches a
known attack signature. So yes, you can run it on a single host. Be warned,
however, that Snort can generate false positives: e.g. it can report that
you are being exploited with an unknown exploit while FTP'ing a new release
of FreeBSD, because some archives have strings of 0x70's in them, which
triggers an alert.

> What are the alternatives on a host?
To clean up terminology: a host-based IDS is AIDE, since it monitors
changes on the host. Snort is network-based since it monitors the network.
A hybrid IDS monitors both.

> I did read about portsentry but don't
> understand what the added benefit is over a tightly configured firewall.

I don't know how tight your particular setup is, but if you deny access to
all unused ports to the world there will be no use in PortSentry since the
offending packets will never hit the port PortSentry is listening on.
Snort does not care about firewalls, so just tell it to listen on the
outside interface and you're set.

> I mean I use stateful packet filtering, allowing connections to be built
> up from me to the internet and not the other way round.
You mean you have no services available from outside? Well, duh, not much
can be hacked here anyhow, unless there is some exploit for the kernel we
don't know of I guess...

> Further my ports are
> stealthed.
This doubles the functionality of the firewall, but may be useful if you
switch your firewall off for debugging etc. A nice example of 'layer
security'. :)

> 2. software which will detect that I'm hacked. Tripwire is a well-known
> name, but AIDE claims to do more.
Personally I use AIDE and I find it to be quite OK. After setting up AIDE
I made an MD5 checksum of the database. I keep this checksum offsite and
compare it against the current checksum to be sure that no one tampered
with database :)

> Integrit claims to be simpler and focus on the
> essentials.
Haven't tested. However all these tools operate on the same principles...

> Does anyone have some recommendations for me.
If this is a NAT gateway that has all ports firewalled from the outside
I'd be satisfied with the steps described above. Just re-check your
firewall rules, since it's your most important line of defense.

You may however (it's your system, anyhow ;-)) consider raising your
securelevel and making some files immutable (binaries, configuration) and
some other append-only (logs). man securelevel for details.

> Other recommendations to increase my security are also welcome?
Well, there are some papers on the subject available on the net, so just
do a Google search :) but they mostly focus on multi-user systems and
servers. Actually, a simpler setup == fewer possible points of entry.

I'm afraid that if you exaggerate you may end up with a system generating
tons of logs although nothing serious is happening.

Best regards,
Krzysztof
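A small POSIX sh helper for the step Krzysztof describes above (checksum the AIDE database, keep the checksum offsite, compare before trusting a check run). This is an added example, not code from the post or from the AIDE project; the database path and the name of the reference file are assumptions.

```shell
#!/bin/sh
# Constructed example: compare the on-host AIDE database against the MD5 you
# recorded when it was built (the copy kept offsite), and refuse to run the
# integrity check if the database itself has been altered.

# Portable MD5 of one file: FreeBSD ships md5(1), Linux ships md5sum(1).
file_md5() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# verify_db_checksum DB REF
# REF holds the digest recorded earlier, in either "md5 -q" or "md5sum"
# output format. Returns 0 on match, 1 on mismatch, 2 if a file is missing.
verify_db_checksum() {
    db=$1
    ref=$2
    [ -f "$db" ] && [ -f "$ref" ] || return 2
    # Pull the first 32-hex-digit token so both digest formats work.
    expected=$(grep -o '[0-9a-f]\{32\}' "$ref" | head -n 1)
    actual=$(file_md5 "$db")
    [ "$actual" = "$expected" ]
}

# run_aide_check REF: only trust "aide --check" when the database it reads
# is the one you sealed. /var/db/aide/aide.db is an assumed path; match it
# to the "database" setting in your aide.conf.
run_aide_check() {
    if verify_db_checksum /var/db/aide/aide.db "$1"; then
        command -v aide >/dev/null 2>&1 && aide --check
    else
        echo "aide.db does not match the offsite checksum; do not trust --check output" >&2
        return 1
    fi
}
```

Record the reference with `md5 -q /var/db/aide/aide.db` (or `md5sum`) right after building the database, copy it off the machine, and bring it back only for the comparison.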
