Re: Host Based IDS Recommendations

From: Maarten Van Horenbeeck (maarten_at_daemon.be)
Date: 12/20/03

  • Next message: Teicher, Mark (Mark): "Host based IDS Reports"
    Date: Sat, 20 Dec 2003 18:16:31 +0000 (GMT)
    To: focus-ids@securityfocus.com

    Hi,

    In the field of HIDS, I have had some very good experiences with
    Symantec's Host IDS. In real-life use, it has proven to be a very
    trustworthy system, and has grown to be very reliable. Another exquisite
    system, though more limited in scope, is Tripwire.

    While a different approach, many host-based Intrusion Prevention Systems
    also generate an important deal of logging which is extremely useful from
    an HID point of view. On many systems, I tend to run software such as the
    grsecurity patches (on Linux kernels), which can be configured in such a
    way to log a syslog event on somewhat suspicious traffic.

    An example:
    Dec 3 05:05:11 shiva kernel: grsec: attempted resource overstep by
    requesting 1024 for RLIMIT_NOFILE against limit 1024 by (initlog:27874)
    UID(0) EUID(0), parent (S55sshd:15305) UID(0) EUID(0)

    You will have to write some custom log parsers yourself, and develop a
    secure log transportation mechanism, as syslog may become unreliable
    immediately after compromise, before these log entries are actually of
    use. However, this is more than worth it, especially if you consider the
    fact that this software is often not all that pricy (this specific example
    is even free).

    Best regards,
    Maarten

    --
    Maarten Van Horenbeeck
    maarten@daemon.be
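Added example, not code from the post or from the grsecurity project: a small Python parser for the grsec "attempted resource overstep" syslog message quoted above, run over constructed sample lines, as a starting point for the custom log parsing the post says you will need to write. Hostnames, PIDs and the extra sample lines are made up; the first sample line is the post's own event re-joined onto a single syslog line.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample log: the first line is the grsec event quoted in the post
# (re-joined onto one syslog line); the other two are made-up entries for contrast.
SAMPLE_LOG = """\
Dec 3 05:05:11 shiva kernel: grsec: attempted resource overstep by requesting 1024 for RLIMIT_NOFILE against limit 1024 by (initlog:27874) UID(0) EUID(0), parent (S55sshd:15305) UID(0) EUID(0)
Dec 3 05:07:42 shiva kernel: grsec: attempted resource overstep by requesting 65536 for RLIMIT_NPROC against limit 4096 by (perl:30112) UID(1001) EUID(1001), parent (bash:30001) UID(1001) EUID(1001)
Dec 3 05:08:01 shiva sshd[15305]: Accepted publickey for maarten from 192.0.2.10 port 40022 ssh2
"""

# Pattern for the "attempted resource overstep" message format quoted in the post.
_OVERSTEP = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: grsec: "
    r"attempted resource overstep by requesting (?P<requested>\d+) "
    r"for (?P<resource>RLIMIT_\w+) against limit (?P<limit>\d+) "
    r"by \((?P<comm>[^:)]+):(?P<pid>\d+)\) UID\((?P<uid>\d+)\) EUID\((?P<euid>\d+)\), "
    r"parent \((?P<pcomm>[^:)]+):(?P<ppid>\d+)\) UID\((?P<puid>\d+)\) EUID\((?P<peuid>\d+)\)$"
)
_INT_FIELDS = ("requested", "limit", "pid", "uid", "euid", "ppid", "puid", "peuid")


def parse_grsec_line(line: str) -> Optional[Dict[str, Any]]:
    """Parse one syslog line; return a field dict for grsec overstep events, else None."""
    m = _OVERSTEP.match(line.strip())
    if not m:
        return None
    ev: Dict[str, Any] = m.groupdict()
    for k in _INT_FIELDS:
        ev[k] = int(ev[k])
    # A root-effective process hitting a limit warrants a closer look than an
    # unprivileged one: misconfiguration, or something running as root that should not.
    ev["privileged"] = ev["euid"] == 0
    return ev


def parse_log(text: str) -> List[Dict[str, Any]]:
    """Parse a syslog extract, silently skipping lines that are not grsec overstep events."""
    return [ev for ev in map(parse_grsec_line, text.splitlines()) if ev is not None]


def count_by_resource(events: List[Dict[str, Any]]) -> Dict[str, int]:
    """Aggregate events per RLIMIT so a spike in one resource (e.g. NPROC) stands out."""
    counts: Dict[str, int] = {}
    for ev in events:
        counts[ev["resource"]] = counts.get(ev["resource"], 0) + 1
    return counts
```

Feed it the output of whatever secure log transport you set up; the parser only recognises this one grsec message, so other grsec message types need their own pattern.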
