Softpanorama |
May the source be with you, but remember the KISS principle ;-)
Nabou is a system integrity monitor: it runs every night and watches for changes to files. If a file has changed in any way, it will inform you by email (if you prefer that). Besides this it can also look for changed or added user accounts, cron jobs, unusual processes and setuid files, and you can define your own checks using inline scriptlets.
It stores the properties of each file in a dbm database and warns you if any of them change. The most important property to check is the MD5 checksum: it changes whenever the file content changes, even by a single byte (MD5 collisions can now be constructed deliberately, so it is no longer a strong guarantee against a careful attacker, but it still catches every ordinary modification). You can also watch other properties, such as ownership or file mode. See the configuration section for details.
nabou requires Perl and some Perl modules.
If you are interested, here is a sample report generated by a nabou check run.
Securing Debian Manual - After Installation
Are you sure /bin/login on your hard drive is still the binary you installed there some months ago? What if it is a hacked version, which stores the entered password in a hidden file or mails it in cleartext all over the Internet? The only method to have some kind of protection is to check your files every hour/day/month (I prefer daily) by comparing the current md5sum of the file with the old one. The MD5 digest is 128 bits, so the chance that two random files share an md5sum is roughly one in 3.4e38, which is negligible. Two caveats apply. First, MD5 collisions can now be constructed deliberately (two different files with the same md5sum), so a checker set up today should use SHA-256 or better rather than MD5. Second, you are only safe as long as nobody has also replaced the md5sum program, or the shared libraries and kernel it depends on, on that machine. This is more work for an attacker, but rootkits that do exactly this exist, so keep a trusted copy of the checksum tool and of the checksum database on read-only media or on another host. You really should consider this auditing of your binaries as very important, since it is an easy way to recognize changes to your binaries. Common tools used for this are sXid, AIDE (Advanced Intrusion Detection Environment), Tripwire (non-free; the new version will be GPL), integrit and samhain.
Installing debsums will help to check the filesystem integrity by comparing the md5sum of every file against the md5sums shipped in the Debian package. But beware: those md5sum lists are stored on the same filesystem (under /var/lib/dpkg/info/) and can easily be changed by the same attacker.
Furthermore you can replace locate with slocate. slocate is a security-enhanced version of GNU locate: with slocate a user only sees the files he really has access to, and you can exclude any files or directories on the system from the database.
Debian provides a cron job that runs daily in /etc/cron.daily/standard. This cron job runs the /usr/sbin/checksecurity script, which records changes to the set of setuid files on the system. For this check to be made, CHECKSECURITY_DISABLE must be set to "FALSE" in /etc/checksecurity.conf. Note that this is the default, so unless you have changed something, this option will already be set to "FALSE". The default behaviour does not send this information to the superuser but instead keeps daily copies of the changes in /var/log/setuid.changes. Set CHECKSECURITY_EMAIL (in /etc/checksecurity.conf) to 'root' to have this information mailed to root. See checksecurity(8) for more configuration info.
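As an added example (not Nabou's or the Debian manual's own code) of the checking that the Nabou description and the manual excerpt above both describe, here is a small Python integrity monitor. It stores a digest plus owner, group, mode and size for every regular file under the watched directories in a dbm database, reports files that were added, removed or changed on the next run, and lists setuid/setgid files the way checksecurity's setuid.changes does. SHA-256 is used instead of MD5 because MD5 collisions can be constructed deliberately; the watched paths, the database location and the scratch tree built by demo() are assumptions made for the example.

```python
import dbm
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path, hash_name="sha256"):
    """Collect the properties the text says are worth watching for one file.

    MD5 is what the tools quoted above use; because colliding MD5 inputs
    can now be constructed deliberately, SHA-256 is the default here."""
    st = os.lstat(path)
    h = hashlib.new(hash_name)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "digest": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        # tracked as a property so a newly privileged binary shows as "changed"
        "setuid": bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID)),
    }


def scan(roots):
    """Fingerprint every regular file below the given directories (symlinks skipped)."""
    result = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                result[path] = fingerprint(path)
    return result


def compare(db_path, roots, update=True):
    """Diff the current state of `roots` against the baseline kept in `db_path`.

    Returns {"added": [...], "removed": [...], "changed": {path: [props]},
    "setuid": [...]}. The first run only creates the baseline. With
    update=True the baseline is replaced by the current state afterwards
    (a real deployment keeps that database on read-only media)."""
    current = scan(roots)
    report = {"added": [], "removed": [], "changed": {}, "setuid": []}
    with dbm.open(db_path, "c") as db:
        baseline = {k.decode(): json.loads(db[k]) for k in db.keys()}
        for path in sorted(current):
            props = current[path]
            old = baseline.get(path)
            if old is None:
                if baseline:          # an empty baseline means first run
                    report["added"].append(path)
            else:
                diff = sorted(k for k in props if props[k] != old.get(k))
                if diff:
                    report["changed"][path] = diff
            if props["setuid"]:
                report["setuid"].append(path)
        report["removed"] = sorted(set(baseline) - set(current))
        if update:
            for k in list(db.keys()):
                del db[k]
            for path, props in current.items():
                db[path] = json.dumps(props)
    return report


def demo():
    """Three runs over a scratch tree (an assumption for the example):
    baseline, then a content change plus a new file, then a mode change
    plus a deletion. Returns the three reports and the two paths used."""
    root = tempfile.mkdtemp(prefix="integrity-")
    watched = os.path.join(root, "bin")
    os.mkdir(watched)
    login = os.path.join(watched, "login")
    with open(login, "wb") as f:
        f.write(b"original binary")
    os.chmod(login, 0o755)
    db_path = os.path.join(root, "baseline")

    first = compare(db_path, [watched])
    with open(login, "wb") as f:            # same length, different bytes
        f.write(b"trojaned binary")
    extra = os.path.join(watched, "extra")
    with open(extra, "wb") as f:
        f.write(b"dropped by attacker")
    second = compare(db_path, [watched])
    os.chmod(login, 0o700)
    os.remove(extra)
    third = compare(db_path, [watched])
    return first, second, third, login, extra


if __name__ == "__main__":
    for label, rep in zip(("baseline", "run 2", "run 3"), demo()[:3]):
        print(label, json.dumps(rep, indent=1))
```

Run compare() once to create the baseline and then from cron. Like the tools described above, it is only as trustworthy as the script, the interpreter and the database it reads: if an attacker can rewrite all three on the monitored host, the report will say nothing is wrong.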
Honeypots, Intrusion Detection, Incident Response
Motorola Introduces New Weapon to Thwart Cyber Intruders: Motorola's Intrusion Vision synthesizes network data, enabling rapid recognition and response to network attacks

Washington, D.C. - June 5, 2001 - Network administrators now have a new first line of defense in the protection of information assets. Motorola, Inc. announced today a visualization and analysis software tool that helps the user visually interpret network attacks at a glance and respond quickly. Motorola Intrusion Vision provides a single, intuitive display of information received from many network and host-based intrusion detection sensors within a business or operation. Additionally, it can correlate attack information received from different sensors to let operators know of a serious attack. Because the data is displayed in near-real time, the user can react quickly based on responses defined by the operation's security policy. Rapid response can serve to eliminate or mitigate potential damage to the network.

"I respect the pedigree of Motorola's capabilities with security technology. This Windows-based commercial off-the-shelf security product incorporates that know-how," said Steve Lewis, an information security expert for PRO-telligent, LLC assigned to the Department of State. "Motorola Intrusion Vision proves simple and easy to operate, allows for better report creation and storage and it supports both commercial and public domain intrusion detection systems. It is a system that can prevent and protect rather than report and react after the fact. Correlating attack information before it gets too deep into the operator's system should be a cornerstone of sound network management and is a benefit of Motorola's technology."

John Cole, Vice President and General Manager of Motorola's Information Security Systems and Products Divisions says, "Visualization and correlation of network intrusion information is a high priority with network administrators who are overwhelmed with the volume of textual data received from sensors. This product is the first step for anyone interested in improving detection and reaction time. In addition to rapid response, Motorola Intrusion Vision can reduce the level of expertise and expense businesses devote to monitoring sensors for evidence of cybercrime."

Motorola Intrusion Vision features a graphical ring display resembling a bull's eye that operators can easily interpret. They can then access the underlying sensor data from the same screen. Use of an open Application Programming Interface (API) facilitates interoperability with a wide range of sensors and intrusion detection devices. The software is written in Java script and is portable to many hosts.

"The unsolved problems of the intrusion detection world include predictive analysis. In other words, based on what happened in the recent past, we have an indication and warning of what attack is about to occur. The underlying technology of Motorola Intrusion Vision allows for simple, predictive analysis," says David O'Brien, a consultant for Epsilon Systems.

Protection of industrial information assets is just one area where Motorola, with demonstrated expertise in government-risk avoidance technology assets, is bringing advanced capability to the commercial world of information technology. Motorola Intrusion Vision will be available this month and priced starting at US$11,490 for the basic version.

About Motorola: Motorola, Inc. (NYSE:MOT) is a global leader in providing integrated communications solutions and embedded electronic solutions. These include software-enhanced wireless telephone, two-way radio, messaging and satellite communications products and systems, as well as networking and Internet-access products, for consumers, network operators, and commercial, government and industrial customers. Sales in 2000 were $37.6 billion.
Intrusion Detection Solutions: Dragon Squire - Host Intrusion Detection

Why host based IDS?
Enterasys developed the Dragon Squire product line as a host based IDS for several reasons. First, simply put, a NIDS has a really difficult time with encrypted traffic. Dragon Sensor has signatures which look for SSH activity, but no NIDS, Dragon Sensor included, can see inside an SSH session and look for login failures. Another large protocol which a NIDS cannot decode is secure web transactions protected with SSL. Second, even though we think Dragon Sensor is one of the most advanced NIDS in existence, we believe that a determined attacker will bypass the NIDS and compromise a sensitive host; the same applies to the insider threat, which may never cross the monitored network at all. Once an attacker has achieved system access, they may do something which generates network activity and is detected by Dragon Sensor, but it is more likely that the attacker will do something directly to the targeted computer which is detected by Dragon Squire. And finally, our third reason to produce a HIDS was to be able to use it as a secure log aggregator that processes router logs, firewall logs and many other sources of security information.

System Log Analysis
Dragon Squire is placed directly on key servers. Once loaded, it can be directed to monitor (tail) key system log files for suspicious activity. On Windows NT and 2000, Dragon Squire can monitor the NT event log as well.

Syslog Analysis
For routers and firewalls which do not have a local operating system to run Dragon Squire, libraries to analyze the syslog messages from those devices can be placed on a dedicated log server which runs Dragon Squire. For example, a router farm could use syslog to send events to a dedicated Linux server running the Dragon Squire software and the libraries for the routers' logs. In this case Dragon Squire does not receive or process the syslog messages directly; it relies on the underlying system to receive and store them, and then analyzes them like any other local log file. This allows Dragon Squire to work with many forms of syslog, such as Secure Syslog and K-Syslog.

SNMP Trap Analysis
Dragon Squire can receive and process SNMP v1 traps. It parses each trap into a list of SNMP OIDs and their values, and signatures can then match specific OID and value combinations.

MD5 File Analysis
Dragon Squire performs MD5 checksum analysis on key files. It stores these MD5 checksums in a local file and on the Dragon Policy Manager. If the contents of a monitored file change, the MD5 value changes and an alert can be generated. This detects backdoors and other potentially harmful file modifications. The second copy on the Policy Manager matters: a checksum database kept only on the monitored host can be rewritten by the same attacker who modified the file.

Low System Impact
Dragon Squire has been designed to minimize system impact. Performance varies greatly from operating system to operating system, as well as with server load and network activity, but Dragon Squire has a very small footprint that takes up little memory and hard drive space for logs.
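The encrypted-session problem above is the usual argument for host-side log analysis: a NIDS cannot see the login failures inside an SSH session, but the server's own log records every one of them. As an added example that is not Dragon Squire's code, the following Python reads sshd's syslog output (a few constructed lines in the format OpenSSH writes on Linux), counts failed logins per source address in a sliding window, and raises a second, more serious alert when a source that is already over the failure threshold then logs in successfully. The threshold, the window, the host name and the year assumed for the timestamps are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (not a real log) in OpenSSH's default syslog format.
SAMPLE_LOG = """\
Jun  5 10:41:02 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51212 ssh2
Jun  5 10:41:04 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51213 ssh2
Jun  5 10:41:05 web1 sshd[2234]: Failed password for root from 203.0.113.7 port 51214 ssh2
Jun  5 10:41:07 web1 sshd[2237]: Failed password for root from 203.0.113.7 port 51215 ssh2
Jun  5 10:41:09 web1 sshd[2240]: Failed password for root from 203.0.113.7 port 51216 ssh2
Jun  5 10:41:11 web1 sshd[2243]: Accepted password for root from 203.0.113.7 port 51217 ssh2
Jun  5 10:55:30 web1 sshd[2301]: Failed password for alice from 198.51.100.9 port 40022 ssh2
Jun  5 10:55:41 web1 sshd[2303]: Accepted publickey for alice from 198.51.100.9 port 40023 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line, year=2001):
    """Return one login event, or None for lines that are not sshd auth results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; one is assumed so events can be ordered
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def analyse(text, threshold=4, window_seconds=300):
    """Return alerts as (kind, src) tuples, in the order they fire.

    'bruteforce' fires once when a source reaches `threshold` failures inside
    the sliding window; 'compromise' fires when a source that has already
    been flagged gets an Accepted line, which is the case worth waking
    someone up for."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()             # forget failures older than the window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("bruteforce", ev["src"]))
        elif ev["src"] in flagged:
            alerts.append(("compromise", ev["src"]))
    return alerts


if __name__ == "__main__":
    for kind, src in analyse(SAMPLE_LOG):
        print(f"{kind}: {src}")
```

In a deployment the same function would be fed from the tail of the live auth log rather than a string, and the "compromise" alert is the one to route to a pager: a single accepted login right after a burst of failures from the same address is exactly the event the network sensor in the text cannot see.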
Cisco IDS (formerly NetRanger) - Intrusion Detection System: Software Technical Specifications for IDS Host Sensor (Standard Agents); Technical Specifications for Host IDS Sensor (Web Server Edition). www.cisco.com/univercd/cc/td/doc/pcat/nerg.htm
Installing and Configuring the Cisco IDS Host Sensor on CallManager 3.0 and 3.1 (contents include Caveats and Using Cisco Host IDS Sensor Agent and McAfee NetShield). www.cisco.com/warp/public/788/AVVID/ids_host_sensor_cm.html
Neohapsis Archives - IDS List - Re: RE: Host IDS - From Talisker@networkintrusion.co.uk

Questions Specific to Intrusion Detection and this list

1: What is Intrusion Detection?
Intrusion Detection is the active process to document and catch attackers and malicious code on a network. It is described in two types of software: Host based software and Network based software.

2: What is the difference between Host based (HIDS) and Network based IDS (NIDS)?
HIDS is software which reveals if a machine is being or has been compromised. It does this by checking the files on the machine for possible problems. Software described as host based IDS could include File Integrity checkers (TripWire), Anti-virus software (Norton AV), Server Logs (Event viewer or syslog), and in some ways even backup software can be a HIDS. NIDS is software which monitors network packets and examines them against a set of signatures and rules. When the rules are violated the action is logged and the Admin could be alerted. Examples of NIDS software are SNORT, ISS RealSecure, and Network Flight Recorder.

3: Who is Stephen Entwisle and why does he send a newsletter every week?
Stephen works for Security Focus. He worked as a moderator and editor of different announcements. The weekly newsletter is a summary of vulnerabilities and security papers announced that week. It is convenient to have the newsletter to keep up with the latest security issues without having to check every day.

4: Who are the 31173 on this list?
Dug Song: Security expert who wrote the tool fragrouter and runs monkey.org.
Robert Graham: CTO of NetworkICE (bought by ISS). Wrote great FAQs.
Martin Roesch: Author of SNORT.
Max Vision: Runs www.whitehats.com. Keeps a database of attack signature information known as arachNIDS.
Marcus Ranum: CTO of Network Flight Recorder (one of the best known NIDS). See his official bio here.
Ron Gula: A large contributor to SNORT and CTO of Dragon NIDS. He also has an official bio here.

5: I see snippets of output like:

Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56023 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56034 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56035 UDP

What is this output from?
As a whole, this is the type of output you will examine with a Network Intrusion Detection System. The above lines could have been taken from a network sniffer like TCPDUMP or from a NIDS like SNORT. Once you understand the basics about reading network sniffer output, you can communicate with others about odd network traffic and understand the output above.

6: I always see Snort being mentioned. Is it the most popular NIDS?
It is very popular for a few reasons: 1) The author of the program reads and replies to this list (see the "who are the 31173" question). 2) It is constantly improving from its user feedback and the author's persistence. 3) It has both UNIX/Linux and Windows versions. 4) It's FREE! Is it the top of the line NIDS? No. It is however a very good tool to get started with NIDS. It has a serious place in any production network.

7: What tools can be used for building packets?
hping
isic
Trinux: a floppy distro of Linux, contains the above tools plus more.

8: What are some personal IDS/firewalls?
While they don't fit into the enterprise class of IDS, there are several programs that can provide firewall and IDS services for a single user/PC. Here are a few: Black Ice Defender, Symantec Personal Firewall, McAfee Firewall V2.1, ZoneAlarm.

9: Where can I find a list of Intrusion Detection Systems?
http://www.networkintrusion.co.uk

10: How can I test my IDS?
We suggest the following steps:
1) Place the NIDS on a test network with a hub and a separate server.
2) Run the tool Nessus against the separate server.
3) When Nessus is done, what attacks did it detect? If it did not detect all the attacks, does the NIDS have the latest signatures? Can you write your own rules for the NIDS to catch the attack?
4) After the tests with Nessus, run the packet building tools. Make various illegal packets and aim them at the separate server. Does it detect the packets? Also use fragrouter against it to see how it handles fragmented packets.
5) Repeat steps 2 - 4 against the NIDS machine.
6) Harden the NIDS to help prevent it from being compromised.
7) Place it on the production network and see how many false positives it gets.
8) Tune it down from the false positives.
9) As new vulnerabilities occur, update the Nessus signatures and test to see if the NIDS catches them.
Here are a few tools: NIDSbench, IDSwakeup.

11: What is a false positive?
Most IDS use signatures to compare against attacks. Sometimes normal activity triggers the IDS. The IDS detects an attack signature during normal activity. Part of maintaining the IDS is knowing when what you are dealing with is a false positive and tuning the IDS to avoid them.

12: What is a false negative?
Most IDS use signatures to compare against attacks. Sometimes attack activity doesn't trigger the IDS.

13: Why do discussions on Intrusion Detection seem to have a bias towards Linux / UNIX?
It is mainly due to the tools available. Many great tools are free for Linux / UNIX. (See the question on the top 50 tools.) Some of those tools have ports for Windows, but the Windows versions usually are an afterthought.
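As an added example that is not part of the list post above, here is a Python parser for the source:port -> destination:port lines quoted in question 5 (the same shape as the portscan lines Snort logs), together with a classifier that separates a port scan (one source hitting many ports on one host) from a host sweep (one source hitting the same port on many hosts), which is the distinction an analyst makes first when reading such output. The sample lines are constructed with RFC 5737 documentation addresses; the thresholds, the window and the year assumed for the timestamps are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real traffic) in the format of the lines quoted in question 5.
SAMPLE = """\
Jan 26 12:43:01 203.0.113.23:49658 -> 192.0.2.1:56023 UDP
Jan 26 12:43:01 203.0.113.23:49658 -> 192.0.2.1:56034 UDP
Jan 26 12:43:01 203.0.113.23:49658 -> 192.0.2.1:56035 UDP
Jan 26 12:43:02 203.0.113.23:49658 -> 192.0.2.1:56036 UDP
Jan 26 12:43:02 203.0.113.23:49658 -> 192.0.2.1:56040 UDP
Jan 26 12:50:10 198.51.100.5:1033 -> 192.0.2.10:22 TCP
Jan 26 12:50:10 198.51.100.5:1034 -> 192.0.2.11:22 TCP
Jan 26 12:50:11 198.51.100.5:1035 -> 192.0.2.12:22 TCP
Jan 26 12:50:11 198.51.100.5:1036 -> 192.0.2.13:22 TCP
Jan 26 12:50:12 198.51.100.5:1037 -> 192.0.2.14:22 TCP
Jan 26 13:02:00 192.0.2.50:40000 -> 192.0.2.1:53 UDP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse(line, year=2001):
    """Return one event dict, or None for lines that are not in this format.
    The destination may be an obscured name like MY.SUB.NET.1, as in the FAQ."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"]}


def classify(text, min_targets=5, window_seconds=60):
    """Report, per source, what kind of probing the lines show.

    Within a sliding window over one source's events: touching at least
    min_targets distinct ports on a single host is a 'portscan'; touching
    the same port on at least min_targets distinct hosts is a 'hostsweep'.
    Returns a sorted list of (kind, src, target) tuples, target being the
    scanned host or the swept port."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        ev = parse(line)
        if ev:
            by_src[ev["src"]].append(ev)
    findings = set()
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits in window_seconds
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for e in events[start:end + 1]:
                ports_per_host[e["dst"]].add(e["dport"])
                hosts_per_port[e["dport"]].add(e["dst"])
            for dst, ports in ports_per_host.items():
                if len(ports) >= min_targets:
                    findings.add(("portscan", src, dst))
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= min_targets:
                    findings.add(("hostsweep", src, str(port)))
    return sorted(findings)


if __name__ == "__main__":
    for kind, src, target in classify(SAMPLE):
        print(f"{kind} from {src} -> {target}")
```

The window matters more than the count: a slow scan spread over hours stays under any per-minute threshold, which is one reason the FAQ's advice to test the IDS with your own crafted packets (question 10) should include slow and fragmented probes, not just fast ones.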
Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Original materials' copyright belongs to their respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author's present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Created: May 16, 1997; Last modified: June 05, 2008