Intrusion Detection Systems (IDS)

Introduction

This document is a place-holder for documentation relating to IDS.

Tiger

From the Debian package description:

TIGER, or the 'tiger' scripts, is a set of Bourne shell scripts, C programs and data files which are used to perform a security audit of UNIX systems. TIGER has one primary goal: report ways 'root' can be compromised.

Filesystem not recognised

Tiger reports containing lines similar to the following are caused by Tiger not recognising the filesystem type:

    --CONFIG-- [con010c] Filesystem 'squashfs' used by '/mnt/foo.squashfs' is not recognised as a valid filesystem

This can be ignored by amending the following entry in /etc/tiger/tigerrc:

    Tiger_FSScan_Local=''       # Filesystems considered to be local to the system, pipe-separated

and add the file system to the pipe-separated list as needed.

    Tiger_FSScan_Local='squashfs'       # Filesystems considered to be local to the system, pipe-separated

World Writable Files

Tiger is likely to report /dev/log as being world writable. AFAIK this is OK.

See the man documentation for syslogd for details of why this is so, and some suggestions for protecting against a potential denial-of-service attack.

There is also an issue where an attacker can spoof services writing to the system log. Any user can write whatever they want to the log via this socket.

Logcheck

Logcheck helps check your log files. It scans a variety of log files, reporting any anomalies. It does this by filtering out everyday log entries using a series of regular expressions. Any log entries that are not filtered out are sent to the administrator by email. The net result is that you get a relatively concise report of any unusual activity.

Most Debian packages install a Logcheck filter appropriate for that package. Where you start receiving Logcheck reports for log entries you are not interested in, you simply add a regular expression to the configuration files.

This package is trivial to install and setup. Highly recommended.

-- Frank Dean - 07 Sep 2009

Integrit

Integrit helps alert you when an intruder has modified your system.

It does this by maintaining a database of checksums of any files on your system that you wish to monitor.

When installed on Debian (e.g. Debian 5.0 Lenny) you must edit the configuration file before Integrit starts working. An example configuration file is supplied which can be implemented fairly readily by un-commenting example entries. It is highly recommended to read the documentation, but still a fairly easy package to install, configure and use.

Integrit maintains a 'known' database and a 'current' one. Each time Integrit is run, 'current' is updated to reflect the current system. Integrit reports any inconsistencies between files in 'current' and 'known'. Ideally, you should keep the 'known' database somewhere safe. When you make changes to the system, you can manually update 'current' by running /etc/cron.daily/integrit. Once you are satisfied the contents of current are correct, copy 'current' to replace the old 'known'.

If you can't keep 'known' somewhere an intruder cannot modify it, you can keep a record of the checksum of 'known' and manually check it has not been modified using checksums. Only replace 'known' with 'current' when you are satisfied that both files could not have been altered by an intruder.

Integrit used to use MD5 for checksums of the database, but now uses RMD160. One way of obtaining the RMD160 values of the databases is to install the openssl package and run the following command:

   # openssl rmd160 /var/log/integrit/*

-- Frank Dean - 07 Sep 2009

Network Monitoring

This following are a list of network monitoring tools:

See also:

ntop

ntop gives a summary of network usage and displays the results in a browser.

This package is very useful for seeing where your bandwidth is being used. It can be configured to show a summary of usage by each port or port combination and by client/host.

It is reasonably easy to install and configure.

-- Frank Dean - 07 Sep 2009

Web Server Log Analysis

Whilst not directly associated with intrusion detection, statistical analysis of your server logs may help throw up anomalies.

Resources


-- Frank Dean - 03 Jul 2007

Related Topics: ApacheHints, LinuxHintsAndTips,