Security Basics mailing list archives

Re: Info HIDS


From: captgoodnight () acsalaska net
Date: Thu, 8 Jul 2004 19:14:07 -0800

On Thursday 08 July 2004 03:21 am, Carlos H wrote:
Hello list,

recently I have been deploying a DMZ.  I'm trying to install and
configure an HIDS (tripwire) to get intrusion information about a Web
Server (WebServer1).

Looking at Tripwire's manual I found that it is necessary (I'm not really
sure!!!) that Tripwire run on the same machine to be monitored.  I mean,
Tripwire must be installed on WebServer1.  That is not good for me!  The
question is: Does another way exist to configure Tripwire (or other HIDS)
to detect intrusions on a remote host? Is it possible to install Tripwire on
a different host from WebServer1?

Carlos H.

Not sure if my method applies, but on my honeypots, I use tripwire binaries from a 
CDR, activated by cron. Reports are picked up internally via pop3s. A pattern of retrieval/activation
becomes obvious, thus a tell-all to suspicious activity. Timing between the machines should be 
kept aligned too (ntpd); small window.  SSH could also be used instead of cron/pop3s.
CDRs are a good way to keep binaries honest; chkrootkit is also used from the CDR.

I know there are holes in this method, I do only run lightweight honeypots though. Not a honeynet.


Just a thought.
cg
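The cron-driven, read-only-media integrity job described above, as an added example that is not part of this thread or of Tripwire itself: a small POSIX sh job that hashes a web root with tools taken from a trusted mount first, compares against a baseline stored off the monitored box, and emits a timestamped report suitable for piping over ssh to a collector. The mount point, baseline location and collector name are assumptions.

```shell
#!/bin/sh
# Constructed example: file-integrity job in the spirit of the CDR tripwire run.
# Assumes (hypothetical) a read-only medium mounted at /mnt/cdrom that carries
# sha256sum/find/sort, and a baseline kept off-host or on that medium.

# Record "hash  path" for every regular file under DIR, sorted by path so
# two snapshots of an unchanged tree are byte-identical.
fim_snapshot() {   # usage: fim_snapshot DIR
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort -k 2
}

# Compare BASELINE against the live tree under DIR.
# Prints one "MODIFIED|DELETED|ADDED path" line per change.
# Returns 0 when nothing changed, 1 when any change was found.
fim_compare() {    # usage: fim_compare BASELINE DIR
    base="$1"; dir="$2"
    cur=$(mktemp) && rep=$(mktemp) || return 2
    fim_snapshot "$dir" > "$cur"
    # Baseline lines whose exact "hash  path" no longer appears: modified or gone.
    # sha256sum prints 64 hex chars plus two spaces, so the path starts at column 67.
    while IFS= read -r line; do
        grep -qxF -- "$line" "$cur" && continue
        path=$(printf '%s\n' "$line" | cut -c67-)
        if [ -e "$path" ]; then echo "MODIFIED $path"; else echo "DELETED $path"; fi
    done < "$base" > "$rep"
    # Paths present now that the baseline never recorded: added files.
    cut -c67- "$cur" | while IFS= read -r path; do
        cut -c67- "$base" | grep -qxF -- "$path" || echo "ADDED $path"
    done >> "$rep"
    cat "$rep"
    if [ -s "$rep" ]; then rc=1; else rc=0; fi
    rm -f "$cur" "$rep"
    return $rc
}

# Run the job with the trusted medium first in PATH, and stamp the report with
# host and UTC time so reports from several ntpd-synced machines line up.
# Example cron entry (hypothetical collector name):
#   17 * * * * sh /mnt/cdrom/fim.sh | ssh fim@collector 'cat >> reports.log'
fim_job() {        # usage: fim_job TRUSTED_BIN BASELINE DIR
    PATH="$1:$PATH"; export PATH
    echo "# fim host=$(hostname) utc=$(date -u +%Y-%m-%dT%H:%M:%SZ) dir=$3"
    fim_compare "$2" "$3"
}
```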

