IDS mailing list archives

Re: Host Based IDS Recommendations


From: Maarten Van Horenbeeck <maarten () daemon be>
Date: Sat, 20 Dec 2003 18:16:31 +0000 (GMT)

Hi,

In the field of HIDS, I have had some very good experiences with
Symantec's Host IDS.  In real-life use, it has shown to be a very
trustworthy system, and has grown to be very reliable.  Another exquisite
system, though more limited in scope, is Tripwire.

While a different approach, many host-based Intrusion Prevention Systems
also generate an important deal of logging which is extremely useful from
an HID point of view.  On many systems, I tend to run software such as the
grsecurity patches (on Linux kernels), which can be configured in such a
way as to log a syslog event on somewhat suspicious traffic.

An example:
Dec  3 05:05:11 shiva kernel: grsec: attempted resource overstep by
requesting 1024 for RLIMIT_NOFILE against limit 1024 by (initlog:27874)
UID(0) EUID(0), parent (S55sshd:15305) UID(0) EUID(0)

You will have to write some custom log parsers yourself, and develop a
secure log transportation mechanism, as syslog may become unreliable
immediately after compromise, before these log entries are actually of
use.  However, this is more than worth it, especially if you consider the
fact that this software is often not all that pricy (this specific example
is even free).

Best regards,
Maarten

--
Maarten Van Horenbeeck
maarten () daemon be
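One way to start on the custom log parser the message above calls for, as an added example that is not from the original post: a small Python filter for grsecurity's resource-overstep syslog lines, assuming the line layout is exactly the one quoted above (other grsec event types are not covered), with constructed sample log lines.

```python
import re

# Assumed layout: the grsec resource-overstep line exactly as quoted above,
# in syslog form. Other grsec event types do not match this pattern.
GRSEC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: grsec: "
    r"attempted resource overstep by requesting (?P<requested>\d+) for "
    r"(?P<rlimit>RLIMIT_\w+) against limit (?P<limit>\d+) by "
    r"\((?P<proc>[^:]+):(?P<pid>\d+)\) UID\((?P<uid>\d+)\) EUID\((?P<euid>\d+)\), "
    r"parent \((?P<pproc>[^:]+):(?P<ppid>\d+)\) UID\((?P<puid>\d+)\) "
    r"EUID\((?P<peuid>\d+)\)$"
)
INT_FIELDS = ("requested", "limit", "pid", "uid", "euid", "ppid", "puid", "peuid")

def parse_overstep(line: str):
    """Return a dict of the overstep fields for a matching line, else None."""
    m = GRSEC_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec

def privileged_oversteps(lines):
    """Keep oversteps where the offending process runs as EUID 0 and
    actually reached the limit (requested >= limit)."""
    hits = []
    for line in lines:
        rec = parse_overstep(line)
        if rec and rec["euid"] == 0 and rec["requested"] >= rec["limit"]:
            hits.append(rec)
    return hits

# Constructed sample input: the quoted line re-joined as syslog stores it,
# an unrelated kernel line, and an unprivileged overstep that is not flagged.
SAMPLE_LOG = [
    "Dec  3 05:05:11 shiva kernel: grsec: attempted resource overstep by "
    "requesting 1024 for RLIMIT_NOFILE against limit 1024 by (initlog:27874) "
    "UID(0) EUID(0), parent (S55sshd:15305) UID(0) EUID(0)",
    "Dec  3 05:05:12 shiva kernel: eth0: link up",
    "Dec  3 05:07:40 shiva kernel: grsec: attempted resource overstep by "
    "requesting 512 for RLIMIT_NPROC against limit 1024 by (bash:28001) "
    "UID(1000) EUID(1000), parent (sshd:27990) UID(0) EUID(0)",
]

if __name__ == "__main__":
    for r in privileged_oversteps(SAMPLE_LOG):
        print(f"{r['ts']} {r['host']}: {r['proc']}[{r['pid']}] hit {r['rlimit']} "
              f"({r['requested']}/{r['limit']}), parent {r['pproc']}[{r['ppid']}]")
```

Feeding this from a remote, append-only log collector rather than the local syslog file keeps the records usable after the host itself is no longer trustworthy.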
