IDS mailing list archives

Re: Host Based IDS Recommendations


From: Krzysztof Zaraska <kzaraska () student uci agh edu pl>
Date: Thu, 25 Dec 2003 16:21:37 +0100 (CET)

On Sat, 20 Dec 2003, Maarten Van Horenbeeck wrote:

> While a different approach, many host-based Intrusion Prevention Systems
> also generate an important deal of logging which is extremely useful from
> an HID point of view.  On many systems, I tend to run software such as the
> grsecurity patches (on Linux kernels), which can be configured in such a
> way to log a syslog event on somewhat suspicious traffic.
>
> An example:
> Dec  3 05:05:11 shiva kernel: grsec: attempted resource overstep by
> requesting 1024 for RLIMIT_NOFILE against limit 1024 by (initlog:27874)
> UID(0) EUID(0), parent (S55sshd:15305) UID(0) EUID(0)
>
> You will have to write some custom log parsers yourself, and develop a
> secure log transportation mechanism, as syslog may become unreliable
> immediately after compromise, before these log entries are actually of
> use.

No need to reinvent the wheel, as that's an exact description of the
functionality we've had in Prelude for almost two years now :-)  Prelude
LML can parse logs based on regexp-based rulesets (grsec ruleset written
by the grsec author himself), create messages in a common format and send them
over an SSL'd link to a remote host. Oh, and it can run as a syslog server
as well, not only read the local files...

// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// http://mops.uci.agh.edu.pl/~kzaraska/ * http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
//              -- Stanislaw Lem
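The regexp-based ruleset approach discussed in this thread, as an added example (this is not Prelude LML code, and the rule names and field names are my own choices): an ordered list of compiled patterns, the most specific first and a catch-all last, is run over syslog lines, and each hit is turned into a normalized event dictionary. The grsec line quoted above is used as input, rewrapped onto one line; the sshd line and the second grsec line are constructed samples.

```python
import re
from typing import Iterable, Optional

# Common syslog prefix for kernel messages emitted by grsecurity.
_SYSLOG_PREFIX = (
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: grsec: "
)

# Ordered ruleset (names are my own, not Prelude's): most specific rule first,
# catch-all last so grsec messages without a dedicated rule are still surfaced.
RULES = [
    (
        "grsec-resource-overstep",
        re.compile(
            _SYSLOG_PREFIX
            + r"attempted resource overstep by requesting (?P<requested>\d+) "
            r"for (?P<resource>RLIMIT_\w+) against limit (?P<limit>\d+) "
            r"by \((?P<proc>[^:]+):(?P<pid>\d+)\) UID\((?P<uid>\d+)\) EUID\((?P<euid>\d+)\), "
            r"parent \((?P<pproc>[^:]+):(?P<ppid>\d+)\) UID\((?P<puid>\d+)\) EUID\((?P<peuid>\d+)\)$"
        ),
    ),
    ("grsec-unclassified", re.compile(_SYSLOG_PREFIX + r"(?P<message>.+)$")),
]

# First line: the grsec event quoted in the thread, rewrapped onto one line.
# The other two are constructed samples: an unrelated sshd message and a
# grsec message for which no dedicated rule exists.
SAMPLE_LINES = [
    "Dec  3 05:05:11 shiva kernel: grsec: attempted resource overstep by "
    "requesting 1024 for RLIMIT_NOFILE against limit 1024 by (initlog:27874) "
    "UID(0) EUID(0), parent (S55sshd:15305) UID(0) EUID(0)",
    "Dec  3 05:05:12 shiva sshd[4242]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2",
    "Dec  3 05:06:01 shiva kernel: grsec: constructed sample message with no dedicated rule",
]


def parse_line(line: str) -> Optional[dict]:
    """Match one syslog line against the ruleset in order.

    Returns a normalized event dict for the first matching rule, or None if
    no rule applies (lines that are not grsec kernel messages are skipped).
    """
    raw = line.rstrip("\n")
    for name, pattern in RULES:
        m = pattern.match(raw)
        if m is None:
            continue
        event = {"classification": name, "raw": raw}
        for key, value in m.groupdict().items():
            # Purely numeric fields (pids, uids, requested/limit values) become ints
            # so downstream correlation can compare them without re-parsing.
            event[key] = int(value) if value.isdigit() else value
        return event
    return None


def parse_stream(lines: Iterable[str]) -> list:
    """Run the ruleset over a sequence of log lines, dropping non-matching ones."""
    return [ev for ev in (parse_line(line) for line in lines) if ev is not None]


if __name__ == "__main__":
    for ev in parse_stream(SAMPLE_LINES):
        fields = {k: v for k, v in ev.items() if k not in ("raw", "classification")}
        print(ev["classification"], fields)
```

Rule order matters: if the catch-all were listed first it would swallow the resource-overstep line and the structured fields (process, pid, limit) would be lost. The example only covers the parsing step; shipping the resulting events to a remote host over an authenticated, encrypted channel, as the thread recommends, is a separate concern.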
