IDS mailing list archives

Re: Nagios


From: Daniel Reich <me () danielreich com>
Date: Wed, 25 Jun 2003 10:31:23 -0400

Depending on how you configure Nagios and, more specifically, what you monitor
with Nagios, I have found that you can use it to detect anomalous behaviour.
Specifically, I have set up Nagios to monitor the health of the OS.  I took it
one step further in that I keep track of the states of health.

For example, you can use some of the built-in plugins to monitor the load of a
system.  However, there are probably scenarios in which you have machines
backed up at 2AM where the load spikes.  (Yes, I think backing up through a
firewall is not such a great idea, but people still do it.)  Most people would
simply tune the load average up to the peak load in a given day.  What I
have done is sample the data on an hourly basis for a week (I keep it all
stored in a database).  So now I can monitor the system load more closely
during the day.

I did recently encounter a case where a user's laptop was sending a rather large
amount of traffic through a firewall.  Turns out it was trojaned (probably when
the user took the laptop home, or who knows).  The point here is that the
symptom that I saw on the firewall was the abnormally high load average.  When
I dug into why the load was high, I noticed the traffic spike from one machine.

One could argue that a NIDS box would have picked this up.  However, I will
point out that NIDS requires that a signature be in place to detect this.  In
the scenario above, this was something new and was not being detected by the
NIDS sensors (yet).

Cheers

-dr
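
The hour-of-day baselining described above, as an added example that is not
code from the original post: a Nagios-style check that compares the current
load against the stored samples for the same hour rather than a single
day-wide peak threshold, so a 2AM backup spike stays "OK" while the same load
at 14:00 is flagged.  The sample data, the sigma thresholds and the `floor`
guard are constructed assumptions.

```python
import os
import statistics
import sys
from datetime import datetime

# Constructed sample data standing in for the database: one week of hourly
# 1-minute load readings, keyed by hour of day.  The 02:00 slot carries the
# nightly backup spike; every other hour idles around 0.8-1.0.
HOURLY_SAMPLES = {h: [0.8 + 0.1 * (d % 3) for d in range(7)] for h in range(24)}
HOURLY_SAMPLES[2] = [5.8, 6.1, 5.9, 6.4, 6.0, 5.7, 6.2]   # backup window

# Nagios plugin exit states.
OK, WARNING, CRITICAL = 0, 1, 2
LABELS = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}


def baseline(samples, hour):
    """Mean and population std-dev of the stored readings for this hour."""
    readings = samples[hour]
    return statistics.mean(readings), statistics.pstdev(readings)


def check_load(current, hour, samples=HOURLY_SAMPLES,
               warn_sigma=2.0, crit_sigma=3.0, floor=0.5):
    """Return (state, status_line) for `current` load at `hour` (0-23).

    The deviation is measured against that hour's own baseline; `floor`
    keeps a near-constant history from turning tiny wobbles into alerts.
    """
    mean, sd = baseline(samples, hour)
    deviation = (current - mean) / max(sd, floor)
    if deviation >= crit_sigma:
        state = CRITICAL
    elif deviation >= warn_sigma:
        state = WARNING
    else:
        state = OK
    line = (f"LOAD {LABELS[state]} - load={current:.2f} hour={hour:02d} "
            f"baseline={mean:.2f}+/-{sd:.2f} z={deviation:.1f}")
    return state, line


if __name__ == "__main__":
    # Usage as a plugin: check_load.py [load]; defaults to the live 1-min load.
    load = float(sys.argv[1]) if len(sys.argv) > 1 else os.getloadavg()[0]
    state, line = check_load(load, datetime.now().hour)
    print(line)
    sys.exit(state)
```

With a single threshold tuned to the 2AM peak (about 6.4), a daytime load of
2.0 or even 6.0 would never alert; against the per-hour baseline both do.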

Quoting John <seclist () wiresec net>:

I have used Nagios in production environments. It is a bit cranky
getting set up but overall works well. I have never used the security
features; I have mostly just used it for monitoring hosts.


On Thursday, Jun 5, 2003, at 16:16 US/Central, Jennifer Fountain wrote:

Does anyone have an opinion on Nagios?  They say it can use snort and it
has its own IDS functions to detect certain traffic.  I am wondering if
this is a good product or just hype.
Thanks!

Cheers,
Jenn



-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists.  See for yourself what the buzz is about!
Early-bird registration ends July 3.  This event will sell out.
www.blackhat.com
-------------------------------------------------------------------------------