WebApp Sec mailing list archives
Re: Intrusion Detection
From: "David Ryan" <dave.ryan () gmail com>
Date: Wed, 12 Jul 2006 01:52:25 +0200
On 7/11/06, Daniel Cid <danielcid () yahoo com br> wrote:
> [snip] Ok, now some propaganda. I think ossec is the only system that does all three aspects I mentioned about host-based intrusion detection. It analyses your logs in real time (very close to it, at least), it does rootkit detection and file integrity checking. All this information is stored on an outside box, and the communication between the server and the "agents" (which you install on every box you want to monitor) is done with compression and encryption.
Intrusion detection tools (host/network, passive/active, etc.) are a dime a dozen. There are many commercial and open source options (my current bias). Some good, some bad, some already mentioned, none perfect. However, these tools can give different levels of visibility; but the obvious problem, as has been pointed out, is how to make sense of all of that information. Analysing logs can be a pain, especially when there are so many different types of file formats, ranging from semi-standardised to downright disgusting.

One attempt to solve this problem, to a certain degree, has been the introduction of a common message exchange protocol, i.e. the Intrusion Detection Message Exchange Format Protocol (IDMEF). This aims to abstract event messages into a common format that can then be communicated and analysed between disparate tools/frameworks. I'm not quite sure what the current status is, but the last I observed on the mailing list was a move from IETF draft into RFC Experimental (I think). There are a number of open source and commercial tools supporting this protocol, but sadly it seems like a number of the "big vendors" have not done so (for whatever reason; I'm sure there are likely to be many objective and subjective points of view).

Log analysis can mean many things, of course. Simply using signatures in snort, or tailing syslogs with logwatcher, are options, but they don't scale well and, more importantly, don't give an objective view of the event profile of an environment. Enter event correlation. Buzz word? Research topic? That depends on who you're talking to! In my limited experience, this is certainly an area of fascinating and active research, with many different approaches and currently no "right way".
However, automating the correlation of events from disparate systems and then classifying them as intrusions is something that, no doubt, we would all like to have :)

One interesting research project, which is no longer active (to my knowledge), is STAT (http://www.cs.ucsb.edu/~rsg/STAT/), which used state models to observe attack scenarios within a system (note: system here does not mean an operating system; we could consider the entire network as a system). Code is available on the site, but I must admit I never quite got past the theoretical aspects of it - wonderful reading material :)

A usable framework I am quite fond of is Prelude IDS (http://www.prelude-ids.org). Prelude supports IDMEF and provides a framework for knitting a number of existing tools together (e.g. snort, samhain, pam, libsafe, and more), and has a great generic parser (prelude-lml) for converting log formats into IDMEF, which can then be fed into the Prelude framework. This is done using regexes to parse different formats, e.g. apache, mod_security, pix logs, ... Log format not listed? Write your own regex and corresponding ruleset. There's also a commercial plugin for feeding in nessus results - an active source of knowledge.

Whilst there is event aggregation (what most vendors sell as "correlation", or so I thought last time I checked), I think the current weak point is the approach to event correlation. However, recent endeavours with SEC integration (http://www.estpak.ee/~risto/sec/) and continuing development plans for their own correlation engine make this an interesting and compelling project to follow/try out. Incidentally (may seem obvious), I've deployed prelude in a production environment and was quite happy with the results - making sense of digital tons of IDS and general application log data, via a single framework, was a big help. YMMV, of course.

Another project knocking about is OSSIM (http://www.ossim.net/).
</verbalDiarrhoea> Just some things to think about, for those of you considering your options. Cheers, Dave.
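The two steps Dave's message separates (a prelude-lml-style regex ruleset that turns heterogeneous log formats into one common event schema, and a correlation pass over the normalized events that aggregation alone does not give you) are easier to see in code than in prose. The following is an added example written for this archive page; it is not code from prelude-lml, SEC, OSSEC, OSSIM or any other project named in the thread. The regexes, the flat event dictionary (a stand-in for IDMEF, which is really an XML schema with many more fields), the sample log lines, the assumed year for the syslog timestamps and the threshold/window values are all assumptions chosen for illustration.

```python
"""Normalize log lines from several formats into one event schema, then
correlate them.  Added example: this is not code from prelude-lml, SEC,
OSSEC or any other project named in the thread.  The regexes, the flat
event fields (a stand-in for IDMEF, which is really an XML schema), the
sample log lines and the threshold/window values are all assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: one host (203.0.113.7) fails against sshd twice,
# then gets a 401 from Apache, then is denied at the firewall.  The cron line
# and the 200 response are there to show lines no rule is meant to match.
SAMPLE_LOGS = [
    'Jul 11 23:10:01 web1 sshd[4211]: Failed password for root from 203.0.113.7 port 40122 ssh2',
    'Jul 11 23:10:04 web1 sshd[4213]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2',
    '203.0.113.7 - - [11/Jul/2006:23:11:02 +0200] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/4.0"',
    '198.51.100.20 - - [11/Jul/2006:23:11:30 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    'Jul 11 23:12:10 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/51000 dst inside:10.0.0.5/3306 by access-group "outside_in"',
    'Jul 11 23:12:11 web1 cron[4300]: (root) CMD (run-parts /etc/cron.hourly)',
]

# One (regex, classification, analyzer) row per log format, in the spirit of
# a prelude-lml ruleset: a format not listed here is simply another row.
RULES = [
    (re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                r"Failed password for (?:invalid user )?(?P<user>\S+) "
                r"from (?P<src>\d+\.\d+\.\d+\.\d+)"),
     "auth.failure", "sshd"),
    (re.compile(r"^(?P<src>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] "
                r'"(?P<req>[^"]*)" 401 '),
     "auth.failure", "apache"),
    (re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ %PIX-\d-\d+: "
                r"Deny tcp src \w+:(?P<src>\d+\.\d+\.\d+\.\d+)/\d+ "
                r"dst \w+:(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<port>\d+)"),
     "firewall.deny", "pix"),
]

SYSLOG_YEAR = 2006  # syslog timestamps carry no year; assumed for the sample


def _parse_time(raw, analyzer):
    """Each format spells its timestamp differently; normalize to datetime.
    All sources are assumed to log in the same local timezone."""
    if analyzer == "apache":                       # 11/Jul/2006:23:11:02 +0200
        return datetime.strptime(raw.split()[0], "%d/%b/%Y:%H:%M:%S")
    return datetime.strptime(f"{SYSLOG_YEAR} {raw}", "%Y %b %d %H:%M:%S")


def normalize(line):
    """Map one raw line onto the common event dict; None if no rule matches.
    Unmatched lines are the normal case (the cron line above), not an error."""
    for pattern, classification, analyzer in RULES:
        m = pattern.match(line)
        if m:
            g = m.groupdict()
            return {
                "classification": classification,
                "analyzer": analyzer,
                "time": _parse_time(g["ts"], analyzer),
                "source": g.get("src"),
                "target": g.get("dst"),
                "user": g.get("user"),
            }
    return None


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Raise one alert per source that produces >= threshold auth.failure
    events inside `window`, regardless of which analyzer reported them.
    This is the step plain aggregation misses: the sshd and Apache failures
    only become one attack once they share a schema and a source field."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["classification"] == "auth.failure":
            by_source[ev["source"]].append(ev)
    alerts = []
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        start = 0                                  # sliding window [start, end]
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits = evs[start:end + 1]
                alerts.append({
                    "classification": "auth.bruteforce",
                    "source": src,
                    "count": len(hits),
                    "analyzers": sorted({h["analyzer"] for h in hits}),
                    "first": hits[0]["time"],
                    "last": hits[-1]["time"],
                })
                break                              # one alert per source
    return alerts


def analyse(lines):
    """Full pipeline: parse every line, drop the unparsed, correlate."""
    events = [ev for ev in map(normalize, lines) if ev is not None]
    return events, correlate(events)


if __name__ == "__main__":
    evts, alts = analyse(SAMPLE_LOGS)
    for ev in evts:
        print(ev["time"], ev["analyzer"], ev["classification"], ev["source"])
    for a in alts:
        print("ALERT", a)
```

Run stand-alone it prints four normalized events and one alert for 203.0.113.7 that cites both the sshd and apache analyzers; the 200 response and the cron line fall through the ruleset, which is the expected behaviour for a regex-driven parser rather than a failure. The point the message makes about aggregation versus correlation is in `correlate`: counting per analyzer would give two sshd failures and one Apache failure, neither of which reaches the threshold, whereas the shared schema lets the same source be counted across tools.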
Current thread:
- DMZ and critical data Pedro Henrique Morsch Mazzoni (Jul 08)
- Re: DMZ and critical data 蓝牙 (Jul 09)
- RE: DMZ and critical data Brian J. Bartlett (Jul 09)
- Re: DMZ and critical data Mohammad Ali Sarbanha (Jul 09)
- Intrusion Detection David Robert (Jul 09)
- Re: Intrusion Detection Ivan Ristic (Jul 10)
- Re: Intrusion Detection Jamie Riden (Jul 10)
- Re: Intrusion Detection Daniel Cid (Jul 11)
- Re: Intrusion Detection David Ryan (Jul 12)
- Re: Intrusion Detection skarvin (Jul 12)
- <Possible follow-ups>
- Re: DMZ and critical data sarbanha (Jul 09)
- Re: DMZ and critical data Ken Adler - QDSP, CISSP, PMP, CISA (Jul 09)