WebApp Sec mailing list archives

Re: Intrusion Detection


From: "David Ryan" <dave.ryan () gmail com>
Date: Wed, 12 Jul 2006 01:52:25 +0200

On 7/11/06, Daniel Cid <danielcid () yahoo com br> wrote:
[snip]
Ok, now some propaganda. I think ossec is the only
system that does all the three aspects I mentioned
about host-based intrusion detection. It analyses
your logs in real time (very close to it at least),
it does rootkit detection and file integrity checking.
All this information is stored on an outside box and
the communication between the server and the "agents"
(which you install on every box you want to monitor)
is done with compression and encryption.

Intrusion detection tools (host/network, passive/active, etc) are a
dime a dozen. There are many commercial and open source options (my
current bias). Some good, some bad, some already mentioned, none
perfect. However, these tools can give different levels of visibility;
but the obvious problem, as has been pointed out, is how to make sense
out of all of that information?

Analysing logs can be a pain, especially when there are so many
different types of file formats, ranging from semi-standardised to
downright disgusting. One attempt to solve this problem, to a certain
degree, has been the introduction of a common message exchange
protocol, i.e. the Intrusion Detection Message Exchange Format
Protocol (IDMEF). This aims to abstract event messages into a common
format that can then be communicated and analysed between disparate
tools/frameworks. I'm not quite sure what the current status is, but
last I observed on the mailing list was a move from IETF draft into
RFC Experimental (I think). There are a number of open source and
commercial tools supporting this protocol, but sadly it seems like a
number of the "big vendors" have not done so (for whatever reason, I'm
sure there are likely to be many objective and subjective points of
view).

Log analysis can mean many things, of course. Simply using signatures
in snort, or tailing syslogs with logwatcher are options, but they
don't scale well and, more importantly, don't give an objective view
of the event profile of an environment. Enter event correlation.

Buzz word? Research topic? That depends on who you're talking to! In
my limited experience, this is certainly an area of fascinating and
active research, with many different approaches and currently no
"right way". However, automating the correlation of events from
disparate systems and then classifying them as intrusions is something
that, no doubt, we would all like to have :)

One interesting research project, which is no longer active (to my
knowledge), is STAT (http://www.cs.ucsb.edu/~rsg/STAT/), which used
state models to observe attack scenarios within a system (note: system
here does not mean an operating system, we could consider the entire
network as a system). Code is available on the site, but I must admit
I never quite got past the theoretical aspects of it - wonderful
reading material :)

A usable framework I am quite fond of is Prelude IDS
(http://www.prelude-ids.org). Prelude supports IDMEF and provides a
framework for knitting a number of existing tools together (e.g.
snort, samhain, pam, libsafe, more) and has a great generic parser
(prelude-lml) for converting log formats into IDMEF, which can then be
fed into the Prelude framework. This is done using regexes to parse
different formats, e.g. apache, mod_security, pix logs, ... log format
not listed? Write your own regex and corresponding ruleset. There's
also a commercial plugin for feeding in nessus results - active source
of knowledge. Whilst there is event aggregation (what most vendors
sell as "correlation", or so I thought last time I checked), I think
the current weak point is the approach to event correlation. However,
recent endeavours with SEC integration
(http://www.estpak.ee/~risto/sec/) and continuing development plans of
their own correlation engine, make this an interesting and compelling
project to follow/try-out.

Incidentally (may seem obvious), I've deployed prelude in a production
environment and was quite happy with the results - making sense of
digital tons of IDS and general application log data, via a single
framework, was a big help. YMMV, of course.

Another project knocking about is OSSIM (http://www.ossim.net/).

</verbalDiahorrea>

Just some things to think about, for those of you considering your options.

Cheers,
Dave.
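The two ideas in the post above, regex-based normalisation of unrelated log formats into a common event model (what prelude-lml does for IDMEF) and then correlating the normalised events across sources, are illustrated below in an added Python example. This is not code from Prelude, prelude-lml or SEC; it uses a plain dictionary as a simplified stand-in for the IDMEF XML schema, the two parsing rules and the `SAMPLE_LOGS` lines are constructed for the example, and the syslog year (2006) and shared local timezone are assumptions because classic syslog timestamps carry neither.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real captures): sshd-style auth failures and one
# Apache-style access line, as two different formats a collector might see.
SAMPLE_LOGS = [
    "Jul 11 23:50:01 web1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2",
    "Jul 11 23:50:04 web1 sshd[2213]: Failed password for root from 198.51.100.7 port 40215 ssh2",
    "Jul 11 23:50:09 web1 sshd[2219]: Failed password for root from 198.51.100.7 port 40220 ssh2",
    '198.51.100.7 - - [11/Jul/2006:23:50:30 +0200] "GET /cgi-bin/../../../etc/passwd HTTP/1.0" 404 210',
    "Jul 11 23:55:40 web1 sshd[2250]: Failed password for root from 203.0.113.9 port 51000 ssh2",
]

SYSLOG_TS = "%b %d %H:%M:%S"          # no year: we assume one below
APACHE_TS = "%d/%b/%Y:%H:%M:%S"       # offset is dropped; same local zone assumed

# Hypothetical rule table, one entry per log format, in the spirit of an
# lml-style ruleset: (regex, IDMEF-style classification, severity, timestamp format).
RULES = [
    (re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"),
     "Login failure", "medium", SYSLOG_TS),
    (re.compile(r'^(?P<src>[\d.]+) \S+ \S+ \[(?P<ts>\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [^\]]*\] '
                r'"(?P<method>\S+) (?P<path>\S*\.\./\S*) '),
     "Path traversal attempt", "high", APACHE_TS),
]


def normalize(line, year=2006):
    """Map one raw log line to a simplified IDMEF-style alert dict; None if no rule matches."""
    for rx, classification, severity, fmt in RULES:
        m = rx.match(line)
        if not m:
            continue
        fields = m.groupdict()
        ts = datetime.strptime(fields["ts"], fmt)
        if fmt == SYSLOG_TS:
            ts = ts.replace(year=year)   # assumed year for year-less syslog stamps
        return {
            "classification": classification,
            "severity": severity,
            "create_time": ts,
            "source": {"address": fields["src"]},
            "target": {"node": fields.get("host"), "user": fields.get("user")},
            "analyzer": "regex-normaliser",
            "raw": line,
        }
    return None


def correlate_bursts(alerts, threshold=3, window=timedelta(minutes=5)):
    """Threshold rule: >= threshold alerts of one class from one source inside the window."""
    buckets = defaultdict(list)
    out = []
    for a in sorted(alerts, key=lambda x: x["create_time"]):
        key = (a["source"]["address"], a["classification"])
        bucket = buckets[key]
        bucket.append(a["create_time"])
        while bucket and a["create_time"] - bucket[0] > window:
            bucket.pop(0)                # slide the window forward
        if len(bucket) >= threshold:
            out.append({"classification": "Repeated " + a["classification"].lower(),
                        "source": key[0], "count": len(bucket),
                        "first": bucket[0], "last": a["create_time"]})
            bucket.clear()               # one burst -> one correlated alert
    return out


def correlate_sources(alerts, window=timedelta(minutes=10)):
    """Cross-source rule: one address seen under two or more classifications inside the window."""
    by_src = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x["create_time"]):
        by_src[a["source"]["address"]].append(a)
    hits = []
    for src, evs in by_src.items():
        classes = {a["classification"] for a in evs}
        span = evs[-1]["create_time"] - evs[0]["create_time"]
        if len(classes) >= 2 and span <= window:
            hits.append({"source": src, "classifications": sorted(classes),
                         "span_seconds": int(span.total_seconds())})
    return hits


def run_pipeline(lines):
    """Normalise raw lines, then run both correlation rules over the result."""
    alerts = [a for a in (normalize(l) for l in lines) if a is not None]
    return {"alerts": alerts,
            "bursts": correlate_bursts(alerts),
            "multi_vector": correlate_sources(alerts)}


if __name__ == "__main__":
    result = run_pipeline(SAMPLE_LOGS)
    for b in result["bursts"]:
        print(f"{b['classification']} from {b['source']}: {b['count']} events {b['first']}..{b['last']}")
    for h in result["multi_vector"]:
        print(f"{h['source']} seen as {h['classifications']} within {h['span_seconds']}s")
```

The point of separating `normalize` from the two `correlate_*` rules is the one made in the post: once sshd and Apache lines share one event shape, a correlation rule can be written once and does not care which log format an event came from. The threshold rule flags a burst of login failures from one address; the cross-source rule catches the same address appearing in both the auth log and the web log, which neither log on its own would surface.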
