4

After reading what Metasploit is able to do, I got even more grey hairs.

From my understanding, current attack methods are being carried out without tampering with any file in the filesystem, thus rendering file-based HIDS useless.

So my idea was: what about the blacklist approach? Is there an (open-source) IDS tool out there that just monitors what is going on in the system (e.g. looks at ps output) and sounds an alarm if something strange is going on there (e.g. an httpd child forking a shell)?

Nils
  • As with many such things the engines are available but crafting and updating signatures / configurations is labour-intensive ... people pay for this stuff :) – adric May 01 '12 at 20:35

3 Answers

3

Whitelisting is considered good practice. Blacklisting is known to always be an "after-the-fact" method, which leaves your system vulnerable. A bit of a Linux admin can set up SELinux or AppArmor. There are a lot of docs and tutorials available about it. They are not extremely complex imo; you just need to be willing to learn it.

There are HIDS available like OSSEC that allow you to implement such rules (with some additional scripting). I use it on all my Linux machines as well, but it doesn't replace AppArmor or SELinux even remotely.

It may sound a bit rude, but if you want security, you can't be lazy.

Lucas Kauffman
  • I disliked SELinux after it kept blocking SNMPD from writing to its own log (CentOS 5). The possible attack-vectors are very small in my systems - web server frontend and application server frontend are the places I am worried about. The defined "normal" behaviour is very easy to describe for these. – Nils Apr 19 '12 at 19:25
  • I just read a little bit on the OSSEC page - this seems to be pretty much like `logwatch` plus `fam/aide/samhain/beltane`. I did not find a reference to watch for unusual process patterns though. Can you provide me a pointer to that, please? – Nils Apr 19 '12 at 20:13
  • `0x3A28213A` - sorry, couldn't resist! – Polynomial Apr 30 '12 at 16:02
  • @Polynomial hey - you are triggering a segfault! Is OSSEC the way to go? – Nils Apr 30 '12 at 20:26
3

Yes, there are IDSs which carry out not only pattern-matching (known bad behaviour) but also heuristic analysis (looks like bad behaviour, or doesn't look like good behaviour).

As a layer, they are extremely useful, as they may find new types of attack; however, they require a lot of tuning, will not spot attacks which change slowly over long periods of time, and can provide a lot of false positives.

If security is key to you, seriously look at whitelisting - it can reduce your risk significantly - and the two you mention aren't that complex to maintain.

Rory Alsop
  • If you say so. I have attended some advanced Linux courses with trainers that had many years of real-world experience. They all said that SELinux/AppArmor are too complex to maintain on more than a couple of servers. – Nils Apr 19 '12 at 20:08
  • I still think that blacklisting is easier to maintain in my scenario - have you got some pointers to heuristic process-analysis HIDS systems? – Nils Apr 19 '12 at 20:15
  • Blacklisting is the easiest, but also leaves the highest risk. Whitelisting leaves a very low level of risk. The main IDS vendors offer heuristics - even Snort can be configured to use statistical anomaly alerting. – Rory Alsop Apr 19 '12 at 23:36
  • Snort is network based. Is there nothing like an IDS based on process patterns (HIDS) that reacts like the OOM-killer (killing malicious sub-processes)? That would even lead to a process-based HIPS... – Nils Apr 20 '12 at 20:26
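The kind of process-pattern check asked about in this thread (an httpd child forking a shell), as an added example that is not from the thread or from OSSEC, Snort or any other tool named here; the process names in WEB_SERVERS and SHELLS and the sample ps output are assumptions:

```python
"""Flag shells spawned under a web server, from `ps -eo pid,ppid,comm` output.
Added example, not from the thread or any HIDS product; process names assumed."""

WEB_SERVERS = {"httpd", "apache2", "nginx", "php-fpm"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

# Constructed sample: httpd worker 902 has spawned sh (950), which runs nc;
# the bash under sshd (1300) is a normal admin login and must not alert.
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 systemd
  900     1 httpd
  902   900 httpd
  950   902 sh
  951   950 nc
 1200     1 sshd
 1300  1200 bash
"""

def parse_ps(text):
    """Return {pid: (ppid, comm)}; skips the header row."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)        # comm may itself contain spaces
        if len(parts) == 3:
            procs[int(parts[0])] = (int(parts[1]), parts[2])
    return procs

def ancestors(procs, pid):
    """Command names of pid's ancestors, nearest first (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid][0]                # move to the parent
        if pid in procs:
            chain.append(procs[pid][1])
    return chain

def shells_under_web_server(procs):
    """[(pid, comm, chain)] for every shell with a web server above it."""
    alerts = []
    for pid, (_, comm) in sorted(procs.items()):
        if comm in SHELLS:
            chain = ancestors(procs, pid)
            if any(name in WEB_SERVERS for name in chain):
                alerts.append((pid, comm, chain))
    return alerts
```

Feeding the live output of `ps -eo pid,ppid,comm` to `parse_ps` on a timer turns this into a polling check; anything it returns is a candidate alert for the web-server tier the question describes.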
3

I think the best way to answer your question is to encourage you to ask a different question.

You seem to have assumed that the best way to defend against security problems is using an IDS. I understand why you might have made that assumption, given the hype surrounding IDSs. But actually, that assumption is not valid: IDSs are not the best way to protect your system, and I would not recommend relying upon an IDS as your primary line of defense. The best way to protect your system involves several defenses, such as hardening your system, turning on automatic software updates, enabling a firewall, and using good practices.

Here are some resources for protecting your Linux machine:

They should provide you a bunch of pointers where you can learn more.

D.W.
  • True - we already have these lines of defence in place. The strongest line is IMO a good WAF. But I do care about the "what if they break into the last line of defence" case - how will I be alerted about that? – Nils Apr 19 '12 at 20:04