Understanding IDS for Linux

Pedro discusses the different types of intrusion detection systems and shows how to create signatures to identify attacks.
Tripwire

Tripwire is an example of an HBIDS for Linux [see Michael Rash's Paranoid Penguin, LJ February 2002 for an open-source alternative to Tripwire]. It counts as an HBIDS because it supplies the file-integrity checking that the system otherwise lacks. With Tripwire, the user defines, in a configuration file, the set of files he or she wishes to protect against changes, and Tripwire then records a checksum of each of these files along with its attributes. If any of them change, it can send alerts to the system administrator. The default configuration file provides a good starting point, but the user also must customize it to reduce the chance of false positives. Pay special attention to the log files: it doesn't make sense to include them in the set of files to be checked, since you know they will grow as soon as any event happens, such as a login.

Tripwire can be used together with the cron scheduler dæmon. In this mode, users can automate the checks and define when they should run.
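As an added illustration (not Tripwire's own code), here is a minimal integrity check in the same spirit: a baseline of checksums and attributes for a chosen file set, compared on a later run. The sample files and the tampering are constructed in a temporary directory, and the second policy shows why a growing log file produces a spurious finding if it is included.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(path):
    """Checksum plus the attributes an integrity checker records for one file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}

def build_baseline(paths):
    """The 'database' an integrity checker writes: one snapshot per protected path."""
    return {p: snapshot(p) for p in paths}

def check_baseline(baseline):
    """Return {path: [changed attributes]} for every protected file that differs."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        current = snapshot(path)
        changed = [k for k in expected if expected[k] != current[k]]
        if changed:
            findings[path] = changed
    return findings

def demo():
    """Constructed scenario: a protected 'binary' and a log file in a temp dir."""
    d = tempfile.mkdtemp()
    binary, log = os.path.join(d, "sbin_login"), os.path.join(d, "messages")
    with open(binary, "w") as f:
        f.write("original program\n")
    with open(log, "w") as f:
        f.write("Dec 9 03:03:17 mobile portsentry[701]: attackalert\n")
    good_policy = build_baseline([binary])        # log deliberately excluded
    noisy_policy = build_baseline([binary, log])  # log included: will misfire
    with open(log, "a") as f:                     # routine event: the log grows
        f.write("Dec 9 03:10:02 mobile sshd[812]: Accepted publickey\n")
    with open(binary, "w") as f:                  # tampering, same size as before
        f.write("trojaned program\n")
    return binary, log, check_baseline(good_policy), check_baseline(noisy_policy)

if __name__ == "__main__":
    print(demo()[2:])
```

The tampered file keeps its size, mode and owner, so only the checksum reveals it; the included log is reported as changed even though nothing is wrong.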

PortSentry

PortSentry [see also “PortSentry” by Anthony Cinelli on the LJ web site, /article/4751] is part of the Abacus Project, from Psionic Software, whose goal is to “produce a suite of tools to provide host-based security and intrusion detection free to the internet community”. It is an important kind of HBIDS because it detects packets addressed to the host and can be used with TCP Wrappers and iptables. This type of detection is useful because a port scan is often a precursor to an attack. PortSentry can detect TCP and UDP port scans, making you aware of other hosts probing the services on the scanned ports. The next step is to check for new patches or updates, or even to configure it to create ACLs (access control lists) through TCP Wrappers that block future connections from the scanning host. It also can create rules in the firewall, i.e., iptables, to drop everything from the scanning host. The following is an example of PortSentry alerts from Syslog:

Dec 9 03:03:17 mobile portsentry[701]: attackalert:
  TCP SYN/Normal scan from host:
  200.185.61.132/200.185.61.132 to TCP port: 111
Dec 9 03:03:17 mobile portsentry[701]: attackalert:
  Host 200.185.61.132 has been blocked via wrappers
  with string: "ALL: 200.185.61.132"
Dec 9 03:03:18 mobile portsentry[701]: attackalert:
  Host 200.185.61.132 has been blocked via dropped
  route using command: "/sbin/iptables -I
  INPUT -s 200.185.61.132 -j DROP"

Swatch

Swatch is a log watcher that observes the logs and alerts the security administrator about predefined strings found in a log file, such as /var/log/messages. In the example below, I created a very simple Swatch configuration file and chose to define the strings “snort” and “portsentry” and send the alert to the screen in different colors (and with a beep) every time it finds these strings:

watchfor /snort/
echo red
bell
watchfor /portsentry/
echo blue
bell

I also could ask Swatch to send an e-mail or execute a command when it finds something. As a result of the previous Swatch config file, I received these alerts:

Dec 9 03:22:53 flamengo snort[3268]: [1:1256:2]
  WEB-IIS CodeRed v2 root.exe access [Classification:
  Web Application Attack] [Priority: 1]:
  {TCP} 200.31.36.11:2153 -> 200.204.68.154:80
Dec 9 03:03:17 mobile portsentry[701]: attackalert:
  TCP SYN/Normal scan from host:
  200.185.61.132/200.185.61.132 to TCP port: 111
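The following is an added example, not Swatch's or PortSentry's own code: it applies the two watchfor rules from the config above to a constructed syslog sample modelled on the alerts quoted on this page, and then parses the flagged PortSentry and Snort lines into structured records (scanner address, probed port, Snort signature id and 5-tuple) that a responder can act on. The regular expressions are my own and assume the message layouts shown here.

```python
import re

# Constructed sample log, modelled on the alerts quoted above (each alert on one
# line, as syslog writes it; an unrelated sshd line is mixed in as noise).
SAMPLE_LOG = """\
Dec 9 03:03:17 mobile portsentry[701]: attackalert: TCP SYN/Normal scan from host: 200.185.61.132/200.185.61.132 to TCP port: 111
Dec 9 03:03:17 mobile portsentry[701]: attackalert: Host 200.185.61.132 has been blocked via wrappers with string: "ALL: 200.185.61.132"
Dec 9 03:10:02 mobile sshd[812]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
Dec 9 03:22:53 flamengo snort[3268]: [1:1256:2] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 200.31.36.11:2153 -> 200.204.68.154:80
"""

# The two watchfor rules from the Swatch config above: pattern -> echo colour.
WATCH_RULES = [(re.compile(r"snort"), "red"), (re.compile(r"portsentry"), "blue")]

# Assumed layouts, taken from the alert lines on this page.
SCAN_RE = re.compile(r"(TCP|UDP) (?:\S+ )?scan from host: (\S+)/(\S+) to \w+ port: (\d+)")
SNORT_RE = re.compile(r"\[(\d+:\d+:\d+)\] (.*?) \[Classification: (.*?)\] "
                      r"\[Priority: (\d+)\]: \{(\w+)\} (\S+):(\d+) -> (\S+):(\d+)")

def watch(log_text):
    """Swatch's core loop: the first matching watchfor rule decides the action."""
    hits = []
    for line in log_text.splitlines():
        for pattern, colour in WATCH_RULES:
            if pattern.search(line):
                hits.append((colour, line))
                break
    return hits

def parse_scan(line):
    """Scanner address, protocol and probed port from a PortSentry attackalert."""
    m = SCAN_RE.search(line)
    if not m:
        return None
    return {"proto": m.group(1), "src": m.group(3), "port": int(m.group(4))}

def parse_snort(line):
    """Signature id, message, classification, priority and 5-tuple of a Snort alert."""
    m = SNORT_RE.search(line)
    if not m:
        return None
    sid, msg, cls, prio, proto, src, sport, dst, dport = m.groups()
    return {"sid": sid, "msg": msg, "class": cls, "priority": int(prio), "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def summarize(log_text):
    """Structured records for every line a watchfor rule would have flagged."""
    return [parse_scan(l) or parse_snort(l) or {"raw": l} for _, l in watch(log_text)]
```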

LIDS

LIDS stands for Linux intrusion detection system. It is a project that gives Linux some extra security features, deployed as kernel patches. These features include file and process protection and port-scan detection. The first two deserve a little more explanation. File and process protection guards even against changes by the root superuser. This is very useful because when a cracker exploits a bug in your system, such as a buffer overflow, that person gains root access, which permits him or her to do almost anything: install rootkits, change logs, erase your HTML pages, etc. With these features you can define ACLs that control access to files and require passwords to access or change them, preventing changes by unauthorized users, even root. The same applies to processes: it protects your system from altered binaries and dæmons. Another good feature is that it offers a port-scan detector in kernel space.

NIDS

Network intrusion detection systems are the kind of IDSes responsible for detecting attacks that arrive over the network. One point of disagreement is where they should be deployed. You may encounter network topologies where the NIDS sits in front of the firewall and others where it sits behind it. As I said before, there are good arguments for both; it depends on your needs. In these examples I will use the open-source Snort.
