Understanding IDS for Linux

Pedro discusses the different types of intrusion detection systems and shows how to create signatures to identify attacks.

Tripwire is an example of an HBIDS for Linux [see Michael Rash's Paranoid Penguin, LJ February 2002 for an open-source alternative to Tripwire]. It counts as an HBIDS because it fills the role of a file-integrity checker on the host. With Tripwire, the user defines, in a configuration file, a set of files to protect against changes; Tripwire then stores a checksum of these files together with their attributes and, if any of them change, it can send alerts to the system administrator. The default configuration file provides a good starting point, but the user also must customize it to reduce the chance of false positives. Pay special attention to the log files: it makes no sense to include them in the set of files to be checked, since you know they will grow as soon as any event happens, such as a login.

Tripwire can be used together with the cron scheduler dæmon. In this mode, users can automate the process and define when they want it to run.


PortSentry [see also “PortSentry” by Anthony Cinelli on the LJ web site, /article/4751] is part of the Abacus Project, from Psionic Software, whose goal is to “produce a suite of tools to provide host-based security and intrusion detection free to the internet community”. It is an important kind of HBIDS because it detects packets addressed to the host and can be used with TCP Wrappers and iptables. This type of detection is useful because a port scan is often a precursor to an attack. PortSentry can detect TCP and UDP port scans, making you aware of other hosts that are looking for a service on the scanned port. The next step is to check for new patches or updates, or even to configure it to create ACLs (access control lists) with TCP Wrappers to block future connections from the scanning host. It also can create rules in the firewall, e.g., iptables, to drop everything from the scanning host. The following is an example of PortSentry alerts from syslog:

Dec 9 03:03:17 mobile portsentry[701]: attackalert:
  TCP SYN/Normal scan from host: to TCP port: 111
Dec 9 03:03:17 mobile portsentry[701]: attackalert:
  Host has been blocked via wrappers
  with string: "ALL:"
Dec 9 03:03:18 mobile portsentry[701]: attackalert:
  Host has been blocked via dropped
  route using command: "/sbin/iptables -I
  INPUT -s -j DROP"

Swatch is a log watcher that observes the logs and alerts the security administrator about predefined strings found in a log file, e.g., /var/log/messages. In the example below, I created a very simple Swatch configuration file and chose to define the strings “snort” and “portsentry” and to send the alert to the screen in different colors (and with a beep) every time it finds these strings:

watchfor /snort/
    echo red
    bell
watchfor /portsentry/
    echo blue
    bell

I could also ask Swatch to send an e-mail or execute a command when it finds something. As a result of the previous Swatch config file, I received these alerts:

Dec 9 03:22:53 flamengo snort[3268]: [1:1256:2]
  WEB-IIS CodeRed v2 root.exe access [Classification:
  Web Application Attack] [Priority: 1]:
  {TCP} ->
Dec 9 03:03:17 mobile portsentry[701]: attackalert:
  TCP SYN/Normal scan from host: to TCP port: 111
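The Swatch rules above only match the literal strings “snort” and “portsentry”; the following added example (written for this page, not part of the article or of Swatch) goes one step further and parses the two alert formats shown into structured records, so that the probed port, scanning host, Snort SID and priority can drive the response. The log lines are constructed samples with RFC 5737 documentation addresses in place of the real hosts, and the mail/echo policy is an assumed one that mirrors the Swatch actions discussed.

```python
import re
from collections import namedtuple

# Constructed sample syslog lines in the PortSentry and Snort formats seen above;
# 192.0.2.x / 198.51.100.x are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
Dec  9 03:03:17 mobile portsentry[701]: attackalert: TCP SYN/Normal scan from host: 192.0.2.10 to TCP port: 111
Dec  9 03:03:17 mobile portsentry[701]: attackalert: Host 192.0.2.10 has been blocked via wrappers with string: "ALL: 192.0.2.10"
Dec  9 03:22:53 flamengo snort[3268]: [1:1256:2] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 198.51.100.7:3187 -> 192.0.2.20:80
Dec  9 03:23:01 flamengo sshd[4102]: Accepted password for alice from 192.0.2.30 port 51022 ssh2
"""

Alert = namedtuple("Alert", "source severity host port sid message")

# PortSentry: only the "scan from host" line carries the scanner address and probed port;
# the follow-up "has been blocked" lines are deliberately not treated as new alerts.
PORTSENTRY_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: (?P<proto>TCP|UDP) (?P<kind>\S+) scan from host: "
    r"(?P<host>\S+) to (?P=proto) port: (?P<port>\d+)"
)
# Snort: [gid:sid:rev] message [Classification: ...] [Priority: N]: {PROTO} src:sport -> dst:dport
SNORT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alerts(text):
    """Return one Alert per Snort or PortSentry alert line; other syslog lines are ignored."""
    alerts = []
    for line in text.splitlines():
        m = PORTSENTRY_RE.search(line)
        if m:
            # PortSentry has no priority field; a port scan is treated as medium severity (assumed)
            alerts.append(Alert("portsentry", 2, m["host"], int(m["port"]), None,
                                f"{m['proto']} {m['kind']} scan"))
            continue
        m = SNORT_RE.search(line)
        if m:
            # host is the attacking source, port is the targeted destination port
            alerts.append(Alert("snort", int(m["prio"]), m["src"], int(m["dport"]),
                                int(m["sid"]), m["msg"]))
    return alerts

def action_for(alert):
    """Assumed policy in the spirit of Swatch's actions: mail for priority-1 events, echo otherwise."""
    return "mail" if alert.severity <= 1 else "echo"

if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_LOG):
        print(action_for(a), a)
```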


LIDS stands for Linux Intrusion Detection System. It is a project that adds extra security features to Linux, deployed as kernel patches. These features include file and process protection and port-scan detection. The first two deserve a little more explanation. File and process protection guards even against changes by the root superuser. This is very useful because when a cracker exploits a bug in your system, such as a buffer overflow, that person gains root access, which permits him or her to do almost anything: install rootkits, change logs, erase your HTML pages, etc. With these features you can define ACLs to control files and require passwords to access or change them, preventing changes by unauthorized users, even root. The same holds for processes, because it protects your system from altered binaries and dæmons. Another good feature is that it offers a port-scan detector in kernel space.


Network intrusion detection systems are the kind of IDS responsible for detecting attacks that arrive over the network. One point of disagreement is where they should be deployed. You may encounter network topologies where the sensor sits in front of the firewall, and others where it sits behind it. As I said before, there are good arguments for both; it depends on your needs. In these examples I will use the open-source Snort.