NETWORK intrusion detection/prevention

Ryan Pugatch rpug-AKf0aY4IwLwC9rEbRqCHog at public.gmane.org
Tue Jun 30 16:54:57 EDT 2009 

Dan Ritter wrote:
> On Tue, Jun 30, 2009 at 04:02:51PM -0400, Tom Metro wrote:
>> ref wrote:
>>> TRipwire annoyed me as it emailed me masses of stuff
>>> everyday about what had NOT changed.
>> When I used Tripwire I also found that it required a lot of maintenance 
>> in order to make it provide useful reports. If you don't keep up with 
>> it, it ends up flooding you with useless reports (reporting the same 
>> changes over and over), which leads to the reports being ignored.
>>
>> Most file system change detection tools work on a model where they set a 
>> baseline and then once they detect a deviation from that baseline, they 
>> email you perpetually until that baseline gets reset. This is the 
>> secure, paranoid way to do it, but not particularly practical.
> 
> It's the only really useful way. There are two tricks:
> 
> - make it easy to reset the baseline
> 	- a single word alias is best
> 
> - map exactly what parts of your filesystems you can ignore
> 	- in particular, you need to have the monitor
> 	  automatically ignore logs, temp files, pidfiles, mail
> 	  spools and user home directories
> 
>> Back when I set up my first Debian system I went looking for something 
>> simpler than Tripwire, and ran across Integrit, and have been using it 
>> ever since, even though it remains fairly obscure. It was easy to set 
>> up, and with a few tweaks to to its cron script, I was able to have it 
>> automatically reset its baseline after changes. This eliminates 
>> maintenance effort, and it only generates reports if there have been 
>> changes since the last change occurred, so most of the time it stays quiet.
> 
> Integrit is pretty good. So is AIDE.
> 
>> Note that although these file system change detection tools are often 
>> promoted as intrusion detection tools, they're actually more beneficial 
>> for routine system administration by providing a record of what system 
>> files changed when. This can be useful if system behavior changes and 
>> you want to track down when a config was modified or when some upgrade 
>> changed a shared library.
> 
> Though there are three better tools:
> 
> - keep your configurations in a version control system
> - and/or keep snapshots of your configurations (or whole
>   filesystems)
> - look in your OS package installation log (/var/log/dpkg, for
>   instance)
> 
> -dsr-
> 

I probably should have included 'network' in the subject line for when 
the thread progressed. I am looking at solutions for network intrusion 
detection (i.e. Snort) rather than something for an individual system. 
I appreciate these suggestions though.



-- 
Ryan Pugatch
Systems Administrator, TripAdvisor

More information about the Discuss mailing list