Re: [SLUG] IDS presentation tonight

From: Robert Foxworth (rfoxwor1@tampabay.rr.com)
Date: Wed Mar 19 2003 - 09:57:21 EST


> On Thu, 2003-03-13 at 19:45, William Coulter wrote:
> > Would someone post their notes on the IDS presentation. I can't make
> > it. Thanks
>
> I'll try to make the presentation available on the web in the next day
> or two. Poke me if you don't see it come up soon.

SLUG IDS presentation by Derek Glidden 12 March 2003

Derek gave a good general rundown of intrusion detection
issues, then commented on Snort in particular. I just
took notes on specifics of interest to me, this is by no
means a full rundown on the talk. I did not take notes on
basic items I was familiar with. Interested persons are
referred to, for example, major bookstores where quite a
few CompSec books can be found. Rootkits and exploits
were NOT discussed during the talk. Some of my notes
were of spoken items not appearing on the slide show.

Snort evolving to Sourcefire. Marty Rolle involved.
Example of detect string:
alert TCP $ext any -> $local 80 (content: "10101101")
Anomaly - no signature. CylantSecure LKM commercial|eval
versions.

Snort has text config. Preprocessor. IP defrag - stream
reassy - stateful inspection - HTTP unicode detect -
BackOrifice detect - portscan detect - ARPspoof detect -
other decodes. Defrag of normal traffic. Output processor:
syslog - tcpdump - database - XML - unified log format -
SNMP trap monitor - SMB messaging.

Snort is not a notification system. Rules: multiple
alert categories. Priority level of alerts. Can
fingerprint any part of the packet e.g. header flags,
port number, payload. Disadvantage: No notification,
no GUI, need for text editor to configure (ed note:
disadvantage if you don't like text editors, I myself
believe this is a Good thing). Hard to "effectively"
configure.

Configure to see all traffic. Each install is specific.
Idea is to: enable all, then pare down. Need to know
what you are looking for. Value? of having "uninformative"
alerts. Config process is iterative.

Commercial tools: Demarc //www.demarc.com; Sourcefire
//www.sourcefire.com; Barnyard //www.snort.org is a
log processor; Acid //www.cert.org/kb/aircert is a web
based PHP rules manager to analyze alerts; SnortCenter
//users.pandora.be/larc (link may be incomplete)

File Intrusion Detection (FIDS) Tripwire, Freeveracity,
AIDE, Samhain, Integrit (last three are free). Monitor
file checksums, inode, permissions, size, last access.
Create crypto signatures, compare to known state.
Lots of output, hard to configure. Tripwire is commercial,
the GPL version is not supported. Freeveracity is free,
not GPL, simple config, fast, no longer supported.
Aide is perl-based, simple, open source. See //cs.tut.fi
Samhain is open source, current, maintained. LKM rootkit
detect; stealth. //la-samhna.de/samhain/

Integrit - OS - maintained, simple, local filesystem.
//integra.sourceforge.net Small, speedy, crypto db,
many output formats, simple to build. File checksums,
inode; reset the ctime. Negative: lots of filesystem
activity, slow disk, intensive compute work, have to
secure a huge database. Config make check and update
separate tasks. Update all data files on system. Check
only the important things. GPG-sign your known-good
snapshots > CD-RW. Use similar plan for backup. Config
of a FIDS is iterative, like NIDS. Demo: install
locally - known db of all files. Check just the important
things like /usr /bin /sbin, ignore things like /home
/var /opt /proc

Hogwash: user daemon to replace IP stack. Snort inline:
talk to iptables, you can tell it to block an IP if you
see a portscan from it.

Barnyard: parse snort logs - put task in cron, send
output to stdout.

----
Hope this is helpful to you. Any errors or omissions
are mine. Bob
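The FIDS workflow in the notes above (record checksum, inode, permissions and size per file; keep "check" and "update" as separate tasks; cover /usr /bin /sbin and leave /home /var /opt /proc alone) is easy to see end to end in a small script. The following is an added example written for this archive page; it is not code from Tripwire, AIDE, Samhain or Integrit, and the directory names and file contents in demo() are constructed for the demonstration only.

```python
"""Minimal file-integrity checker in the style of the FIDS tools discussed
in the talk (added example, not any of those projects' code).

Per file it records a SHA-256 digest, inode, permission bits, size and
owner. 'update' writes a fresh baseline; 'check' compares the live
filesystem against a stored baseline and reports drift. Volatile trees
are skipped, as the talk recommended."""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Trees the talk suggested ignoring (volatile or user-controlled).
DEFAULT_IGNORE = ("/home", "/var", "/opt", "/proc")


def file_record(path):
    """Collect the attributes that later comparison will look at."""
    st = os.lstat(path)
    rec = {"inode": st.st_ino, "mode": stat.S_IMODE(st.st_mode),
           "size": st.st_size, "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):          # hash regular files only
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def snapshot(roots, ignore=DEFAULT_IGNORE):
    """Walk the given roots, pruning ignored subtrees, and build the db."""
    db = {}
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            if any(dirpath == i or dirpath.startswith(i + os.sep) for i in ignore):
                dirnames[:] = []              # do not descend further
                continue
            for name in filenames:
                p = os.path.join(dirpath, name)
                try:
                    db[p] = file_record(p)
                except OSError:               # vanished or unreadable
                    continue
    return db


def compare(baseline, current):
    """Report files added, removed, or changed in any recorded attribute."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for p in set(baseline) & set(current):
        keys = set(baseline[p]) | set(current[p])
        diff = {k: (baseline[p].get(k), current[p].get(k))
                for k in keys if baseline[p].get(k) != current[p].get(k)}
        if diff:
            changed[p] = diff
    return {"added": added, "removed": removed, "changed": changed}


def update(db_path, roots, ignore=DEFAULT_IGNORE):
    """Separate task: rewrite the known-good baseline."""
    db = snapshot(roots, ignore)
    Path(db_path).write_text(json.dumps(db, sort_keys=True, indent=1))
    return db


def check(db_path, roots, ignore=DEFAULT_IGNORE):
    """Separate task: compare the live system against the stored baseline."""
    baseline = json.loads(Path(db_path).read_text())
    return compare(baseline, snapshot(roots, ignore))


def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, check."""
    work = tempfile.mkdtemp(prefix="fids-demo-")
    try:
        tree = os.path.join(work, "fs")            # the 'system' being watched
        sbin, home = os.path.join(tree, "sbin"), os.path.join(tree, "home")
        os.makedirs(sbin)
        os.makedirs(home)
        ls, ps = os.path.join(sbin, "ls"), os.path.join(sbin, "ps")
        Path(ls).write_bytes(b"#!/bin/sh\necho ls\n")
        Path(ps).write_bytes(b"#!/bin/sh\necho ps\n")
        os.chmod(ps, 0o755)
        db = os.path.join(work, "baseline.json")   # kept outside the tree
        update(db, [tree], ignore=(home,))
        # Simulated drift: altered content, changed mode, new file, plus
        # noise under the ignored /home tree that must NOT be reported.
        Path(ls).write_bytes(b"#!/bin/sh\necho ls\necho tampered\n")
        os.chmod(ps, 0o4755)
        Path(os.path.join(sbin, "rogue")).write_bytes(b"new binary\n")
        Path(os.path.join(home, ".bashrc")).write_bytes(b"noise\n")
        return check(db, [tree], ignore=(home,))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

As the notes say, the baseline is only as trustworthy as its storage: write it with `update` once, sign it and keep the signed copy on read-only media, and run `check` from cron against that copy rather than against a baseline sitting on the monitored disk.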