
The Next Stage in Linux IDS - Prelude-IDS and Auditd

The Next Stage in Linux IDS - Prelude-IDS and Auditd. Presented By Gary Smith.





Presentation Transcript


  1. The Next Stage in Linux IDS - Prelude-IDS and Auditd. Presented by Gary Smith.

  2. What is an Intrusion Detection System (IDS)? An Intrusion Detection System (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems, mainly through a network such as the Internet. These attempts may take the form of attacks by, for example, hackers, malware, or disgruntled employees.

  3. What does an IDS do? An intrusion detection system is used to detect several types of malicious behaviour that can compromise the security and trust of a computer system, including:
     - network attacks against vulnerable services,
     - data-driven attacks on applications,
     - host-based attacks such as privilege escalation,
     - unauthorized logins and access to sensitive files, and
     - malware (viruses, trojan horses, and worms).

  4. Components of an IDS. An IDS can be composed of several components:
     - Sensors, which generate security events;
     - a Console, to monitor events and alerts and to control the sensors;
     - a Central Engine, which records the events logged by the sensors in a database and uses a system of rules to generate alerts from the security events received.
     There are several ways to categorize an IDS depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In many simple IDS implementations, all three components are combined in a single device or appliance.

  5. IDS Terms
     - Alert/Alarm: a signal suggesting a system has been or is being attacked.
     - False positive: an alert or alarm that is triggered when no actual attack has taken place.
     - False negative: a failure of an IDS to detect an actual attack.
     - Noise: data or interference that can trigger a false positive.
     - Alarm filtering: the process of categorizing attack alerts produced by an IDS in order to distinguish false positives from actual attacks.

  6. Types of IDS - NIDS. A Network Intrusion Detection System (NIDS) is an independent platform which identifies intrusions by examining network traffic and monitors multiple hosts. Network Intrusion Detection Systems gain access to network traffic by connecting to a hub, a network switch configured for port spanning, or a network tap. An example of a NIDS is Snort.

  7. Types of IDS - HIDS. A Host-based Intrusion Detection System (HIDS) consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/ACL databases) and other host activities and state. An example of a HIDS is Tripwire.

  8. Types of IDS - PIDS. A Protocol-based Intrusion Detection System (PIDS) consists of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication protocol between a connected device (a user/PC or system) and the server. For a web server this would typically monitor the HTTPS protocol stream and understand the HTTP protocol relative to the web server/system it is trying to protect. Where HTTPS is in use, the system would need to reside in the "shim", or interface, between the point where HTTPS is decrypted and the point immediately before the traffic enters the web presentation layer. An example of a PIDS is mod_security.

  9. Types of IDS - APIDS. An Application Protocol-based Intrusion Detection System (APIDS) consists of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application-specific protocols. For example, in a web server with a database this would monitor the SQL protocol specific to the middleware/business logic as it transacts with the database. An example of an APIDS is Secerno.

  10. Types of IDS - Hybrid IDS. A Hybrid Intrusion Detection System combines two or more approaches. Host agent data is combined with network information to form a comprehensive view of the network. An example of a Hybrid IDS is Prelude.

  11. A Linux Host Intrusion Detection System Architecture. Auditd receives events from the kernel and sends them to Snare. Snare matches these events against criteria and sends messages to the centralized log server running syslog-ng. Syslog-ng acts as a gathering point and funnels the messages into a FIFO. A Perl program empties the FIFO and inserts the messages into a MySQL database. PHP-Syslog-NG searches and displays the information in the database in a concise manner.

  12. Componentizing the Architecture
     - Sensor: Auditd/Snare
     - Console: PHP-Syslog-NG
     - Central Engine: Syslog-NG / Perl program / MySQL

  13. Pros and Cons of the Architecture - Pros
     - Uses off-the-shelf components and protocols.
     - Auditd is part of the Linux "standard package."
     - Snare makes it easy to define and capture events of interest.
     - Syslog-NG is an enterprise-grade logging agent with extensive filtering capabilities.
     - PHP-Syslog-NG has a good interface for retrieving information from the database.

  14. Snare Objective Interface

  15. PHP-Syslog-NG Interface - “The Big Board”

  16. Pros and Cons of the Architecture - Cons
     - UDP is the transport protocol for Syslog-NG. Data is sent "in the clear."
     - No easy way to know if a Snare sensor has died.
     - The levels of criticality in Snare don't map 1-for-1 to Syslog-NG (5 versus 8).
     - The alert output can be a bit daunting without a practiced eye.

  17. PHP-Syslog-NG Display

  18. The Next Stage Architecture. Auditd receives events from the kernel based on rules and passes them to the audispd dispatcher. Audispd sends the event data to the audispd plugins, in this case audisp-prelude. Audisp-prelude formats the event as an Intrusion Detection Message Exchange Format (IDMEF) message and, using libprelude, sends it to the Prelude-manager. The Prelude-manager puts the message in a MySQL database. Prewikka searches and displays the information in the database.

  19. Rules for Events
     Syscall audit rules. For example, to see opens by users that failed due to a permission violation:
         -a exit,always -S open -F exit=-EACCES -F auid>=500 -F auid!=4294967295
     File system audit rules. For example, to see write, read, execute, or attribute changes to /etc/shadow:
         -a exit,always -F path=/etc/shadow -F perm=wrxa -k "ids-shadow"
     Look in /usr/share/doc/audit-x.y.z for examples of rules.

  20. Audisp-prelude. Audisp-prelude is an audispd plugin that:
     - reads the audit stream,
     - identifies suspicious events,
     - sends the most interesting ones to the Prelude-manager, and
     - has 15 different configurable detections.
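The two audit rules from slide 19 and the audisp-prelude role from slide 20 (read the audit stream, pick out the suspicious events), as an added example that is not part of the presentation or of the audit/Prelude projects: a Python script that parses constructed audit.log records, joins each SYSCALL record to the PATH records sharing its serial number, and flags the events the two rules target. The record text, pids and serials are invented; the ids-shadow key, the auid>=500 / auid!=4294967295 filters and exit=-EACCES come from the slide.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt in native auditd record format (type=... msg=audit(ts:serial): k=v ...);
# timestamps, pids and serial numbers are invented for illustration.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=3538 auid=500 uid=500 euid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="ids-shadow"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/shadow" inode=2 dev=fd:00 mode=0100000 ouid=0 ogid=0
type=SYSCALL msg=audit(1364481365.101:24290): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=3540 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="ids-shadow"
type=PATH msg=audit(1364481365.101:24290): item=0 name="/etc/shadow" inode=2 dev=fd:00 mode=0100000 ouid=0 ogid=0
type=SYSCALL msg=audit(1364481370.555:24301): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=3545 auid=501 uid=501 euid=501 tty=pts1 ses=2 comm="less" exe="/usr/bin/less" key=(null)
type=PATH msg=audit(1364481370.555:24301): item=0 name="/var/log/secure" inode=77 dev=fd:00 mode=0100600 ouid=0 ogid=0
"""

AUID_UNSET = 4294967295  # auid of processes with no login session; the rule's auid!=4294967295 filter
EACCES = -13             # errno behind the rule's exit=-EACCES filter
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value either quoted or bare
SERIAL_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

def parse_record(line):
    """One audit record -> dict of its fields, plus the event serial shared by sibling records."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["serial"] = int(SERIAL_RE.search(line).group(2))
    return rec

def group_events(log_text):
    """Join the SYSCALL record and the PATH records that share a serial into one event."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec["type"] == "SYSCALL":
            events[rec["serial"]].update(rec)
        elif rec["type"] == "PATH":
            events[rec["serial"]]["paths"].append(rec["name"])
    return [ev for ev in events.values() if "syscall" in ev]

def classify(ev):
    """Names of the slide-19 rules an event satisfies (what an audisp plugin would act on)."""
    hits = []
    auid = int(ev["auid"])
    # -a exit,always -S open -F exit=-EACCES -F auid>=500 -F auid!=4294967295
    if ev["success"] == "no" and int(ev["exit"]) == EACCES and auid >= 500 and auid != AUID_UNSET:
        hits.append("failed-open-permission-denied")
    # -a exit,always -F path=/etc/shadow -F perm=wrxa -k ids-shadow
    if ev.get("key") == "ids-shadow":
        hits.append("watched-file-access")
    return hits

def detect(log_text):
    """(serial, auid, comm, paths, detections) for every event that triggers at least one rule."""
    return [(ev["serial"], int(ev["auid"]), ev["comm"], ev["paths"], classify(ev))
            for ev in group_events(log_text) if classify(ev)]
```

Running detect(SAMPLE_AUDIT_LOG) shows the auid filter doing its job: the root sshd open of /etc/shadow (auid unset) trips only the watched-file rule, while the two interactive users' permission-denied opens trip the syscall rule.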

  21. Audisp-prelude Detection Options
     - SELinux AVCs
     - Detect any login
     - Detect output from pam_tally2
     - Detect output from pam_limits
     - Detect output from pam_access
     - Detect output from pam_time
     - Detect any abnormal terminations: segv, abort
     - Detect opening of a promiscuous socket
     - Detect changes in SELinux configuration
     - Detect failures in group password auth
     - Detect any login for an account being watched
     - Detect access to a file being watched
     - Detect execution of specific programs
     - Detect the creation of executables

  22. Prelude Sensors: Auditd, Nepenthes, NUFW, OSSEC, Samhain, SanCP, Snort.

  23. Prelude Sensors (continued): Prelude-LML, with log formats for Apache, Arpwatch, Asterisk, Cisco equipment, Clamav, Nagios, Pam, Portsentry, Postfix, Sonicwall, Spamassassin, Syslog, and webmin.

  24. Libprelude
     - A sensor must be registered to its manager.
     - Communication is encrypted.
     - Failover capability when a manager cannot be contacted.
     - Relays events from manager to manager.

  25. Prewikka
     - Apache-based CGI program.
     - Has a database of recent alerts.
     - Allows multiple users with different permissions.
     - Sort/select alerts by type, host, target, severity, sensor, and many more ways at the top of the columns.

  26. Prewikka Alerts

  27. Prewikka Alerts

  28. Prewikka Alerts

  29. Prewikka Agents

  30. The Future
     - Add mod_security2 log format parsing to Prelude-LML.
     - Add more sensors: rogue DHCP detection.
     - Add more detections to the auditd sensor: changing UID, account failures, crypto failures.
     - Reactive countermeasures.

  31. Questions?
     Prelude: http://www.prelude-ids.com
     Auditd: /usr/share/doc/audit-x.y.z/
