The Next Stage in Linux IDS PreludeIDS and Auditd

About This Presentation

Title:

The Next Stage in Linux IDS PreludeIDS and Auditd

Description:

An Intrusion Detection System (IDS) is software and/or hardware designed to ... For example, to see write, read, execute, or attribute changes to /etc/shadow ... – PowerPoint PPT presentation

Number of Views:109

Avg rating:3.0/5.0

Slides: 33

Provided by: Staf1055

Category:

more less

Transcript and Presenter's Notes

Title: The Next Stage in Linux IDS PreludeIDS and Auditd

1
The Next Stage in Linux IDS - Prelude-IDS and
Auditd

Presented
By
Gary Smith

2
What is an Intrusion Detection System (IDS)?

An Intrusion Detection System (IDS) is software
and/or hardware designed to detect unwanted
attempts at accessing, manipulating, and/or
disabling of computer systems, mainly through a
network, such as the Internet, for example.
These attempts may take the form of attacks, as
examples, by hackers, malware and/or disgruntled
employees.

3
What does an IDS do?

An intrusion detection system is used to detect
several types of malicious behaviors that can
compromise the security and trust of a computer
system.
This includes network attacks against
Vulnerable services,
Data driven attacks on applications,
Host based attacks such as privilege escalation,
Unauthorized logins and access to sensitive
files,
And malware (viruses, trojan horses, and worms).

4
Components of an IDS

An IDS can be composed of several components
Sensors which generate security events,
A Console to monitor events and alerts and
control the sensors
A Central Engine that records events logged by
the sensors in a database and uses a system of
rules to generate alerts from security events
received.
There are several ways to categorize an IDS
depending on the type and location of the sensors
and the methodology used by the engine to
generate alerts.
In many simple IDS implementations, all three
components are combined in a single device or
appliance.

5
IDS Terms

Alert/Alarm - A signal suggesting a system has
been or is being attacked.
False Positive - An alert or alarm that is
triggered when no actual attack has taken place.
False negative - A failure of an IDS to detect an
actual attack
Noise - Data or interference that can trigger a
false positive
Alarm filtering - The process of categorizing
attack alerts produced from an IDS in order to
distinguish false positives from actual attacks

6
Types Of IDS - NIDS

A Network Intrusion Detection System (NIDS) is an
independent platform which identifies intrusions
by examining network traffic and monitors
multiple hosts.
Network Intrusion Detection Systems gain access
to network traffic by connecting to a hub,
network switch configured for port spanning, or
network tap.
An example of a NIDS is Snort.

7
Types of IDS - HIDS

A Host-based Intrusion Detection system (HIDS)
consists of an agent on a host which identifies
intrusions by analyzing system calls, application
logs, file-system modifications (binaries,
password files, capability/acl databases) and
other host activities and state.
An example of a HIDS is Tripwire.

8
Types of IDS - PIDS

A Protocol-based Intrusion Detection System
(PIDS) consists of a system or agent that would
typically sit at the front end of a server,
monitoring and analyzing the communication
protocol between a connected device (a user/PC or
system) and the server.
For a web server this would typically monitor the
HTTPS protocol stream and understand the HTTP
protocol relative to the web server/system it is
trying to protect.
Where HTTPS is in use then this system would need
to reside in the "shim", or interface, between
where HTTPS is un-encrypted and immediately prior
to its entering the Web presentation layer.
An example of a PIDS is mod_security.

9
Types of IDS - APIDS

An Application Protocol-based Intrusion Detection
System (APIDS) consists of a system or agent that
would typically sit within a group of servers,
monitoring and analyzing the communication on
application specific protocols.
For example, in a web server with a database this
would monitor the SQL protocol specific to the
middleware/business logic as it transacts with
the database.
An example of an APIDS is Secerno.

10
Types of IDS - Hybrid IDS

A Hybrid Intrusion Detection System combines two
or more approaches.
Host agent data is combined with network
information to form a comprehensive view of the
network.
An example of a Hybrid IDS is Prelude.

11
A Linux Host Intrusion Detection System
Architecture

Auditd receives events from the kernel and sends
them to Snare.
Snare matches these events against criteria and
sends messages to the centralized log server
running syslog-ng.
Syslog-ng acts as gathering point and funnels the
messages into a fifo.
A Perl program empties the fifo and inserts the
messages into a MySQL database.
PHP-Syslog-NG searches and displays the
information in the database in a concise manner.

12
Componentizing the Architecture

Sensor - Auditd/Snare
Console - PHP-Syslog-NG
Central Engine - Syslog-NG/Perl Program/MySQL

13
Pros and Cons of the Architecture - Pros

Uses off-the-shelf components and protocols.
Auditd is part of the Linux standard package.
Snare makes is easy to define and capture events
of interest.
Syslog-NG is an enterprise-grade logging agent
with extensive filtering capabilities.
PHP-Syslog-NG has a good interface for retrieving
information from the database.

14
Snare Objective Interface
15
PHP-Syslog-NG Interface - The Big Board
16
Pros and Cons of the Architecture -Cons

UDP is the transport protocol for Syslog-NG.
Data is sent in the clear.
No easy way to know if a Snare sensor has died.
The levels of criticality in Snare dont map
1-for-1 to Syslog-NG (5 versus 8).
The alert output can be a bit daunting without a
practiced eye.

17
PHP-Syslog-NG Display
18
The Next Stage Architecture

Auditd receives events based on rules from the
kernel and passes them to audispd dispatcher.
Audispd sends event data to the audispd plugins,
in this case, audisp-prelude.
Audisp-prelude formats the event as an Intrusion
Detection Message Exchance Format Message and,
using libprelude, sends it to the
Prelude-manager.
The Prelude-manager puts the message in a MySQL
database.
Prewikka searches and displays the information in
the database.

19
Rules for Events

Syscall Audit Rules
For example, to see opens by users that failed
due to permission violation
-a exit,always -S open -F exit-EACCES -F
auidgt500 -F auid!4294967295
File System Audit Rules
For example, to see write, read, execute, or
attribute changes to /etc/shadow
-a exit,always -F path/etc/shadow -F permwrxa
-k ids-shadow
Look in /usr/share/doc/audit-x.y.z for examples
of rules.

20
Audisp-prelude

Audisp-prelude is an audispd plugin that
Reads the audit stream.
Identifies suspicious events.
Sends the most interesting ones to the
Prelude-manager.
Has 15 different configurable detections.

21
Audisp-prelude Detection Options

SE Linux AVCS
Detect any login
Detect output from pam_tally2
Detect output from pam_limits
Detect output from pam_access
Detect output from pam_time
Detect any abnormal terminations segv, abort
Detect opening of promiscuous socket
Detect changes in SE LINUX configuration
Detect failures in group password auth
Detect any login for account being watched
Detect access to file being watched
Detect execution of specific programs
Detect the creation of executables

22
Prelude Sensors

Auditd
Nepenthes
NUFW
OSSEC
Samhain
SanCP
Snort

23
Prelude Sensors

Prelude-LML
Apache
Arpwatch
Asterisk
Cisco equipment
Clamav
Nagios
Pam
Portsentry
Postfix
Sonicwall
Spamassassin
Syslog
webmin

24
Libprelude

Sensor must be registered to its manager
Communication is encrypted
Failover capability when cannot contact manager
Relay events from manager to manager

25
Prewikka

Apache based cgi-program
Has database of recent alerts
Allows multiple users with different permissions
Sort/select alerts by type, host, target,
severity, sensor, and many more ways at the top
of the columns.