Open Source Intrusion Detection: No-cost System Lockdown

Nowadays, basic information security at any level should include an intrusion detection system (IDS) that gathers and later analyzes intrusion data. The primary goal of IDS software is monitoring hostile operations of all types, whether human (hackers and crackers) or programmatic (viruses, Trojan horses). An IDS can function on a particular server or across an entire segment of a network.

Although the market for IDS-related software is fairly large, finding a tool that fits your specific case isn’t always easy. It helps to know that IDS software falls into three classes:

  1. Application-based intrusion detection system (AIDS). AIDS monitors specific applications (or services).
  2. Host-based intrusion detection system (HIDS). HIDS is a software cluster that consists of an auditor for the file system, log file analyzers, an operating system monitor, and a monitor for software changes. Sometimes it includes several AIDS tools as well.
  3. Network-based intrusion detection system (NIDS). NIDS software is used mostly for analyzing network activity: traffic and load.

In my experience, commercial solutions usually try to fold the basics of all three detection classes into a single product, which often ends up overpriced for many small and medium-sized businesses. On top of that, all these functions are overkill in most cases. For these reasons, I believe that intrusion detection software should be open source. The first article in this two-part series examines the most popular non-commercial IDS solutions.

The most popular non-commercial AIDS tools are honeypots. A honeypot is network-service emulation software that allows system administrators to monitor an intruder’s actions. Although not actual operating systems, honeypots emulate real running operating systems to serve as bait for potential attackers. The primary goal is to analyze attacks, but some honeypot products also use internal signatures for known attacks to block them automatically. Honeypots usually include tools for logging the hack attempts they observe.

The most popular honeypot software is Honeyd. You can use other IDS software (such as Snort) along with Honeyd.

For Web applications, mod_security, an open source intrusion detection and prevention engine, is very popular AIDS software. Operating as an Apache Web server module, mod_security examines HTTP queries to protect Web applications from known and sometimes unknown attacks. The practical use of mod_security will be discussed in Part 2 of this article.

HIDS software runs locally on every server to detect alien (or unwelcome) changes to local configuration files or services. HIDS software is divided into system integrity verifiers (SIV), log file monitors (LFM), and operating system patches (OS extenders), which add security functionality to the OS itself. (The HIDS discussed in this article are completely OS-dependent, and most of them are written for Linux.)

The AIDE (Advanced Intrusion Detection Environment) utility, an open source alternative to Tripwire, is typical SIV software that monitors file system changes. It uses checksums and directory structure dumps to check whether data has changed, and it also checks the size and attribute settings of files. It builds a database of the files selected by regular expressions; you can then use that database to check the integrity of files on the server, employing any one of several message digest algorithms to ensure that the files have not been altered.

The sXid program is an all-in-one suid/sgid bit monitor designed to run from cron on a regular basis. Because the suid/sgid bits on executable files let a local user (or intruder) gain elevated privileges, unexpected changes to them are very dangerous. sXid tracks any changes in your suid/sgid files and folders. If it detects new ones, ones that are no longer set, or ones whose bits or other modes have changed, it reports the changes in an easy-to-read format via e-mail or on the command line.

chkrootkit is a shell script that checks system binaries for rootkit modification. It looks for known “signatures” in “Trojaned” system binaries, recognizes more than 50 rootkits, and runs on numerous platforms.

As a rule, all operating systems already include some tools for basic IDS monitoring. Among them are various scripts and executable programs designed to run regularly from cron. For example, the FreeBSD operating system has special security scripts (/etc/periodic/daily/450.status-security and others) that run daily.

You can easily write such scripts yourself using checksum tools such as md5, and you can perform suid/sgid bit monitoring with the standard find utility. This is an example of how you can get a file’s checksum from the Unix shell:

white@dragon:~> md5 postfix-delete.sh
MD5 (postfix-delete.sh) = 9ed41add22f840c3311dd30b4f045d6b

The following output results from a command that gives you a list of files with the suid and sgid bit set:

white@dragon:/etc> find /usr/bin -perm -6000 -print -ls
 8280  272 -r-sr-sr-x    1 uucp  dialer  123888 Jul 23  2001 /usr/bin/cu
 7943  190 -r-sr-sr-x    1 uucp  dialer   96752 Jul 23  2001 /usr/bin/uustat
 8250   46 -r-sr-sr-x    1 root  daemon   22728 Jul 23  2001 /usr/bin/lpq
 8251   52 -r-sr-sr-x    1 root  daemon   26216 Jul 23  2001 /usr/bin/lpr
 8252   44 -r-sr-sr-x    1 root  daemon   21676 Jul 23  2001 /usr/bin/lprm
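As an added example (not from the article, and not the code of AIDE or sXid), the following POSIX shell script combines the two checks above into a cron-style baseline checker: it records the md5 digests and the suid/sgid inventory of a directory tree once, and on later runs reports every file whose content digest or suid/sgid mode differs from the baseline. It assumes that either md5sum (GNU) or md5 (BSD) is installed and that file paths contain no newlines.

```shell
#!/bin/sh
# Cron-style integrity and suid/sgid baseline checker (added example).
#   baseline_init  TREE BASEDIR   records the baseline
#   baseline_check TREE BASEDIR   reports changes; returns 0 = clean, 1 = changed

# Digest of one file: md5sum on GNU/Linux, md5 -q on BSD (assumes one exists).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# "digest  path" for every regular file, sorted so two runs diff line by line.
checksum_tree() {
    find "$1" -type f | sort | while read -r f; do
        printf '%s  %s\n' "$(md5_of "$f")" "$f"
    done
}

# "mode path" for every file with the suid OR sgid bit set. The article's
# find -perm -6000 lists only files with both bits; -o catches either one.
suid_tree() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; \
        | awk '{print $1, $NF}' | sort
}

baseline_init() {
    mkdir -p "$2"
    checksum_tree "$1" > "$2/checksums"
    suid_tree "$1" > "$2/suid"
}

# Compare the current state with the baseline. "<" lines are baseline entries
# that vanished or changed; ">" lines are the new state. cron mails the output.
baseline_check() {
    changed=0
    checksum_tree "$1" > "$2/checksums.now"
    suid_tree "$1" > "$2/suid.now"
    if ! diff "$2/checksums" "$2/checksums.now" > "$2/checksums.diff"; then
        echo "INTEGRITY: checksum changes under $1"
        grep '^[<>]' "$2/checksums.diff"
        changed=1
    fi
    if ! diff "$2/suid" "$2/suid.now" > "$2/suid.diff"; then
        echo "SUID/SGID: mode changes under $1"
        grep '^[<>]' "$2/suid.diff"
        changed=1
    fi
    return $changed
}

# When run directly from cron: integrity.sh init|check TREE BASEDIR
case "${1:-}" in
    init)  baseline_init "$2" "$3" ;;
    check) baseline_check "$2" "$3" ;;
esac
```

A non-zero exit from the check step is what you would wire to an e-mail alert in the cron job; the baseline directory itself should live on read-only or offline storage so an intruder cannot simply re-initialize it.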

Logcheck is typical LFM software that helps spot problems and security violations in your log files automatically and sends the results to you via e-mail. Many SIV HIDS already include their own versions of log-checking software as well.

Logsurfer is a log checking and auditing tool similar to logcheck, but with the added capability to handle multi-line messages and dynamically adapt the rule set. Written in portable C, logsurfer is well documented, fast, and flexible. It works on any plain-text file or standard input, can run at intervals or continuously, and has timeouts and resource limits.

Swatch (Simple Watch Daemon) is a program for UNIX system logging. Originally written in Perl, it actively monitors messages as they are written to a log file via the UNIX syslog utility. Swatch was designed to keep system administrators from being overwhelmed by large quantities of log data. It monitors log files, filters out unwanted data, and takes one or more simple user-specified actions based upon patterns in the log. Swatch can monitor information as it is being appended to the log file and alert system administrators immediately to serious system problems as they occur.

Operating System Patches
LIDS (Linux Intrusion Detection System) is a complex collection of patches for the Linux kernel and utilities that raise the operating system’s security level by reducing the chance of an intruder gaining privileged rights in the system. It also includes support for Mandatory Access Control (MAC), which provides port scan detection and file and process protection. Once these patches are in place, even the superuser (and its processes) is restricted to the rule sets configured beforehand, so you should be very careful when installing and enabling them.

OpenWall is one of the most popular Linux patches. This cluster of patches is a collection of security-related features for the Linux kernel, all configurable via the new Security options configuration section. In addition to new features, some versions of OpenWall contain various security fixes.

Its patches are also part of Owl (Openwall GNU/*/Linux), a security-enhanced operating system with Linux and GNU software as its core, which keeps OpenWall compatible with the other major GNU/*/Linux server distributions.

SELinux (Security-enhanced Linux) is a U.S. National Security Agency project. The system’s security mechanisms provide flexible support for a wide range of security policies. They enable you to configure the system to meet a wide range of security requirements. The release includes a general-purpose security policy configuration designed to meet a number of security objectives as an example of how this may be done. SELinux is known as an effective solution for protecting against even unknown attacks.

The MAC Framework is one of two significant new security mechanisms introduced in the fifth release of the FreeBSD operating system (from the TrustedBSD project); file system Access Control Lists (ACLs) are the other. MAC loads access control modules, each of which implements a security policy. Some protect a narrow subset of the system, hardening a particular service, while others provide comprehensive labeled security across all subjects and objects. The MAC Framework is very similar to the SELinux project.

Grsecurity, a Linux-based project licensed under the GPL, is an innovative approach to security that utilizes a multi-layered detection, prevention, and containment model. It also is a set of patches for the Linux kernel and its utilities. Its most interesting features are role-based access control (RBAC), chroot restrictions, address space modification protection, and different auditing features.

NIDS are divided into three categories: port scan detectors (PSD), sniffers, and firewalls. The most typical NIDS software is the common packet filter or firewall (ipf and ipfw in FreeBSD, iptables in Linux, pf in OpenBSD, etc.), which has the option of logging to analyze the network traffic that comes through the router or a server.

PortSentry is PSD-related software designed to detect and respond to port scans against a target host in real-time. It runs on TCP and UDP sockets and works on most UNIX systems. Advanced stealth detection modes, which detect SYN, FIN, NULL, XMAS, and Oddball packet scans, are available only under the Linux OS. All modes support real-time alerting and blocking.

scanlogd is another port scan detector, from Solar Designer. It is a TCP port scan detection tool originally written to present the various attacks with which an IDS developer has to contend. Now part of the OpenWall project, scanlogd recognizes all of the latest nmap scans.

A sniffer is software designed to listen to network traffic. The most popular are tcpdump, ethereal, and Sniffit. Although they are not IDS themselves, you can parse their output and use that data to protect your system against intrusions and attacks.

Snort is the best-known open source network intrusion detection system. Based on the libpcap library, it can perform both protocol analysis and signature matching. Using its numerous extensions, you can drive firewalls to block unwanted traffic (for example, the fwsnort application, which manages iptables rules on Linux). You can also connect Snort to SQL Server, MySQL, or PostgreSQL and to the PHP console ACID, which makes it one of the most advanced NIDS available today.

Prelude is an innovative Hybrid Intrusion Detection (HID) system designed to be modular, distributed, and fast. Prelude can find traces of malicious activity from different sensors (Snort, Honeyd, Nessus Vulnerability Scanner, Samhain, over 30 types of systems logs, and many others) to better verify an attack, and it makes automatic correlations between the various events.

The Evolution of IDS
As you can see, IDS is not just a simple system to keep your servers safe. Nowadays, it has become a popular term that encompasses various kinds of systems, and every shop requires its own IDS solution.

IDS systems already are morphing into IPS (intrusion prevention systems). In today’s fast-paced Internet time, people often aren’t fast enough to protect themselves—even with powerful monitors and detectors. That’s why certain projects are trying to enable the IDS to analyze data and also make changes in real time. As previously mentioned, Snort already has modules to communicate with firewalls.


