owadays, basic information security at any level should include an intrusion detection system (IDS) that gathers and later analyzes intrusion data. The primary goal of IDS software is monitoring hostile operations of all types, whether human (hackers and crackers) or programmatic (viruses, Trojan horses). An IDS can function on a particular server or in an entire segment of a network.
Although the market for IDS-related software is pretty large, finding a tool that will work for your specific case isn’t always easy. That is why IDS software is categorized into three classes:
- Application-based intrusion detection system (AIDS). AIDS monitors specific applications (or services).
- Host-based intrusion detection system (HIDS). HIDS is a software cluster that consists of an auditor for the file system, log file analyzers, an operating system monitor, and a monitor for software changes. Sometimes it includes several AIDS tools as well.
- Network-based intrusion detection system (NIDS). NIDS software is used mostly for analyzing network activity: traffic and load.
In my experience, commercial solutions usually try to implement the basics of all detection systems into single products, which often end up being overpriced and too expensive for many small and medium-sized businesses. On top of that, all these functions are overkill in most cases. For these reasons, I believe that intrusion detection software should be open source. The first article in this two-part series examines the most popular non-commercial IDS solutions.
The most popular non-commercial AIDS tools are honeypots. A honeypot is network services emulation software that allows system administrators to monitor an intruder’s actions. Although not actual operating systems, honeypots emulate real running operating systems to serve as a bait for potential attackers. The primary goal is to analyze attacks, but some honeypot products use internal signatures for known attacks to automatically block them as well. Honeypots usually include tools for registering the hack attempts they monitor.
For Web applications, mod_security, an open source intrusion detection and prevention engine, is very popular AIDS software. Operating as an Apache Web server module, mod_security examines HTTP queries to protect Web applications from known and sometimes unknown attacks. The practical use of mod_security will be discussed in Part 2 of this article.
HIDS software runs locally on every server to detect alien (or unwelcome) changes in the functionality of local configuration files or services. HIDS software is divided into system integrity verifiers (SIV), log file monitors (LFM), and operating system patches (OS extenders), which add functionality to the set of OS functions. (The HIDS discussed in this article are completely OS-dependent, and most of them are written for Linux.)
The AIDE (Advanced Intrusion Detection Environment) utility, an open source alternative to Tripwire, is typical SIV software that monitors file system changes. It uses checksum technology and directory structure dumps to check whether data has changed. It also checks the size and attribute settings of files, generates a database, and using regular expressions, determines which files get added to the database. You can then use the database to check the integrity of files on the server by employing any one of several message digest algorithms to ensure that the files have not been altered.
The sXid program is an all-in-one suid/sgid bit monitor designed to run from cron on a regular basis. Using the suid/sgid bit attributes on the executable files, the local user (intruder) can gain privileged priorities, which is very dangerous. Basically, sXid tracks any changes in your suid/sgid bit files and folders. If it detects any new ones—ones that aren’t set any more or that have changed bits or other modes—it reports the changes in an easy-to-read format via e-mail or on the command line.
Chrootkit is a shell script that checks system binaries for rootkit modification. It looks for known “signatures” in “Trojaned” system binaries. It knows more than 50 Trojan programs (rootkit) and runs on numerous platforms.
As a rule, all operating systems already include some tools for basic IDS monitoring. Among them are different scripts and executable programs, which are designed to run regularly (from the cron). For example, the FreeBSD operating system has special security scripts (/etc/periodic/daily/450.status-security and others) that run daily.
You can easily make such scripts yourself using different programs for getting file checksums (md5). You also can easily perform suid/sgid bit monitoring using the internal program find. This is an example of how you can get the file checksum from the Unix shell:
white@dragon:~>md5 postfix-delete.shMD5 (postfix-delete.sh) = 9ed41add22f840c3311dd30b4f045d6b
The following output results from a command that gives you a list of files with the suid and sgid bit set:
white@dragon:/etc>find /usr/bin -perm -6000 -print -ls 8280 272 -r-sr-sr-x 1 uucp dialer 123888 Jul 23 2001 /usr/bin/cu 7943 190 -r-sr-sr-x 1 uucp dialer 96752 Jul 23 2001 /usr/bin/uustat 8250 46 -r-sr-sr-x 1 root daemon 22728 Jul 23 2001 /usr/bin/lpq 8251 52 -r-sr-sr-x 1 root daemon 26216 Jul 23 2001 /usr/bin/lpr8252 44 -r-sr-sr-x 1 root daemon 21676 Jul 23 2001 /usr/bin/lprm
Logcheck is typical LFM software that helps spot problems and security violations in your log files automatically and sends the results to you via e-mail. Many SIV HIDS already include their own versions of log-checking software as well.
Logsurfer is a log checking and auditing tool similar to logcheck, but with the added capability to handle multi-line messages and dynamically adapt the rule set. Written in portable C, logsurfer is well documented, fast, and flexible. It works on any plain-text file or standard input, can run at intervals or continuously, and has timeouts and resource limits.
Swatch (Simple Watch Daemon) is a program for UNIX system logging. Originally written in Perl, it actively monitors messages as they are written to a log file via the UNIX syslog utility. Swatch was designed to keep system administrators from being overwhelmed by large quantities of log data. It monitors log files, filters out unwanted data, and takes one or more simple user-specified actions based upon patterns in the log. Swatch can monitor information as it is being appended to the log file and alert system administrators immediately to serious system problems as they occur.
Operating System Patches
LIDS (Linux Intrusion Detection System) is a complex collection of patches for the Linux kernel and utilities, which increase the operating system’s security level by reducing the possibility of an intruder gaining privileged rights in the system. It also includes support for Mandatory Access Control (MAC), a system that enables port scan detection and file and processes protection. As a result of implementing these software patches, even the super-user privilege (and its processes) will be limited to previously implemented rule sets. As such, you should be very precise in your installation and enablement of these patches.
OpenWall is one of the most popular Linux patches. This cluster of patches is a collection of security-related features for the Linux kernel, all configurable via the new Security options configuration section. In addition to new features, some versions of OpenWall contain various security fixes.
Its patches also are part of the Owl (Openwall GNU/*/Linux), a security-enhanced operating system with Linux and GNU software as its core, making OpenWall compatible with other major distributions of the GNU/*/Linux server platform.
SELinux (Security-enhanced Linux) is a U.S. National Security Agency project. The system’s security mechanisms provide flexible support for a wide range of security policies. They enable you to configure the system to meet a wide range of security requirements. The release includes a general-purpose security policy configuration designed to meet a number of security objectives as an example of how this may be done. SELinux is known as an effective solution for protecting against even unknown attacks.
The MAC Framework is one of two significant new security mechanisms introduced in the fifth edition of the FreeBSD operating system (from the TrustedBSD project). File system Access Control Lists (ACL) is the other. MAC loads new access control modules, which implements new security policies. Some provide protections to a narrow subset of the system, hardening a particular service, while others provide comprehensive labeled security across all subjects and objects. The MAC Framework is very similar to the SELinux project.
Grsecurity, a Linux-based project licensed under the GPL, is an innovative approach to security that utilizes a multi-layered detection, prevention, and containment model. It also is a set of patches for the Linux kernel and its utilities. Its most interesting features are role-based access control (RBAC), chroot restrictions, address space modification protection, and different auditing features.
NIDS are divided into three categories: port scan detectors (PSD), sniffers, and firewalls. The most typical NIDS software is the common packet filter or firewall (ipf and ipfw in FreeBSD, iptables in Linux, pf in OpenBSD, etc.), which has the option of logging to analyze the network traffic that comes through the router or a server.
PortSentry is PSD-related software designed to detect and respond to port scans against a target host in real-time. It runs on TCP and UDP sockets and works on most UNIX systems. Advanced stealth detection modes, which detect SYN, FIN, NULL, XMAS, and Oddball packet scans, are available only under the Linux OS. All modes support real-time alerting and blocking.
scanlogd also is a port scan detector from Solar Designer. It is a TCP port scan detection tool originally designed to present the various attacks with which an IDS developer has to contend. Now part of the OpenWall project, scanlogd recognizes all of the latest nmap scans.
A sniffer is software designed to listen for network traffic. The most popular are tcpdump, ethereal, and Sniffit. Although not IDS, you can parse their results and use that data to protect your system against intrusions and attacks.
Snort is the best known open source network intrusion detection system. Based on the libpcap library, it can analyze protocols as well as signatures. Using its numerous extenders, you can control firewalls to block the unwanted traffic (for example, you can use the fwsnort application, which allows you to control iptables rules in Linux). You also can interconnect Snort with the SQL Server, MySQL, or PostgreSQL and with the PHP console acid, one of the most advanced NIDS today.
Prelude is an innovative Hybrid Intrusion Detection (HID) system designed to be modular, distributed, and fast. Prelude can find traces of malicious activity from different sensors (Snort, Honeyd, Nessus Vulnerability Scanner, Samhain, over 30 types of systems logs, and many others) to better verify an attack, and it makes automatic correlations between the various events.
The Evolution of IDS
As you can see, IDS is not just a simple system to keep your servers safe. Nowadays, it has become a popular term that encompasses various kinds of systems, and every shop requires its own IDS solution.
IDS systems already are morphing into IPS (intrusion prevention systems). In today’s fast-paced Internet time, people often aren’t fast enough to protect themselves—even with powerful monitors and detectors. That’s why certain projects are trying to enable the IDS to analyze data and also make changes in real time. As previously mentioned, Snort already has modules to communicate with firewalls.