[nylug-talk] Intrusion Detection
H. G.
tekronis at gmail.com
Fri Mar 28 01:13:47 EDT 2008
On 3/28/08, Rodrick Brown <rodrick.brown at gmail.com> wrote:
>
> On Thu, Mar 27, 2008 at 8:43 PM, H. G. <tekronis at gmail.com> wrote:
> > A good <time_of_day_goes_here> to you all.
> >
> > I'm quite interested in hearing what the wizened and tooth-cut
> > Linux users of the list have to say on the subject of IDSes. I'm
> > currently using OSSEC, and it isn't too bad. Since it's fairly
> > new, it's moving along decently. Of course we've all heard
> > about Tripwire, but I decided to avoid it since the open source
> > version seemed dead ever since the Tripwire guys went commercial.
> >
> > As I recall, the most low impact way to monitor the filesystem was
> > with fam or something, since fam alerts you when files change,
> > as opposed to you manually sweeping the filesystem looking
> > for changes (causing lots of disk activity and performance
> > problems in the process). OSSEC doesn't use the former
> > strategy, unfortunately. :-(
> >
> > There's also aide, but I never gave it a shot. OSSEC's swank
> > web interface makes it easy for folks to view anomalies.
> > So what has been everyone's experiences?
> >
> > DISCLAIMER: we all know IDSes won't _prevent_ attacks,
> > intrusions or exploitations, but at the very least with them around,
> > there's a chance you'll *find out*, which is always better than
> > being entirely clueless.
>
>
> IDS/IPS are just a waste of bandwidth, I feel as it's much faster to
> reimage a system these days than going through IDS logs to figure out
> what has been compromised. I personally feel the entire network
> IDS/IPS market is dead; who is buying these devices?
>
> --
> [ Rodrick R. Brown ]
> http://www.rodrickbrown.com
> http://www.linkedin.com/in/rodrickbrown
I wasn't talking about network intrusion detection devices. I specifically mean
host-based IDS software that tracks file alteration or possible compromise
scenarios. That's why I mentioned Tripwire, OSSEC and AIDE. Even network
intrusion detection can be useful too: if you've got a specific proprietary app
running at a certain port, and you know for a fact that you're not expecting
any other kind of traffic to go there, such as an SSH connection attempt, then
it would be good to know if that ever did happen, because that might signal
some attempt; perhaps someone is attempting to connect to each open port
looking for your SSH daemon.

That's why I said before that although it's obvious these won't *prevent*
attack, at the very least, they make it possible for you to be clued in.

And I don't think we can just reimage our machines and continue onwards
after an attack. You've got reporting to do, and you need to be able to say
what was touched, on what systems, where in the hierarchy and how...
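As an added illustration (not code from OSSEC, AIDE or Tripwire, and not part of the original thread), here is the baseline-and-sweep model of host-based file integrity checking the reply refers to: hash, permission bits and owner are recorded once, and a later sweep is diffed against that record so you can say what was touched and how. The tree built in demo() is constructed for the example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Record content hash, permission bits and owner of every regular file under root."""
    base = Path(root)
    entries = {}
    for p in sorted(base.rglob("*")):
        if p.is_symlink() or not p.is_file():  # lstat-style view: skip links and dirs
            continue
        st = p.lstat()
        entries[str(p.relative_to(base))] = {
            "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    return entries


def compare(baseline: dict, current: dict) -> dict:
    """Report added/removed paths and, for surviving paths, which attributes changed."""
    modified = {}
    for path in sorted(baseline.keys() & current.keys()):
        changed = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
        if changed:
            modified[path] = changed
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": modified}


def demo() -> dict:
    """Constructed scenario (hypothetical tree): baseline, tamper, diff."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "ls").write_bytes(b"original binary")
    (root / "shadow").write_bytes(b"root:x:0:0")
    (root / "sshd_config").write_bytes(b"PermitRootLogin no")
    os.chmod(root / "sshd_config", 0o600)
    baseline = snapshot(str(root))
    (root / "bin" / "ls").write_bytes(b"replaced binary")  # contents swapped
    os.chmod(root / "sshd_config", 0o644)                  # permissions loosened
    (root / "shadow").unlink()                             # file removed
    (root / "unexpected.so").write_bytes(b"new file")      # file added
    return compare(baseline, snapshot(str(root)))
```

A real deployment keeps the baseline somewhere the monitored host cannot silently rewrite it (read-only media or a separate log host), since an intruder who can alter the files can otherwise alter the record too.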