[nylug-talk] Intrusion Detection
H. G.
tekronis at gmail.com
Mon Mar 31 15:46:01 EDT 2008
On Fri, Mar 28, 2008 at 12:30 PM, Chris Knadle <Chris.Knadle at coredump.us> wrote:
> On Thursday 27 March 2008, H. G. wrote:
> > As I recall, the most low-impact way to monitor the filesystem was
> > with fam or something, since fam alerts you when files change,
> > as opposed to you manually sweeping the filesystem looking
> > for changes (causing lots of disk activity and performance
> > problems in the process). OSSEC doesn't use the former
> > strategy, unfortunately. :-(
>
> I've been playing around with Osiris some. One of the complaints that's
> typical of AIDE, Tripwire, etc., is that the checksums for files are stored
> locally (with an offline copy to verify). Osiris stores and checks checksums
> using an encrypted connection with a remote server (unless of course the
> daemon and client are on the same box). It's worth a look.
>
Nice. That's an excellent point. How's Osiris' web console? [Does it have
one? Because from what I can tell, it doesn't seem as if it does.]
> > DISCLAIMER: we all know IDSes won't _prevent_ attacks,
> > intrusions or exploitations, but at the very least with them around,
> > there's a chance you'll *find out*, which is always better than
> > being entirely clueless.
>
> IDSes also false alarm after a system update, so you have to remember to
> update the IDS after doing so if you don't want false alarm emails. Too many
> false alarms and the "real problem" will end up getting ignored.
>
> -- Chris
>
I figured that could happen. The formal way of dealing with that is to have an
enforced maintenance policy where we have maintenance windows within which
systems are brought into a semi-down state just for the purposes of upgrades
and installation. Probably have the firewall block all traffic except SSH
connections from the administrative site, bring down the HIDS (or put it into
standby mode), and do whatever work needs to be done to the host.
>
> --
>
> Chris Knadle
> Chris.Knadle at coredump.us
>
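The thread above contrasts checksum-sweep HIDS tools (AIDE, Tripwire, Osiris) with event-driven monitoring, and Chris's point that a baseline goes stale after a system update. The following is an added example, not code from the list, from Osiris, or from any of the tools named: a minimal file-integrity checker in the sweep style, with a baseline store and a re-baseline step that plays the role of "update the IDS after the maintenance window". The sample tree, file contents and the `demo()` driver are constructed for the illustration; a real deployment would keep the baseline off-host (as Osiris does) rather than in a local JSON file.

```python
"""Minimal sweep-style file-integrity checker (constructed example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 in 64 KiB chunks (no whole-file read)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Sweep root and record hash, size and permission bits per regular file.

    This is the expensive "manual sweep" the thread mentions: every file is
    read on every run, which is why event-driven monitoring is cheaper.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(str(root)):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and special files are out of scope here
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files that were added, removed, or whose hash/size/mode changed."""
    known, now = set(baseline), set(current)
    return {
        "added": sorted(now - known),
        "removed": sorted(known - now),
        "changed": sorted(k for k in known & now if baseline[k] != current[k]),
    }


def save_baseline(baseline: dict, db: Path) -> None:
    db.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(db: Path) -> dict:
    return json.loads(db.read_text())


def demo() -> dict:
    """Run the check before, after, and after re-baselining a simulated update."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"          # constructed stand-in for a monitored tree
        root.mkdir()
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        db = Path(tmp) / "baseline.json"  # kept outside the monitored tree
        save_baseline(build_baseline(root), db)

        # 1) Routine check with nothing touched: no alerts.
        quiet = compare(load_baseline(db), build_baseline(root))

        # 2) A package update rewrites one file and drops in a new one.
        #    Against the old baseline this is indistinguishable from tampering,
        #    which is exactly the false-alarm problem raised in the thread.
        (root / "hosts").write_text("127.0.0.1 localhost\n::1 localhost\n")
        (root / "motd").write_text("Welcome\n")
        after_update = compare(load_baseline(db), build_baseline(root))

        # 3) Maintenance-window step: re-baseline after the sanctioned change
        #    so the next routine check is quiet again.
        save_baseline(build_baseline(root), db)
        after_rebaseline = compare(load_baseline(db), build_baseline(root))

    return {
        "quiet": quiet,
        "after_update": after_update,
        "after_rebaseline": after_rebaseline,
    }


if __name__ == "__main__":
    for stage, report in demo().items():
        print(stage, json.dumps(report))
```

The important discipline is in step 3: re-baselining must only happen as part of a controlled maintenance window, after the operator has confirmed that every reported change is the expected one. Re-baselining automatically after any alert would silence exactly the changes the checker exists to catch.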