If you're looking for a good network intrusion detection system, try Snort.
http://www.snort.org

I've been using the nightly CVS versions and they seem to work well.  If you
set it up to log to a mysql database, you can use ACID which is a PHP based
query tool to run reports on the types of attacks people are launching on
you.  For alerting, you'll want to use swatch with a carefully crafted
config file.  If you're on a very large network, you probably don't want to
get paged for every little portscan or large ICMP packet.  However, for your
home network, you might want to.  There's another ruleset at
http://www.whitehats.com/ids that has some interesting rules in it.  By
using multiple snort boxes, you can split the load up on a large network and
just log to the same database server.  Put half of the rules on one box, and
the other half on another box.  My PIII 750 sits at 100% cpu when sniffing
20Mbit/sec and using the defrag preprocessor.  Maybe a newer CVS version
will fix that, but you can always turn off defrag.

I noticed that the ruleset can generate a lot of false positives on a very
busy network.  Some of the rules you may have to modify or remove if you're
getting too many alerts on them.  Of course, you'll want to figure out if
they are false positives or not first.  Unfortunately, as of now, each
portscan shows up as a unique attack; it doesn't group them together yet.
Work is progressing extremely fast on it though.  I'm planning on writing a
GRE decoder plugin for it so I can sniff traffic in unencrypted GRE tunnels.
I just have to find some time.  :)

Jay



> -----Original Message-----
> From: Bob Tanner [mailto:tanner at real-time.com]
> Sent: Sunday, December 31, 2000 3:06 PM
> To: tclug-list at lists.real-time.com
> Subject: Re: [TCLUG] Linux Intrustion Detection?
> 
> 
> Quoting Ben Kochie (ben at nerp.net):
> > RJ11 behind me says "tripwire" I was about to suggest 
> looking at LIDS tho.
> > 
> 
> Tripwire is for changes to file systems, I guess I should have
> talked about network
> intrusion.
> -- 
> Bob Tanner <tanner at real-time.com>       | Phone : (952)943-8700
> http://www.mn-linux.org                 | Fax   : (952)943-8500
> Key fingerprint =  6C E9 51 4F D5 3E 4C 66 62 A9 10 E5 35 85 39 D9 
> 
> _______________________________________________
> tclug-list mailing list
> tclug-list at lists.real-time.com
> https://mailman.real-time.com/mailman/listinfo/tclug-list
>