The Next Stage in Linux IDS - Prelude-IDS and Auditd Presented By Gary Smith


Page 1: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

The Next Stage in Linux IDS - Prelude-IDS and Auditd

Presented By Gary Smith

Page 2: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

What is an Intrusion Detection System (IDS)?

An Intrusion Detection System (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems, mainly through a network such as the Internet. These attempts may take the form of attacks by, for example, hackers, malware and/or disgruntled employees.

Page 3: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

What does an IDS do?

An intrusion detection system is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes:

  • Network attacks against vulnerable services
  • Data-driven attacks on applications
  • Host-based attacks such as privilege escalation
  • Unauthorized logins and access to sensitive files
  • Malware (viruses, trojan horses, and worms)

Page 4: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Components of an IDS

An IDS can be composed of several components:

  • Sensors, which generate security events
  • A Console to monitor events and alerts and control the sensors
  • A Central Engine that records events logged by the sensors in a database and uses a system of rules to generate alerts from the security events received

There are several ways to categorize an IDS depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In many simple IDS implementations, all three components are combined in a single device or appliance.

Page 5: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

IDS Terms

  • Alert/Alarm - A signal suggesting a system has been or is being attacked.
  • False Positive - An alert or alarm that is triggered when no actual attack has taken place.
  • False Negative - A failure of an IDS to detect an actual attack.
  • Noise - Data or interference that can trigger a false positive.
  • Alarm filtering - The process of categorizing attack alerts produced by an IDS in order to distinguish false positives from actual attacks.

Page 6: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Types of IDS - NIDS

A Network Intrusion Detection System (NIDS) is an independent platform which identifies intrusions by examining network traffic and monitors multiple hosts. Network Intrusion Detection Systems gain access to network traffic by connecting to a hub, a network switch configured for port spanning, or a network tap. An example of a NIDS is Snort.

Page 7: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Types of IDS - HIDS

A Host-based Intrusion Detection System (HIDS) consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/ACL databases) and other host activities and state. An example of a HIDS is Tripwire.

Page 8: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Types of IDS - PIDS

A Protocol-based Intrusion Detection System (PIDS) consists of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication protocol between a connected device (a user/PC or system) and the server. For a web server this would typically monitor the HTTPS protocol stream and understand the HTTP protocol relative to the web server/system it is trying to protect. Where HTTPS is in use, this system would need to reside in the "shim", or interface, between where HTTPS is decrypted and immediately prior to its entering the web presentation layer. An example of a PIDS is mod_security.

Page 9: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Types of IDS - APIDS

An Application Protocol-based Intrusion Detection System (APIDS) consists of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application-specific protocols. For example, in a web server with a database this would monitor the SQL protocol specific to the middleware/business logic as it transacts with the database. An example of an APIDS is Secerno.

Page 10: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Types of IDS - Hybrid IDS

A Hybrid Intrusion Detection System combines two or more approaches. Host agent data is combined with network information to form a comprehensive view of the network. An example of a Hybrid IDS is Prelude.

Page 11: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

A Linux Host Intrusion Detection System Architecture

1. Auditd receives events from the kernel and sends them to Snare.
2. Snare matches these events against criteria and sends messages to the centralized log server running syslog-ng.
3. Syslog-ng acts as the gathering point and funnels the messages into a FIFO.
4. A Perl program empties the FIFO and inserts the messages into a MySQL database.
5. PHP-Syslog-NG searches and displays the information in the database in a concise manner.

Page 12: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Componentizing the Architecture

  • Sensor - Auditd/Snare
  • Console - PHP-Syslog-NG
  • Central Engine - Syslog-NG/Perl Program/MySQL

Page 13: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Pros and Cons of the Architecture - Pros

  • Uses off-the-shelf components and protocols.
  • Auditd is part of the Linux "standard package."
  • Snare makes it easy to define and capture events of interest.
  • Syslog-NG is an enterprise-grade logging agent with extensive filtering capabilities.
  • PHP-Syslog-NG has a good interface for retrieving information from the database.

Page 14: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Snare Objective Interface

Page 15: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

PHP-Syslog-NG Interface - "The Big Board"

Page 16: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Pros and Cons of the Architecture - Cons

  • UDP is the transport protocol for Syslog-NG.
  • Data is sent "in the clear."
  • No easy way to know if a Snare sensor has died.
  • The levels of criticality in Snare don't map 1-for-1 to Syslog-NG (5 versus 8).
  • The alert output can be a bit daunting without a practiced eye.

Page 17: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

PHP-Syslog-NG Display


Page 18: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

The Next Stage Architecture

1. Auditd receives events based on rules from the kernel and passes them to the audispd dispatcher.
2. Audispd sends event data to the audispd plugins, in this case audisp-prelude.
3. Audisp-prelude formats the event as an Intrusion Detection Message Exchange Format (IDMEF) message and, using libprelude, sends it to the Prelude-manager.
4. The Prelude-manager puts the message in a MySQL database.
5. Prewikka searches and displays the information in the database.

Page 19: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Rules for Events

Syscall Audit Rules. For example, to see opens by users that failed due to a permission violation:

-a exit,always -S open -F exit=-EACCES -F auid>=500 -F auid!=4294967295

File System Audit Rules. For example, to see write, read, execute, or attribute changes to /etc/shadow:

-a exit,always -F path=/etc/shadow -F perm=wrxa -k ids-shadow

Look in /usr/share/doc/audit-x.y.z for examples of rules.
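The two rules above only make the kernel emit audit records; something downstream (audisp-prelude in this architecture) still has to pick the interesting ones out. As an added illustration, not code from the presentation or from the audit or Prelude projects, this Python script parses constructed audit.log records of the kind those rules produce, joins the SYSCALL and PATH records of each event by serial number, and re-applies the same filters in userspace. It assumes x86_64 syscall numbering (syscall 2 = open) and uses constructed sample records.

```python
import re
from collections import defaultdict

# Constructed audit.log records (not real captures): a failed open by a user (456), a daemon open with auid unset (457), a keyed write to /etc/shadow (458).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1300000000.123:456): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=1234 auid=500 uid=500 euid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1300000000.123:456): item=0 name="/etc/shadow" inode=1 dev=08:01 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1300000000.124:457): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=99 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key=(null)
type=SYSCALL msg=audit(1300000000.125:458): arch=c000003e syscall=2 success=yes exit=4 items=1 pid=1301 auid=501 uid=0 euid=0 tty=pts1 ses=2 comm="vi" exe="/usr/bin/vi" key="ids-shadow"
type=PATH msg=audit(1300000000.125:458): item=0 name="/etc/shadow" inode=1 dev=08:01 mode=0100400 ouid=0 ogid=0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value, value may be quoted
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\):')  # the per-event serial number
EACCES = -13               # -F exit=-EACCES in the slide's syscall rule
UNSET_AUID = 4294967295    # login uid of daemons, excluded by -F auid!=4294967295
MIN_USER_AUID = 500        # -F auid>=500 in the same rule
OPEN_SYSCALL_X86_64 = "2"  # -S open resolves to syscall 2 for arch=c000003e (x86_64)

def parse_record(line):
    # Split one record into a dict; quoted values lose their quotes.
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["_serial"] = SERIAL_RE.search(line).group(1)
    return rec

def group_events(text):
    # Join the SYSCALL and PATH records that share an event serial.
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        ev = events[rec["_serial"]]
        if rec["type"] == "SYSCALL":
            ev.update(rec)
        elif rec["type"] == "PATH" and rec.get("item") == "0":
            ev["path"] = rec["name"]
    return events

def detect(events):
    # Apply the two slide rules; each hit is (serial, detection, auid, path, exe).
    alerts = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        auid = int(ev.get("auid", UNSET_AUID))
        real_user = auid >= MIN_USER_AUID and auid != UNSET_AUID
        if (ev.get("syscall") == OPEN_SYSCALL_X86_64
                and int(ev.get("exit", "0")) == EACCES and real_user):
            alerts.append((serial, "eacces-open", auid, ev.get("path"), ev.get("exe")))
        if ev.get("key") == "ids-shadow":
            alerts.append((serial, "ids-shadow", auid, ev.get("path"), ev.get("exe")))
    return alerts
```

Running `detect(group_events(SAMPLE_LOG))` yields two alerts: the EACCES open of /etc/shadow by auid 500, and the keyed ids-shadow access by the root shell whose login uid is 501; the daemon's open with auid unset is filtered out exactly as the auid!=4294967295 clause intends.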

Page 20: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Audisp-prelude

Audisp-prelude is an audispd plugin that:

  • Reads the audit stream.
  • Identifies suspicious events.
  • Sends the most interesting ones to the Prelude-manager.
  • Has 15 different configurable detections.

Page 21: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Audisp-prelude Detection Options

  • SE Linux AVCs
  • Detect any login
  • Detect output from pam_tally2
  • Detect output from pam_limits
  • Detect output from pam_access
  • Detect output from pam_time
  • Detect any abnormal terminations: segv, abort
  • Detect opening of promiscuous socket
  • Detect changes in SE Linux configuration
  • Detect failures in group password auth
  • Detect any login for account being watched
  • Detect access to file being watched
  • Detect execution of specific programs
  • Detect the creation of executables

Page 22: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Prelude Sensors

  • Auditd
  • Nepenthes
  • NUFW
  • OSSEC
  • Samhain
  • SanCP
  • Snort

Page 23: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Prelude Sensors

Prelude-LML:

  • Apache
  • Arpwatch
  • Asterisk
  • Cisco equipment
  • Clamav
  • Nagios
  • Pam
  • Portsentry
  • Postfix
  • Sonicwall
  • Spamassassin
  • Syslog
  • webmin

Page 24: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Libprelude

  • Sensor must be registered to its manager
  • Communication is encrypted
  • Failover capability when the manager cannot be contacted
  • Relay events from manager to manager

Page 25: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Prewikka

  • Apache-based CGI program
  • Has a database of recent alerts
  • Allows multiple users with different permissions
  • Sort/select alerts by type, host, target, severity, sensor, and many more ways at the top of the columns

Page 26: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Prewikka Alerts

Page 27: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Prewikka Alerts

Page 28: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Prewikka Alerts

Page 29: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Prewikka Agents

Page 30: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

The Future

  • Add mod_security2 log format parsing to Prelude-LML
  • Add more sensors: Rogue DHCP detection
  • Add more detections to the auditd sensor: Changing UID, Account failures, Crypto failures
  • Reactive Countermeasures

Page 31: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

Questions?

Prelude: http://www.prelude-ids.com
Auditd: /usr/share/doc/audit-x.y.z/

Page 32: The Next Stage in Linux IDS - Prelude-IDS and  Auditd

A national scientific user facility integrating experimental and computational resources for discovery and technological innovation