Saturday, May 15, 2010

HIDS

I've been working with some host-based IDS software on my (Linux) laptop lately.  It had been bothering me for quite a while that I didn't have visibility into my system.  If I were ever to suspect I had been owned, how would I know what files had changed on my drive?  Especially on one of the Windows boxes I help support (mom and dad), AV's failure to detect anything is not proof that you're clean.  New derivatives won't be seen by AV.  And even when you know with certainty that you've been infected, how can you account for everything that's been altered?  How can you confidently recover?  You can't.

Without HIDS, you're totally blind.

Actually, even with HIDS, even though you're not totally blind, you're not omniscient either.  But some is better than none.  And so I've toyed around with two HIDS on my laptop: tripwire and OSSEC.

OSSEC is nice because it runs on multiple platforms -- you can use it in Linux, Windows (and Mac too, I think).  It also offers more features than simple file checksumming, including a firewall and some AV capability.  One big problem I've had so far is that I can't figure out how to get it to give me alerts in any way other than email (and the documentation is fairly sparse).  Email alerts would actually be great, but so far I can't get them to work.  So I have to manually inspect the alert log.  Not good.

This is still work in progress, so I might eventually figure it out.

Tripwire was the first HIDS I tried, and because of the problems with OSSEC, I'm keeping it going.  The problem with tripwire is that it is a bit cumbersome.  I have it set up to run periodically as a cron job, which works smoothly.  The problem is that I have so many software updates (usually at least 2 security updates per week) that it is turning into a lot of work to keep the tripwire database updated.

Another problem I'm having with tripwire is that it keeps flagging files that I think it shouldn't -- despite the rules I've configured (probably incorrectly) -- leading to false positives.  Log files, for example.  I really don't care if they've changed.  We want them to change constantly.

All of these changes and false positives increase the risk that I could miss an illegitimate file diff and have it accepted into the tripwire checksum db as a legitimate file state.  Then I find myself guarding malice.
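To make concrete what the tripwire checksum database, its exclusion rules, and the "accept this change" step actually involve, here is a small file-integrity checker written for this post. It is an added example, not tripwire's or OSSEC's own code: the directory layout, file contents, and exclusion patterns are all constructed for the demonstration. It builds a baseline of SHA-256 hashes, leaves log paths out of the baseline so they never show up as false positives, reports added/removed/modified files the way a cron-driven check would, and, the part that matters for the risk described above, folds a change into the stored baseline only when the operator names that exact path as approved, so an unexplained file is never silently accepted alongside a legitimate package update.

```python
"""Minimal file-integrity checker in the spirit of tripwire / OSSEC syscheck.

Added example for this post, not tripwire's or OSSEC's code.  The sample
tree, file contents and exclusion patterns below are constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Paths matching any of these patterns are expected to change constantly
# (the log-file case), so they are never put into the baseline.
# These patterns are constructed for the example.
EXCLUDE_PATTERNS = [re.compile(p) for p in (r"^/var/log/", r"\.log$", r"^/tmp/")]


def excluded(relpath: str) -> bool:
    """True if the path is covered by an exclusion rule."""
    return any(p.search(relpath) for p in EXCLUDE_PATTERNS)


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk root and record hash, size and mode of every non-excluded file."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        rel = "/" + p.relative_to(root).as_posix()
        if excluded(rel):
            continue
        st = p.stat()
        baseline[rel] = {
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),  # includes setuid/setgid bits
        }
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Classify differences; this is the report a cron job would mail out."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def accept(baseline: dict, new: dict, approved: set) -> dict:
    """Fold ONLY explicitly approved paths into the stored baseline.

    Anything not named in `approved` keeps showing up on the next report,
    which is the safeguard against quietly blessing an attacker's file.
    """
    updated = dict(baseline)
    for rel in approved:
        if rel in new:
            updated[rel] = new[rel]
        else:
            updated.pop(rel, None)  # approved deletion
    return updated


def demo() -> dict:
    """Build a constructed tree, apply three kinds of change, run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "usr/bin").mkdir(parents=True)
        (root / "var/log").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "usr/bin/ssh").write_bytes(b"original binary")
        (root / "etc/passwd").write_text("root:x:0:0\n")
        (root / "var/log/syslog").write_text("boot\n")
        baseline = build_baseline(root)

        (root / "usr/bin/ssh").write_bytes(b"patched binary")        # known package update
        (root / "var/log/syslog").write_text("boot\nmore\n")         # log churn, excluded
        (root / "etc/unexpected.conf").write_text("constructed\n")   # unexplained new file

        current = build_baseline(root)
        report = compare(baseline, current)
        # Operator reviews the report and approves only the update they recognise.
        accepted = accept(baseline, current, {"/usr/bin/ssh"})
        leftover = compare(accepted, current)
        return {
            "report": report,
            "leftover": leftover,
            "log_tracked": "/var/log/syslog" in baseline,
        }


if __name__ == "__main__":
    print(demo())
```

The key design point is `accept`: a wholesale "update the database to match the current state" after every round of package updates is exactly how an illegitimate change gets baked in, whereas approving by path forces the unexplained entry to stay on the report until someone explains it.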

I'll keep toying with this, and might give some other HIDS a try.  So far, it's better than nothing, but I'm not as happy as I'd hoped to be with the experience.
