Hi,

what are the recommended tools to add to a (dial-up) NAT gateway to detect attacks on that gateway? I am not (yet :->) looking for tools how to detect things after the deed is done, but for some kind of an early warning system (and I am not particularly interested in reading the raw logs emitted by ipchains). http://www.securityfocus.com/ lists a couple of things, but this seems to be just an *unreviewed* long list of tools, with rather unknown quality.

TIA
Stefan
On Thu, 4 Jan 2001, Stefan Hoffmeister wrote:
Hi,
what are the recommended tools to add to a (dial-up) NAT gateway to detect attacks on that gateway?
I am not (yet :->) looking for tools how to detect things after the deed is done, but for some kind of an early warning system (and I am not particularly interested in reading the raw logs emitted by ipchains).
lists a couple of things, but this seems to be just an *unreviewed* long list of tools, with rather unknown quality.
try snort (www.snort.org) or packemon (???) for network-based attacks. they are easy to fool, but they are available for free. :-\
all open source host-based IDS, that I know, suck.

Bye, Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
Pakemon http://www.inas.mag.keio.ac.jp/ids/pakemon/index.html
Abacus Project http://www.psionic.com/abacus/
eye on exec http://www.cs.uni-potsdam.de/homepages/students/linuxer/ok.html
AAFID http://www.cerias.purdue.edu/projects/aafid/
goodies for/and snort http://www.whitehats.com/ids/index.html

[ ]'s bacano

----- Original Message -----
From: "Thomas Biege" <thomas@suse.de>
To: "Stefan Hoffmeister" <suse.mailinglist@econos.de>
Cc: <suse-security@suse.com>
Sent: Thursday, January 04, 2001 11:48 AM
Subject: Re: [suse-security] Intrusion detection?
On Thu, 4 Jan 2001, bacano wrote:
Pakemon http://www.inas.mag.keio.ac.jp/ids/pakemon/index.html
Abacus Project http://www.psionic.com/abacus/
eye on exec http://www.cs.uni-potsdam.de/homepages/students/linuxer/ok.html

Eh, wow, ... I forgot. Yes, that's a good idea, coz it's from me :> Next holiday I hopefully find time to port it to some other BSDs. Also extension of the weak-path concept would be cool. I'd appreciate help of experienced programmers who could write detection scripts on top of this driver.
bye, Sebastian
AAFID http://www.cerias.purdue.edu/projects/aafid/
goodies for/and snort http://www.whitehats.com/ids/index.html
[ ]'s bacano
----- Original Message -----
From: "Thomas Biege" <thomas@suse.de>
To: "Stefan Hoffmeister" <suse.mailinglist@econos.de>
Cc: <suse-security@suse.com>
Sent: Thursday, January 04, 2001 11:48 AM
Subject: Re: [suse-security] Intrusion detection?
On Fri, 5 Jan 2001, Sebastian Krahmer wrote:
On Thu, 4 Jan 2001, bacano wrote:
Pakemon http://www.inas.mag.keio.ac.jp/ids/pakemon/index.html
Abacus Project http://www.psionic.com/abacus/
eye on exec http://www.cs.uni-potsdam.de/homepages/students/linuxer/ok.html

Eh, wow, ... I forgot. Yes, that's a good idea, coz it's from me :> Next holiday I hopefully find time to port it to some other BSDs. Also extension of the weak-path concept would be cool. I'd appreciate help of experienced programmers who could write detection scripts on top of this driver.
check out CLIPS (http://www.ghgcorp.com/clips/CLIPS.html) *g* and not to forget Emerald's P-BEST expert system. SRI assembled a good knowledge base, but Emerald isn't open source and it's limited to Solaris.

nevertheless, host-based IDS contain more parts than just a syscall logger. syscall logging is a good source of information, but w/o databases, analysis agents and countermeasure agents, good scalability etc. it's useless in a production environment. A serious IDS is very complex. So, as I stated before: All non-commercial IDS I know _suck_!

Bye, Thomas
Thomas,

Can you advise us an IDS that doesn't suck? I just use Linux at home so I'll probably keep using many things that suck, at least to try to learn how they suck, but others may need to know other IDS apps, for corporate use.
http://website.lineone.net/~offthecuff/HIDS.htm (http://www.networkintrusion.co.uk)

btw ... also much commercial stuff sucks, in this case vulnerability scanners: http://www.nwc.com/1201/1201f1b1.html

[ ]'s bacano

----- Original Message -----
From: "Thomas Biege" <thomas@suse.de>
To: "Sebastian Krahmer" <krahmer@suse.de>
Cc: "bacano" <bacano@esoterica.pt>; <suse-security@suse.com>
Sent: Friday, January 05, 2001 5:24 PM
Subject: Re: [suse-security] Intrusion detection?
Thomas,

Can you advise us an IDS that doesn't suck? I just use Linux at home so I'll probably keep using many things that suck, at least to try to learn how they suck, but others may need to know other IDS apps, for corporate use.
http://website.lineone.net/~offthecuff/HIDS.htm (http://www.networkintrusion.co.uk)
www.snort.org
www.whitehats.com

snort sucks up packets, whitehats provides the IDS signatures.

Kurt Seifried, seifried@securityportal.com
Securityportal - your focal point for security on the 'net
On Sat, 6 Jan 2001, Kurt Seifried wrote:

hi,
Thomas,

Can you advise us an IDS that doesn't suck? I just use Linux at home so I'll probably keep using many things that suck, at least to try to learn how they suck, but others may need to know other IDS apps, for corporate use.
http://website.lineone.net/~offthecuff/HIDS.htm (http://www.networkintrusion.co.uk)
www.snort.org www.whitehats.com
snort sucks up packets, whitehats provides the IDS signatures.
Kurt Seifried, seifried@securityportal.com
Securityportal - your focal point for security on the 'net

IDS are just additional tools which should be installed. In doubt, I won't trust its messages, I'd just use it to detect kiddies' portscans.
Sebastian
On Sat, 6 Jan 2001, bacano wrote:
Thomas,
Hi,
Can you advise us an IDS that doesn't suck?
First you have to answer yourself some questions:

What do I want to protect?
What attacks (insider, outsider) do I want to detect?
How many machines do I want to protect?
How much money do I want to spend?

Ok. If it's your home network, then I would advise you to use a packetfilter + Snort + a file integrity checker (don't use tripwire, because it's old code) + C(rypted)F(ile)S(ystem) (if needed)

Snort is well maintained, so it will become better and better in (relatively) short time intervals.

At my home network, I have an OpenBSD Router, which has one interface connected to my internal network and another one connected to a DMZ. The Router uses IPFilter for filtering and Snort as NIDS. Snort just listens to the internal interfaces, because I don't want to be alarmed by every stupid attack that ipf is able to block. :-)

The DMZ hosts a Proxy server (stripped down SuSE 7.0) and a Honeypot for detecting and studying attacks. (And an RS/6000, as development machine, but that doesn't matter.) ;)

If you are looking for an IDS for your company, then I would advise you to the following book:

Proctor; The practical Intrusion Detection Handbook; Prentice Hall

It describes the basics of IDS, shows the pros and cons of the different IDS architectures/philosophies, and has a chapter just for describing commercial IDS. There are two other IDS books, that I have listed in my 'Book Review' table at my home page (www.suse.de/~thomas)

Bye, Thomas
(don't use tripwire, because it's old code) + C(rypted)F(ile)S(ystem) (if needed)
Nothing inherently wrong with old code (except that 99 times out of 100 it has security flaws =(, and tripwire is being actively maintained, tripwire.com and tripwire.org; Red Hat 7.0 ships with a modern version of Tripwire (hint =).
Snort is well maintained, so it will become better and better in (relatively) short time intervals.
Yup. I know people on it, they are smart. SANS is moving a lot of their curriculum and books from covering shadow (made by US navy, was quite good) to snort (which is kicking ass).
At my home network, I have an OpenBSD Router, which has one
Gasp. I am shocked (I should write the headline "Suse sekurity guru sez OpenBSD is da bomb" (it's a joke, for readers that are humour impaired ;).
If you are looking for an IDS for your company, then I would advise you to the following book: Proctor; The practical Intrusion Detection Handbook; Prentice Hall
Another good one is:

Network Intrusion Detection. An Analyst's Handbook. ISBN 0-7357-1008-2

We also have a mega IDS comparison article coming soon on SecurityPortal.
There are two other IDS books, that I have listed in my 'Book Review' table at my home page (www.suse.de/~thomas)
Hmm yeah you only gave the above title 3 stars? BTW that wasn't my orgasmatron (belonged to someone else, honest).
Bye, Thomas
-Kurt (who should be asleep but isn't).
At my home network, I have an OpenBSD Router, which has one
Gasp. I am shocked (I should write the headline "Suse sekurity guru sez OpenBSD is da bomb" (it's a joke, for readers that are humour impaired ;).
:-) It's a 486 with 24 MB RAM. Much too little power for modern Linux distributions. And I dislike the Linux packetfilter code, I prefer ipfilter.
If you are looking for an IDS for your company, then I would advise you to the following book: Proctor; The practical Intrusion Detection Handbook; Prentice Hall
Another good one is: Network Intrusion Detection. An Analyst's Handbook. ISBN - 0-7357-1008-2
I really dislike this book. It's a waste of time.
There are two other IDS books, that I have listed in my 'Book Review' table at my home page (www.suse.de/~thomas)
Hmm yeah you only gave the above title 3 stars?
Jupp. This book has no real and needful information about today's IDS research or IDS products. I'm sad about every euro I paid for that book. Maybe I'll use it for cleaning the cage of my girlfriend's guinea pigs. ;-)
BTW that wasn't my orgasmatron (belonged to someone else, honest).
Oh, I always thought it was yours. ;-)

Bye, Thomas
On another IDS topic, remember that if you put it in front of your firewall it will detect attack attempts; on the inside those are intrusions (it's time to deal with it NOW).
Hmm yeah you only gave the above title 3 stars?
Jupp. This book has no real and needful information about today's IDS research or IDS products. I'm sad about every euro I paid for that book. Maybe I'll use it for cleaning the cage of my girlfriend's guinea pigs. ;-)
It covers a lot of basic theory which is good (like what IDS's can and cannot do, what they suck at, etc.). Books that cover specific technologies are almost always outdated 6 months before they even get published :P.
BTW that wasn't my orgasmatron (belonged to someone else, honest).
Oh, I always thought it was your's. ;-)
Even if it was there is no way you can prove it. Not that I'm saying it is mine. Because it isn't. nosireee, not mine.
Bye, Thomas
-Kurt
Hmm yeah you only gave the above title 3 stars?
Jupp. This book has no real and needful information about today's IDS research or IDS products. I'm sad about every euro I paid for that book. Maybe I'll use it for cleaning the cage of my girlfriend's guinea pigs. ;-)
It covers a lot of basic theory which is good (like what IDS's can and cannot do, what they suck at, etc.).
His book doesn't tell me anything new. And it was the first book I bought about the IDS issue.
Books that cover specific technologies are almost always outdated 6 months before they even get published :P.
Not really. IDS research is old. And a lot of analysis techniques that were used in the early 80's are still useful today. A good overview about (nearly) all techniques is described in:

Rebecca Bace; Intrusion Detection; MTP

That's a _really_ good book. And Ms. Bace has a better background than Mr. Northcutt. (But maybe he's a better cook, I don't know. *g*)

Nevertheless, IDS is a very complex and wide ranged research area, it's hard to stay up to date. So, it's essential to have a good starting point, which couldn't be a book like the one of Northcutt.

Bye, Thomas
On Mon, 8 Jan 2001 12:48:40 +0100 (CET), you wrote:
(don't use tripwire, because it's old code) + C(rypted)F(ile)S(ystem)
Ummm, some nice utils are old code too and continue being used. Why don't you like Tripwire? Which is your recommended choice then?

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
** RoMaN SoFt / LLFB **
roman@madrid.com
http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On Mon, 8 Jan 2001, RoMaN SoFt / LLFB!! wrote:
On Mon, 8 Jan 2001 12:48:40 +0100 (CET), you wrote:
(don't use tripwire, because it's old code) + C(rypted)F(ile)S(ystem)
Ummm, some nice utils are old code too and continue being used. Why don't you like Tripwire?
the old tripwire code isn't maintained, so it may be full of bugs.
Which is your recommended choice then?
Hm, I don't know, because I don't use one. I think other people on this list could help you. But it's wise not to check /home, /var/tmp and /tmp and alike, to reduce the possibility of negative interactions w/ malicious filenames.

Bye, Thomas
Ummm, some nice utils are old code too and continue being used. Why don't you like Tripwire?
the old tripwire code isn't maintained, so it may be full of bugs.
The original tripwire code is essentially dead, yes. There is current code however at tripwire.com and tripwire.org, which redhat ships in 7.0. Nothing wrong with it.

-Kurt
At 12:39 PM 1/4/01 +0100, Stefan Hoffmeister wrote:
Hi,
what are the recommended tools to add to a (dial-up) NAT gateway to detect attacks on that gateway?
I am not (yet :->) looking for tools how to detect things after the deed is done, but for some kind of an early warning system (and I am not particularly interested in reading the raw logs emitted by ipchains).
well you can try lids (www.lids.org), it's a patch in the kernel which can make your linux more secure and has a built-in scanner detector.
On Thu, 4 Jan 2001, Stefan Hoffmeister wrote:
Hi,
what are the recommended tools to add to a (dial-up) NAT gateway to detect attacks on that gateway?
I am not (yet :->) looking for tools how to detect things after the deed is done, but for some kind of an early warning system (and I am not particularly interested in reading the raw logs emitted by ipchains).
lists a couple of things, but this seems to be just an *unreviewed* long list of tools, with rather unknown quality.
TIA Stefan
hi,

At first I'd recommend to let the firewall log bogus packets. Maybe you also want to install an IDS which reports scans, overflow attempts etc. in a more human readable form. On www.snort.org there is a free one available. But, don't trust it when it says nothing. During analysis of such systems in-lab we realized that some of them can be bypassed. Thus, don't run an IDS alone. Always run a firewall and enable ip_always_defrag in the kernel :)

bye, Sebastian
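Sebastian's suggestion worked through as an added example (my own code, not from the thread): let the packet filter log what it blocks, then condense that log into a few alerts instead of reading it raw. The sample lines are constructed in the field layout of kernel 2.2 ipchains "Packet log:" lines as assumed here; the port-count window and the fragment check are my own thresholds, not anything the thread specifies.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog excerpt; assumed ipchains layout: chain target iface PROTO= src:sport dst:dport L= S= I= F= T= [SYN] (#rule)
SAMPLE_LOG = """\
Jan  4 12:39:01 gw kernel: Packet log: input DENY ppp0 PROTO=6 10.0.0.9:3001 192.0.2.1:21 L=60 S=0x00 I=1 F=0x4000 T=48 SYN (#3)
Jan  4 12:39:01 gw kernel: Packet log: input DENY ppp0 PROTO=6 10.0.0.9:3002 192.0.2.1:22 L=60 S=0x00 I=2 F=0x4000 T=48 SYN (#3)
Jan  4 12:39:02 gw kernel: Packet log: input DENY ppp0 PROTO=6 10.0.0.9:3003 192.0.2.1:23 L=60 S=0x00 I=3 F=0x4000 T=48 SYN (#3)
Jan  4 12:39:02 gw kernel: Packet log: input DENY ppp0 PROTO=6 10.0.0.9:3004 192.0.2.1:25 L=60 S=0x00 I=4 F=0x4000 T=48 SYN (#3)
Jan  4 12:39:03 gw kernel: Packet log: input DENY ppp0 PROTO=6 10.0.0.9:3005 192.0.2.1:80 L=60 S=0x00 I=5 F=0x4000 T=48 SYN (#3)
Jan  4 12:39:04 gw kernel: Packet log: input DENY ppp0 PROTO=6 10.0.0.9:3006 192.0.2.1:110 L=60 S=0x00 I=6 F=0x4000 T=48 SYN (#3)
Jan  4 12:41:10 gw kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.7:2049 192.0.2.1:113 L=60 S=0x00 I=7 F=0x4000 T=55 SYN (#3)
Jan  4 12:42:30 gw kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.5:65535 192.0.2.1:65535 L=48 S=0x00 I=8 F=0x0010 T=60 (#4)
"""
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9a-fA-F]+ I=\d+ F=0x(?P<frag>[0-9a-fA-F]+) T=\d+"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)$"
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not an ipchains packet log line
    rec = m.groupdict()
    # Syslog timestamps carry no year; only differences between them are used.
    rec["when"] = datetime.strptime(re.sub(r"\s+", " ", rec["ts"]), "%b %d %H:%M:%S")
    for k in ("proto", "sport", "dport", "rule"):
        rec[k] = int(rec[k])
    # F= is the IP fragment flags/offset word; a non-zero offset (8-byte units)
    # means a non-initial fragment, which the filter judged without a transport header.
    rec["frag_offset"] = int(rec["frag"], 16) & 0x1FFF
    return rec


def early_warning(lines, window=60, min_ports=5):
    """Condense blocked packets into alerts: sources hitting at least min_ports
    distinct TCP/UDP ports within `window` seconds, and non-initial fragments."""
    hits, alerts = defaultdict(list), []
    for rec in filter(None, map(parse_line, lines)):
        if rec["target"] not in ("DENY", "REJECT"):
            continue
        if rec["frag_offset"]:
            alerts.append("%s sent a non-initial fragment to %s (offset %d bytes)"
                          % (rec["src"], rec["dst"], rec["frag_offset"] * 8))
        elif rec["proto"] in (6, 17):
            hits[rec["src"]].append((rec["when"], rec["dport"]))
    for src, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            ports = sorted({p for t, p in seen[i:] if (t - start).total_seconds() <= window})
            if len(ports) >= min_ports:
                alerts.append("%s probed %d ports (%s) within %ds: possible port scan"
                              % (src, len(ports), ", ".join(map(str, ports)), window))
                break
    return sorted(alerts)
```

On the sample, the single blocked ident probe from 198.51.100.7 produces nothing, while the six-port sweep and the stray fragment each become one line.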