Re: Advice on using intrusion detection

2020-11-24 Thread Aaron Mason
On Sun, Nov 22, 2020 at 1:14 AM Nick Holland wrote:
>
> On 2020-11-20 17:15, Erik Lauritsen wrote:
> > Is it recommended to run some kind of intrusion detection on an
> > OpenBSD router/firewall?
> >
> > I suspect that any kind of system like Snort or Suricata will give a
> > lot of false positives?
>
> [SNIP]
>
> One thing I have been doing for a while is rsync --link-dest backups of
> systems, both in-house and at various workplaces.  FANTASTIC tool,
> giving incredibly "useful" backups, with relatively low impact and
> resource requirements.  I use a -v on rsync to get verbose backups,
> and log it to a file.
>
> Just recently, I realized these logs are basically a "changed file"
> report, which is a starting point for a file alteration reporting
> tool.  Combine that with a carefully crafted "ignore" file (you
> can do that with a grep -vf ignorefile logfile), and you have an
> interesting file monitoring system.
>

This sounds similar to what I do with logs - something Marcus Ranum
called "artificial ignorance". Using grep, you fill a file with
patterns to remove things you know aren't interesting, and once you
apply it to your logs what remains will absolutely be interesting.  If
anything else uninteresting shows up, update the pattern file to
filter those entries out. I used this method on the logs of my
OpenBSD-based Request Tracker server and found that the reason a
commercial piece of software running on a Hyper-V virtual machine kept
needing to be reactivated was because the server's MAC address would
regularly change if you left it set to Dynamic.  Really, Microsoft?

> The painful part with any such system is crafting the list of what
> to ignore vs. what to panic over.  Everyone wants to tick the
> checkbox that says "We have an intrusion detection system", and
> everyone wants one of two results: "No problem" and "intruder
> detected".  So far, I don't think any tool does that.  An IDS
> without careful human monitoring is just for show (and it's a
> potential security risk of its own), and more likely to be the
> cause of a problem than a solution.  Careful monitoring takes
> time and resources.
>

Problems like "we're only getting 56Mbps from our 1000Mbit fibre
connection". Yes, really. Bypassing the IDS/IPS actually led to better
performance - or at least better numbers on the speed test. You got
some 'splaining to do, Sophos.

> One nifty thing I have found in "rolling my own" is that I found
> a lot of little oddities, no security problems, but things that
> needed fixing.  I'd call that a win.
>

Exactly, it just takes effort.  Something that is in short supply
whether by overwork or laziness.

> Nick.
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Advice on using intrusion detection

2020-11-22 Thread Peter Nicolai Mathias Hansteen



> On 22 Nov 2020 at 02:02, Predrag Punosevac wrote:

> OpenBSD is all about prevention and exploit mitigation. Code simplicity,
> correctness, and code audit are all examples of intrusion prevention
> methods. They don't sound very sexy :-) If you are super new to OpenBSD
> Peter just gave a really nice virtual talk which can be found on the net
> 
> https://home.nuug.no/~peter/openbsd_and_you/#12

Thanks for pointing to that one :)

This OpenBSD Journal (aka undeadly.org) entry has a link to the video and the 
slides: https://undeadly.org/cgi?action=article;sid=20201109055713 


All the best,
Peter


—
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: Advice on using intrusion detection

2020-11-21 Thread Predrag Punosevac
On 2020-11-20 17:15, Erik Lauritsen wrote:
> Is it recommended to run some kind of intrusion detection on an
> OpenBSD router/firewall?
> 

What do you mean by "some kind of intrusion detection" (IDS)? At the
risk of sounding patronizing, I would start by clarifying terminology.
I got confused by Nick's answer, as he started talking about Intrusion
Prevention Systems when you asked about Intrusion Detection Systems.

In layman's terms, Intrusion Prevention Systems are trying to keep the
bad guys out before they get into your system. Intrusion Detection
Systems are postmortem tools. They are useful for detecting that your
system is compromised. Both IPS and IDS can be further roughly divided
into host (file) based systems or network based systems. Some tools are
easier to classify than others. For example, it would seem logical to me
to classify the OpenBSD packet filter (PF) as an example of a network
intrusion prevention system. On the other hand, log file monitoring
could be useful both for preventing but also for detecting intrusion, so
the above classification is really blurry.

OpenBSD is all about prevention and exploit mitigation. Code simplicity,
correctness, and code audit are all examples of intrusion prevention
methods. They don't sound very sexy :-) If you are super new to OpenBSD
Peter just gave a really nice virtual talk which can be found on the net

https://home.nuug.no/~peter/openbsd_and_you/#12


Now going to your original question. What about Intrusion Detection
Systems? While as an OpenBSD user I would like to think that I am a bit
ahead of the guys using more complicated OSs, I am not delusional enough
to assume that my systems can't be compromised. There is a saying that
the OS is as secure as the person who configured it. In spite of using
OpenBSD for almost 15 years now, including at work, I frequently get
amazed by my own incompetence, so I am 100% sure my systems are not super
secure. Therefore (and due to other contractual obligations) I do use
Intrusion Detection Systems.

The concept of IDS can be divided into two classes: Host IDS (HIDS)
and Network IDS (NIDS).

               IDS
              /   \
          HIDS     NIDS
       Host IDS    Network IDS
       inspecting  inspecting
       the host    the network



Host based intrusion detection, HIDS for short. An example would be
Tripwire (not available on OpenBSD) or a free alternative, security/aide.
Even better, OpenBSD comes with the mtree(8) utility. It is dead easy to
turn on HIDS on your OpenBSD firewall. You can also check hack 58 (Use
mtree as a Built-in Tripwire):

https://www.oreilly.com/library/view/bsd-hacks/0596006799/

I would put Nick's rsync hack into this category.

> I suspect that any kind of system like Snort or Suricata will give a
> lot of false positives?

These two fall into the category of Network Based Intrusion Detection
Systems. I would add to that group zeek (formerly known as Bro). 
I do run Suricata and I do run Zeek on OpenBSD. While turning them on is
trivial, getting them to do anything useful (in particular Zeek, which is
more of an infrastructure for building a NIDS) is not for the faint of
heart.

I also run OSSEC on OpenBSD, which is often misclassified as HIDS only.
Configured properly it is actually useful in monitoring all sorts of log
files, including network logs, so it is kind of both HIPS and NIPS. And for
the record, I do recommend running a centralized logging server.

Intrusion Prevention and Intrusion Detection are active research areas,
and I am not talking about a superficial level. It is actual real research
on the cusp of computer science, mathematics, statistics, and a few other
things people commonly refer to these days as artificial intelligence,
machine learning, and statistical data mining.

https://www-users.cs.umn.edu/~lazar027/intrusion_detection.htm

As my expertise is in applied dynamical systems (math-physics) I should
wrap up this email before too much garbage comes out of my mouth. I have
seen people give low-level network system monitoring and intrusion
detection presentations at various BSD conferences.

https://papers.freebsd.org/2017/vbsdcon/shirk-the_state_of_network_security_tools_on_bsd/

https://www.bsdcan.org/2004/papers/sguil.pdf

https://www.ibm.com/developerworks/library/se-intrusion/index.html

I did read a few low-level books on the topic but I have neither a
professional nor a research interest in the topics. Here are two of those:

The Practice of Network Security Monitoring: Understanding Incident
Detection and Response

https://www.amazon.com/Practice-Network-Security-Monitoring-Understanding/dp/1593275099

The Tao of Network Security Monitoring: Beyond Intrusion Detection

https://www.amazon.com/Tao-Network-Security-Monitoring-Intrusion/dp/0321246772

Cheers,
Predrag
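
The mtree(8) built-in tripwire Predrag mentions, as an added example that
is not from the thread or from the BSD Hacks book. The directory tree, the
file contents, the spec path and the simulated edit are constructed for the
demonstration; the mtree flags (-c, -k, -p, -f) are the ones documented in
OpenBSD's mtree(8):

```shell
#!/bin/sh
# Added example (not from the thread or the BSD Hacks book): OpenBSD's
# mtree(8) as a built-in file-integrity checker. The directory tree, file
# contents and the simulated edit are constructed for the demonstration.

set -eu

# Keyword set for the specification. -k replaces mtree's default set
# (which includes time) with "type" plus these; time is left out here so
# the demo shows the digest, not the mtime, catching a same-size edit.
KEYWORDS=mode,uid,gid,size,link,sha256digest

# Write a specification for the tree under $1 to $2. Keep the spec off
# the host (another machine, read-only media): a baseline stored on the
# box being checked is only as trustworthy as that box.
mtree_baseline() {   # $1 = directory, $2 = spec file
    mtree -c -k "$KEYWORDS" -p "$1" > "$2"
}

# Compare the tree under $1 with spec $2. mtree prints one line per
# deviation and exits 2 on a mismatch (1 on error, 0 when clean).
# Returns 0 when clean, 1 otherwise, so a cron job can branch on it.
mtree_verify() {     # $1 = directory, $2 = spec file
    if mtree -f "$2" -p "$1" >/dev/null; then
        return 0
    fi
    return 1
}

demo() {
    root=$(mktemp -d)
    spec="$root.spec"
    mkdir "$root/etc"
    printf 'block in all\npass out\n' > "$root/etc/pf.conf"
    printf 'PermitRootLogin no\n' > "$root/etc/sshd_config"

    mtree_baseline "$root" "$spec"
    if ! mtree_verify "$root" "$spec"; then
        echo "baseline does not verify against itself" >&2
        rm -rf "$root" "$spec"
        return 1
    fi
    echo "baseline: clean"

    # Same byte count as the original line, so size alone will not notice.
    printf 'PermitRootLogin ye\n' > "$root/etc/sshd_config"
    if mtree_verify "$root" "$spec"; then
        echo "tampering NOT detected"
        rm -rf "$root" "$spec"
        return 1
    fi
    echo "tampering detected, mtree report:"
    mtree -f "$spec" -p "$root" || true
    rm -rf "$root" "$spec"
}

if command -v mtree >/dev/null 2>&1; then
    demo
else
    echo "mtree(8) not found; run this on OpenBSD" >&2
fi
```

On a real firewall the spec would cover /etc, /bin, /sbin, /usr and the
other trees that only change on upgrade, and the nightly run would mail
the mtree output rather than echo it. The ignore problem Nick describes
applies here too: files that legitimately change (/etc/resolv.conf on a
DHCP host, /etc/random.seed, anything under /var) need the "ignore"
keyword or must be left out of the spec, or the report is noise by the
second day.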



Re: Advice on using intrusion detection

2020-11-21 Thread Nick Holland
On 2020-11-20 17:15, Erik Lauritsen wrote:
> Is it recommended to run some kind of intrusion detection on an
> OpenBSD router/firewall?
> 
> I suspect that any kind of system like Snort or Suricata will give a
> lot of false positives?

MY philosophy is it is much easier to keep 'em out than to find 'em
once they are in.  And the odds of an intruder popping your firewall's
security is relatively low.  Be far more suspect of things BEHIND your
firewall.

So...my answer to your question is, "no, I wouldn't recommend any kind
of add-on intrusion detection to an OpenBSD Firewall".  The simpler
your firewall, the better.  The only package I put on my firewalls is
rsync for backup purposes.

Application server?  Now that's another story, perhaps.  

One thing I have been doing for a while is rsync --link-dest backups of
systems, both in-house and at various workplaces.  FANTASTIC tool,
giving incredibly "useful" backups, with relatively low impact and
resource requirements.  I use a -v on rsync to get verbose backups,
and log it to a file.

Just recently, I realized these logs are basically a "changed file"
report, which is a starting point for a file alteration reporting
tool.  Combine that with a carefully crafted "ignore" file (you
can do that with a grep -vf ignorefile logfile), and you have an
interesting file monitoring system.

The painful part with any such system is crafting the list of what
to ignore vs. what to panic over.  Everyone wants to tick the
checkbox that says "We have an intrusion detection system", and
everyone wants one of two results: "No problem" and "intruder
detected".  So far, I don't think any tool does that.  An IDS
without careful human monitoring is just for show (and it's a
potential security risk of its own), and more likely to be the
cause of a problem than a solution.  Careful monitoring takes
time and resources.

One nifty thing I have found in "rolling my own" is that I found
a lot of little oddities, no security problems, but things that
needed fixing.  I'd call that a win.

Nick.
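
The change report Nick describes (an rsync -v backup log filtered through
grep -vf ignorefile), which is also Aaron's "artificial ignorance" applied
to a backup log, as an added example that is not part of any message in
this thread. The rsync command, the backup paths and hostname, the sample
log lines and the ignore patterns are all constructed for the demonstration:

```shell
#!/bin/sh
# Added example (not from the thread): turn an rsync -v backup log into a
# report of unexplained changes by filtering known-noise paths with
# grep -vf, the way Nick describes. The backup command, the paths, the
# sample log and the ignore patterns below are all constructed.

set -eu

# How the backup itself is taken (not run here: it needs a real host and
# yesterday's snapshot for --link-dest). Every snapshot is a full tree,
# but unchanged files are hard links into the previous one, so only
# changed files cost space, and -v lists exactly those files.
#
#   rsync -aHv --delete --link-dest=/backup/fw/2020-11-23 \
#       root@fw.example.net:/ /backup/fw/2020-11-24/ \
#       > /backup/fw/2020-11-24.log

# Constructed rsync -v output from one backup run of a firewall.
SAMPLE_LOG=$(mktemp)
IGNORE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$IGNORE_FILE"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
receiving incremental file list
./
var/log/daemon
var/log/messages
var/log/pflog
var/db/host.random
var/cron/tabs/root
etc/pf.conf
etc/ssh/sshd_config
usr/libexec/auth/login_passwd
sent 1,234 bytes  received 56,789 bytes  38,682.00 bytes/sec
total size is 1,987,654,321  speedup is 34,261.01
EOF

# Constructed ignore file, one basic regular expression per line. Anchor
# every pattern: an unanchored "log" would also hide login_passwd under
# /usr/libexec/auth, which is exactly the kind of file an intruder replaces.
cat > "$IGNORE_FILE" <<'EOF'
^receiving incremental file list$
^\./$
^var/log/
^var/db/host\.random$
^var/cron/
^sent [0-9,]* bytes
^total size is
EOF

# Print the log lines that match no ignore pattern. grep -v exits 1 when
# nothing survives; that is the "No problem" result, so treat it as success
# and let any other non-zero status (bad pattern, unreadable file) fail.
change_report() {   # $1 = rsync log, $2 = ignore file
    grep -v -f "$2" "$1" || [ $? -eq 1 ]
}

# Number of surviving lines, the figure a nightly cron job alerts on.
change_count() {    # $1 = rsync log, $2 = ignore file
    change_report "$1" "$2" | wc -l | tr -d ' '
}

main() {
    n=$(change_count "$SAMPLE_LOG" "$IGNORE_FILE")
    if [ "$n" -gt 0 ]; then
        echo "$n unexplained change(s):"
        change_report "$SAMPLE_LOG" "$IGNORE_FILE"
    else
        echo "no unexplained changes"
    fi
}

main
```

With the constructed input the three lines left over are etc/pf.conf,
etc/ssh/sshd_config and usr/libexec/auth/login_passwd, which is what you
want a human to look at. Two caveats worth knowing before trusting this as
a file monitor: the ignore file is the policy, so keep it under version
control and review every pattern that gets added to quiet the report; and
rsync's default quick check decides "changed" by size and mtime, so an
edit that restores both is not listed unless you pay for -c (--checksum),
which reads every file on both sides. Adding -i (--itemize-changes) to the
rsync command makes the log say what changed (content, permissions,
ownership) rather than only that something did.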



Advice on using intrusion detection

2020-11-20 Thread Erik Lauritsen
Is it recommended to run some kind of intrusion detection on an OpenBSD 
router/firewall?

I suspect that any kind of system like Snort or Suricata will give a lot of 
false positives?

Kind regards,
Erik