Re: [qubes-users] Intrusion detection daemons in VMs
On 11/04/2016 10:35 AM, Zrubi wrote:
> Another - currently implementable - way is to use a proxy VM (as it
> is currently used as a dnf/yum proxy) and install your desired
> intrusion detection software there. Suricata is a good candidate
> for such a thing: https://suricata-ids.org/
>
> (I would just need more time and more RAM to play with such things
> ;)

And finally now I have enough RAM, and got some time too :)

Here is the result:
http://zrubi.hu/en/2017/traffic-analysis-qubes/

Any comments and/or suggestions are welcome.

--
Zrubi

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0f1b709b-7694-6611-e011-1d2608fb691b%40zrubi.hu.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Intrusion detection daemons in VMs
On 11/03/2016 11:42 PM, miguel.j...@gmail.com wrote:
> Coming out of a discussion in
> https://groups.google.com/forum/#!topic/qubes-users/hs2yapPlUVA
>
> I am interested, does anyone run intrusion detection tools within their VMs?

Intrusion/virus detection inside the affected VM does not really make sense.

However, newer Xen versions have a nice feature:
https://wiki.xenproject.org/wiki/Virtual_Machine_Introspection

And there is already a real project using this feature:
https://drakvuf.com/

That feature would really make sense and would fit into the Qubes philosophy pretty nicely.

Another - currently implementable - way is to use a proxy VM (as it is currently used as a dnf/yum proxy) and install your desired intrusion detection software there. Suricata is a good candidate for such a thing: https://suricata-ids.org/

(I would just need more time and more RAM to play with such things ;)

--
Zrubi
[qubes-users] Intrusion detection daemons in VMs
Coming out of a discussion in https://groups.google.com/forum/#!topic/qubes-users/hs2yapPlUVA

I am interested: does anyone run intrusion detection tools within their VMs?

I use OSSEC [1] extensively elsewhere (on servers), but I am not sure it would work so well in the agent-server model in Qubes. 'local' mode would work, but I would still want to get notifications of events/attacks, even from vaulted VMs that can't send email.

Since the Qubes design suggests we should expect VM compromise, I think it makes sense to have something looking for such a compromise rather than just periodically rebuilding my VMs (as I currently do).

Anyone else looked into a nice solution?

[1] http://ossec.github.io