Aaron S. Joyner wrote:

What would you recommend instead, friendly security Guru? :) (You're not allowed to just leave it hangin' like that... ) :)

So there's signature based IDSs and anomaly based IDSs. Signature based IDSs are only as good as their signatures. Until recently, I used to think this was good enough. I know it sounds awful theoretical, that something might end up on your network that there wasn't a signature for, but I've seen it. I've seen stuff appear on a network that even the virus vendors don't have signatures for. Anomaly (behavior) based IDSs don't require your signatures to be up to date. They detect bad behavior, an email program attempting to invoke a shell, for instance. Of course, that usually requires the software to be running on a host.
Now, the problem with anomaly based IDSs is they have to learn, they have to be trained. A signature based IDS can be immediately effective. You put one into place and it'll start doing its thing. And if you do keep them up to date, they'll do a pretty good job. But you must be careful, put the wrong signature in place and you get a lot of false positives. Worse, you get a lot of false negatives, while feeling that you've somehow improved your security.

Unfortunately, I'm not aware of any free or open source anomaly based IDSs. But don't go the signature based IDS route with closed eyes. They really are only as good as their signatures. You should also keep in mind that they have no history. You cannot install a new signature and ask 'have I seen this behavior before?' My suggestions for open source IDS are threefold: snort, tripwire, and argus. Snort is a very solid IDS with a good community and a wide variety of signatures. Tripwire will act, somewhat, as an anomaly based IDS. It can detect changes in files that a signature based IDS wouldn't catch. And third, argus can sort of act as a network anomaly based IDS. It can be used to look for patterns, it can be used with snort, and it can be used to ask 'after the fact' questions. You can look back in time and see if any of your servers connected, or attempted to connect, to a certain network port, or a certain server. Say you see a list posted of compromised webhosts that are used as a relay for intruders to download additional malware. Combine snort and argus and you can detect if you had a system respond to the intrusion attempt. With argus, you can also look for responses. Check if an incoming response to port 80 is met with a response.

Like all things security, IDS should be done in layers. Don't throw snort out there and think you're done -- you aren't. It's not the be all, end all, and there -is- maintenance. If you don't keep those signatures up to date, you -are- done.

Bad security is worse than no security.

Mike
--
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
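The 'after the fact' questions Mike describes (did any internal host connect, or try to connect, to a listed relay host, and was an inbound attempt on port 80 answered) can be asked of stored flow records. Below is an added example, not from the thread and not argus's own code: it runs over a constructed set of flow records laid out like comma-separated argus `ra` output (the field names and the 10.0.0.0/8 internal range are assumptions).

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Constructed sample, laid out like comma-separated argus "ra" output
# (field names are an assumption, not a verbatim argus format).
SAMPLE_FLOWS = """\
StartTime,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,SrcPkts,DstPkts,State
2004-03-01 10:00:01,tcp,10.0.0.5,51000,->,203.0.113.10,80,4,3,FIN
2004-03-01 10:02:14,tcp,10.0.0.7,51322,->,198.51.100.9,8080,2,0,REQ
2004-03-01 10:05:33,tcp,192.0.2.44,40001,->,10.0.0.5,80,1,0,REQ
2004-03-01 10:06:02,tcp,192.0.2.45,40002,->,10.0.0.8,80,5,4,CON
2004-03-01 10:09:10,udp,10.0.0.5,53001,->,10.0.0.1,53,1,1,CON
"""

INTERNAL = ip_network("10.0.0.0/8")  # assumed address range of our own hosts

def load_flows(text):
    """Parse argus-style CSV flow records into dicts with typed counters."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["SrcPkts"], r["DstPkts"] = int(r["SrcPkts"]), int(r["DstPkts"])
        r["Dport"] = int(r["Dport"])
    return rows

def contacts_to(flows, bad_hosts, port=None):
    """'Did any of our hosts connect, or try to connect, to these hosts?'
    Attempts count too: a REQ with no reply packets is still a contact."""
    hits = []
    for f in flows:
        if ip_address(f["SrcAddr"]) in INTERNAL and f["DstAddr"] in bad_hosts:
            if port is None or f["Dport"] == port:
                hits.append((f["StartTime"], f["SrcAddr"],
                             f["DstAddr"], f["Dport"], f["State"]))
    return hits

def answered_inbound(flows, port):
    """Inbound TCP flows to `port` on an internal host where the destination
    sent packets back, i.e. the attempt was met with a response."""
    return [(f["SrcAddr"], f["DstAddr"]) for f in flows
            if f["Proto"] == "tcp" and f["Dport"] == port
            and ip_address(f["SrcAddr"]) not in INTERNAL
            and ip_address(f["DstAddr"]) in INTERNAL
            and f["DstPkts"] > 0]

if __name__ == "__main__":
    flows = load_flows(SAMPLE_FLOWS)
    print(contacts_to(flows, {"203.0.113.10", "198.51.100.9"}))
    print(answered_inbound(flows, 80))
```

Against the sample, the relay check reports both the completed session from 10.0.0.5 and the unanswered attempt from 10.0.0.7, while the port 80 check reports only the probe that 10.0.0.8 actually answered.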