Intrusion detection, integrity checks: IDS, NIDS, HIDS, Antivirus, software

Hi, I found this reference information for people who want to get rich knowledge about sysadmin. (Part 3)

Part1 - Basics, important sites, HOWTO's, handbooks, hardening, tips
Part2 - Netfilter, firewall, Iptables, Ipchains, DoS, DDoS
Part3 - Intrusion detection, integrity checks: IDS, NIDS, HIDS, Antivirus, software
Part4 - Chroot, chrooting, jailing, compartmentalization
Part5 - Forensics, recovery, undelete
Part6 - Securing networked services

Part3 - Intrusion detection, integrity checks: IDS, NIDS, HIDS, Antivirus, software

Note: vulnerability checking: CIS, SATAN, COPS, Tiger

FAQ: Network Intrusion Detection Systems:
Sniffin' the Ether v2.0:
Lotek sniffing docs:
Defeating Sniffers and Intrusion Detection Systems, Phrack,

The IDS acronym game:

IDS: Intrusion Detection System refers to an application able to examine traffic for attributes and properties that mark "benign", suspicious, restricted, forbidden or outright hostile activities.

NIDS: Network IDS refers to Intrusion Detection, like running "sensors" on various sentry or sniffer hosts while logging and/or log processing and alerting is done on a central host (many-to-one topology).
NIDS examples are:
OSSIM (Snort+Acid+mrtg+NTOP+OpenNMS+nmap+nessus+rrdtool):
Panoptis (DoS, DDoS only):
Some commercial/non OSS examples: Demarc PureSecure, Cisco Secure IDS (NetRanger), ISS Real Secure, Axent Net Prowler, Recourse ManHunt, NFR Flight Recorder, NAI CyberCop Network, Enterasys Dragon and Okena Stormfront/Stormwatch.
Snort also is available commercially these days.

HIDS: Host-based IDS. The HIDS acronym itself is subject to flamewars.
IDS examples are Snort, Shoki, Prelude, Defenseworx, Pakemon, Firestorm and Panoptis (DoS, DDoS only).

IPS: Intrusion Protection System. Passive or active (learning, like the heuristics stuff?) enforcement of rules at the application, system or access level. I suppose we're looking at stuff like Grsecurity, Solar Designer's Openwall, LIDS, LOMAC, RSBAC, Linux trustees, Linux Extended Attributes or Systrace here.
Commercial/non OSS examples: Entercept, ISS RealSecure, Axent Intruder Alert Manager, Enterasys' Dragon, Tripwire, Okena and CA's eTrust.

Intrusion Detection Systems: An Introduction:
Intrusion Detection FAQ (SANS, handling ID in general):
Basic File Integrity Checking (with Aide): (IDS, NIDS, File Integrity Checkers)

Snort basics:
Using Snort as an IDS and Network Monitor in Linux (SANS, PDF file):
Snort: IDS Installation with Mandrake 8.2, Snort, Webmin, Roxen Webserver, ACID, mysql:
ArachNIDS (Snort/Dragon/Defenseworx/Pakemon/Shoki rule, research and info library):
Intrusion Detection and Network Auditing on the Internet:
Snort Stealth Sniffer: Paranoid Penguin: Stealthful Sniffing, Intrusion Detection and Logging:

Dropping Packets with Snort:
Why not to use Snort's "flexresp":
Guardian: see the Snort tarball, in the contrib dir.

Snort GUI's, management, log reporting and analysis:
Snort Unified Logging: Barnyard: (Sourceforge)
Snort Unified Logging: Logtopcap
Snort Unified Logging: Mudpit
Analysis Console for Intrusion Databases (ACID):
HOWTO Build Snort with ACID:
SPADE, Snortsnarf:
Enabling Automated Detection of Security Events that affect Multiple Administrative Domains:
Demarc (commercial):
Oinkmaster (rulemanagement):
Snort alert mailer (C or .pe?r?l?):
Pig Sentry:
IDS Policy Manager Version (W32):
Snort_stat: /var/log/snort/alert | /usr/lib/sendmail
Swatch: ./swatch -c /root/.swatchrc --input-record-separator="\n\n" --read-pipe="tail -f /var/log/snort/alert" --daemon
Swatch + Hogtail.
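The Swatch command above sets a blank line as the record separator because Snort's "full" alert log writes one multi-line record per alert. As an added example (not from the original post and not Snort project code), here is a small Python parser for that record layout that pulls out the signature id, message, priority and endpoints and tallies alerts per signature and per source address, the kind of summary the reporting tools listed above produce. The alert text embedded in it is constructed sample input, not captured traffic; the layout follows Snort's classic alert_full output and the address regex assumes IPv4 endpoints.

```python
import re
from collections import Counter

# Constructed sample input in Snort's classic "full" alert format (not real
# traffic; addresses are from the RFC 5737 documentation ranges).
SAMPLE_ALERTS = """\
[**] [1:1000001:1] CONSTRUCTED example web probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/21-14:32:10.123456 192.0.2.10:4444 -> 198.51.100.7:80
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:60 DF
******S* Seq: 0x0 Ack: 0x0 Win: 0x2000 TcpLen: 40

[**] [1:1000001:1] CONSTRUCTED example web probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/21-14:32:11.000001 192.0.2.10:4445 -> 198.51.100.7:80
TCP TTL:64 TOS:0x0 ID:12346 IpLen:20 DgmLen:60 DF
******S* Seq: 0x0 Ack: 0x0 Win: 0x2000 TcpLen: 40

[**] [1:1000002:3] CONSTRUCTED example ICMP sweep [**]
[Classification: Misc activity] [Priority: 3]
03/21-14:32:12.500000 203.0.113.5 -> 198.51.100.7
ICMP TTL:128 TOS:0x0 ID:777 IpLen:20 DgmLen:28
Type:8  Code:0  ID:1  Seq:1  ECHO
"""

# "[**] [gid:sid:rev] message [**]"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
# "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]" (IPv4 only; IPv6 would need
# a smarter split because of the colons inside the address)
ADDR_RE = re.compile(r"^(\S+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")


def parse_alerts(text):
    """Split the alert file into blank-line separated records (the reason for
    Swatch's "\\n\\n" record separator) and extract the triage fields."""
    alerts = []
    for record in re.split(r"\n[ \t]*\n", text.strip()):
        lines = record.splitlines()
        if len(lines) < 3:
            continue
        head = HEADER_RE.match(lines[0])
        addr = ADDR_RE.match(lines[2])
        if not head or not addr:
            continue  # not a full-format alert record; skip rather than guess
        prio = PRIORITY_RE.search(lines[1])
        alerts.append({
            "gid": int(head.group(1)),
            "sid": int(head.group(2)),
            "rev": int(head.group(3)),
            "msg": head.group(4),
            "priority": int(prio.group(1)) if prio else None,
            "timestamp": addr.group(1),
            "src": addr.group(2),
            "sport": int(addr.group(3)) if addr.group(3) else None,
            "dst": addr.group(4),
            "dport": int(addr.group(5)) if addr.group(5) else None,
        })
    return alerts


def summarize(alerts):
    """Tally alerts per signature and per source address."""
    by_signature = Counter((a["sid"], a["msg"]) for a in alerts)
    by_source = Counter(a["src"] for a in alerts)
    return by_signature, by_source


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    by_sig, by_src = summarize(parsed)
    print("Alerts by signature:")
    for (sid, msg), n in by_sig.most_common():
        print(f"  {n:4d}  sid {sid}: {msg}")
    print("Alerts by source:")
    for src, n in by_src.most_common():
        print(f"  {n:4d}  {src}")
```

Run it against a real /var/log/snort/alert by reading the file into parse_alerts(); records that do not match the full format (for instance a truncated record at the end of a rotated file) are skipped rather than misparsed.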

Snort vs Abacus Portsentry:
Snort and PortSentry compared:

Comparison of IDSs ( NFR NID, Snort, INBOUNDS, SHADOW, Dragon, Tripwire):

Snort help, mailinglist (archives), honeypots:
Snort: database support FAQ:
Snort mailinglists, Aims:
Snort IDS forum at
Baby steps with a honeypot:
Honeypot & Intrusion Detection Resources:
The TCP Flags Playground (Mailinglist, Neohapsis):

Snort + 802.11 aka Wireless:

Sniffing (network wiretap, sniffer) FAQ:
Apps, network monitoring (index):

An Analysis of a Compromised Honeypot (Snort+Ethereal):
To add: Firestorm NIDS, Barnyard, Mudpit, Snort GUI's, add-ons etc etc.

Snort on two interfaces, solution one: "-i bond0".
Valid-for: running one Snort instance, multiple promiscuous mode interfaces except the mgmnt one.
Caveat: none
See-also: Documentation/networking/bonding.txt
Do once: "echo alias bond0 bonding >>/etc/modules.conf"
At boot: "ifconfig bond0 up; ifenslave bond0 eth0; ifenslave bond0 eth1"
At boot: start Snort with interface arg "-i bond0"

Snort on two interfaces, solution two: "-i any"
Valid-for: running one Snort instance, all interfaces.
Caveat: you lose promiscuous mode.
At boot: start Snort with interface arg "-i any" and a BPF filter to stop it from logging the loopback device.
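Both setups above as one boot-time script. This is an added example, not from the original post: the snort.conf path, the log directory and the -D daemon flag are assumptions, ifconfig/ifenslave are the tools the text itself uses, and the DRY_RUN switch exists only so the generated commands can be reviewed before running them as root.

```shell
#!/bin/sh
# Added example, not from the original post: a boot-time helper implementing
# the two multi-interface Snort setups above. Paths, the config location and
# the daemon flags are assumptions; ifconfig/ifenslave are the tools the
# text uses, so they are kept here.
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
SNORT_LOGDIR=${SNORT_LOGDIR:-/var/log/snort}
DRY_RUN=${DRY_RUN:-0}    # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# "Do once" step of solution one: make the kernel autoload the bonding driver
# for bond0. Idempotent, so it is safe to call at every boot.
bond_alias_once() {
    grep -qs '^alias bond0 bonding' /etc/modules.conf ||
        run sh -c 'echo alias bond0 bonding >>/etc/modules.conf'
}

# Solution one: bring up the bond, enslave the sniffing NICs (never the
# management NIC), then run one Snort instance on the bond in promiscuous mode.
# Usage: snort_on_bond bond0 eth0 eth1
snort_on_bond() {
    bond=$1
    shift
    run ifconfig "$bond" up
    for slave in "$@"; do
        run ifenslave "$bond" "$slave"
    done
    run snort -D -c "$SNORT_CONF" -l "$SNORT_LOGDIR" -i "$bond"
}

# Solution two: the "any" pseudo-interface sees every NIC but is not
# promiscuous. The trailing BPF expression keeps loopback traffic out of the
# logs, which is the filter the text calls for.
snort_on_any() {
    run snort -D -c "$SNORT_CONF" -l "$SNORT_LOGDIR" -i any not net 127.0.0.0/8
}

case ${1:-} in
    bond) shift; bond_alias_once; snort_on_bond "$@" ;;
    any)  snort_on_any ;;
esac
```

Call it as `snort-ifaces.sh bond bond0 eth0 eth1` or `snort-ifaces.sh any` from your init scripts; `DRY_RUN=1 snort-ifaces.sh bond bond0 eth0 eth1` shows what would be executed.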

File Integrity Detection Systems:
Checking a filesystem's contents against one or more checksums to determine whether a file (remember that essentially everything is a file on a Linux FS) has been changed.
Examples are:
Aide: (for remote mgmnt see also ICU or RFC which handles Aide, Integrit and Afick)
Samhain: (for remote mgmnt see docs)
Tripwire (for remote mgmnt see FICC:
Chkrootkit (not only Linux):
Rootkit Hunter (not only Linux):

Commercial/non OSS examples: Versioner, GFI LANguard System Integrity Monitor, Ionx's Data Sentinel, Tripwire for Servers and Pedestal Software Intact.
File Integrity (SecurityFocus, tools list):
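To show what the tools above actually do, here is an added example (not from the original post and not code from Aide, Samhain or Tripwire) of a minimal baseline-and-compare integrity checker in Python. It records a SHA-256 of every regular file plus mode, owner, size and mtime, stores that as JSON, and reports added, removed and changed entries with the attributes that differ. The demo scenario is constructed: a tree is baselined, then a "binary" is swapped for a same-size version with its mtime put back, which is exactly the case where the content hash, not the timestamp, is what catches the change.

```python
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Attributes to compare for one filesystem entry (no symlink following).
    Content hash for regular files, link target for symlinks."""
    st = os.lstat(path)
    rec = {
        "mode": st.st_mode,      # type bits plus permissions, catches suid/sgid
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def build_baseline(root):
    """Walk the tree and record every entry keyed by its path relative to root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = file_record(full)
    return db


def save_baseline(db, path):
    # Keep a copy of this file off the monitored host, as the text advises:
    # a baseline the intruder can rewrite proves nothing.
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return (added, removed, changed); changed maps path -> attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for p in sorted(set(baseline) & set(current)):
        keys = set(baseline[p]) | set(current[p])
        diff = sorted(k for k in keys if baseline[p].get(k) != current[p].get(k))
        if diff:
            changed[p] = diff
    return added, removed, changed


def demo():
    """Constructed scenario: baseline a small tree, then simulate an intruder
    who replaces a binary with a same-size version and resets its mtime."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        ls = os.path.join(root, "bin", "ls")
        with open(ls, "w") as f:
            f.write('#!/bin/sh\nexec /bin/ls "$@"\n')      # stand-in for a binary
        with open(os.path.join(root, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root)

        before = os.stat(ls)
        with open(ls, "w") as f:
            f.write('#!/bin/sh\nexec /bin/sl "$@"\n')      # same length, different bytes
        os.utime(ls, (before.st_atime, before.st_mtime))  # hide the edit from ls -l
        with open(os.path.join(root, "unknown.so"), "w") as f:
            f.write("x")
        os.remove(os.path.join(root, "passwd"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:", added)
    print("removed:", removed)
    for p, attrs in changed.items():
        print(f"changed: {p} ({', '.join(attrs)})")
```

For real use, build_baseline() over /bin, /sbin, /lib and /etc right after install, save_baseline() to read-only or off-host storage, and run compare() from cron; anything the real tools add on top (ignore rules for logs, signed databases, mail reports) is refinement of this same loop.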

Viruses on Linux/GNU,

Sendmail, Tcpdump, OpenSSH, TCP Wrappers, Aide and some other projects have suffered from people succeeding in injecting malicious code into them; of those, only Sendmail and OpenSSH were hit at the main servers, the rest were mirrors AFAIK. Even though all the apps mentioned are safe to use, and the differences were noticed soon, the real problem is that you I. have to have the knowledge to read code, and II. the discipline to read the code each time and question any diffs, or III. have minimal "protection" in place to cope with things like rogue compiled apps "phoning home". Which in essence means that, to end users, any SW provided w/o means to verify the integrity of the code and the package should be treated with care, instead of accepted w/o question.

As for the "virus" thingie, I wish we, as a Linux community, would try to "convert" people away from the typical troubles of Pitiful Operating Systems (abbrev.: POS, aka the MICROS~1 Game Platform) and direct them towards what's important to know wrt Linux: user/filesystem permissions, b0rken/suid/sgid software, worms, trojans and rootkits.

Basic measures should be:
- Using (demanding) source verification through GPG or minimally md5sums,
- Watch system integrity (Aide, Samhain, Tripwire or any package mgr that can do verification: save those databases off-site, also see Tiger, Chkrootkit),
- Harden your systems by not installing SW you don't need *now*, denying access where not needed and using tools like Bastille-linux, tips from Astaro,
- Patch kernel to protect looking at/writing to crucial /proc and /dev entries and/or use ACL's (see Silvio Cesare's site, Grsecurity, LIDS),
- Watch general/distro security bulletins and don't delay taking action (Slapper, Li0n etc),
- Keep an eye on outgoing traffic (egress logging and filtering),
- Don't compile apps as root but as a non-privileged user,
- Inspect the code if you can,
- Don't use Linux warez,
But most of all: use common sense.
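The first item in the list, checking downloaded sources against published checksums, as an added example (not from the original post): a Python verifier for the coreutils-style MD5SUMS/SHA256SUMS files most projects publish. It auto-detects the algorithm from the digest length, handles the `*binary` marker, and reports OK/FAILED/MISSING per file. The demo scenario is constructed: sums are computed as the upstream author would publish them, then one file is altered "on the mirror" and one is absent.

```python
import hashlib
import hmac
import os
import tempfile

# Digest length in hex characters -> hashlib name; this is how the checker
# tells an MD5SUMS file from a SHA256SUMS file without being told.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX = set("0123456789abcdef")


def parse_sums(text):
    """Parse coreutils-style '<digest>  <name>' / '<digest> *<name>' lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: malformed entry")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        algo = ALGO_BY_HEXLEN.get(len(digest))
        if algo is None or not set(digest) <= HEX:
            raise ValueError(f"line {lineno}: unrecognised digest {parts[0]!r}")
        entries.append((algo, digest, name))
    return entries


def digest_file(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(sums_text, base_dir):
    """Check every listed file; returns name -> 'OK' | 'FAILED' | 'MISSING'."""
    results = {}
    for algo, expected, name in parse_sums(sums_text):
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = digest_file(path, algo)
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return results


def demo():
    """Constructed scenario: the author publishes sums for three tarballs, the
    mirror then serves an altered copy of one and does not have the third."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "foo-1.0.tar.gz")
        bad = os.path.join(d, "bar-2.1.tar.gz")
        with open(good, "wb") as f:
            f.write(b"constructed tarball bytes for foo\n")
        with open(bad, "wb") as f:
            f.write(b"constructed tarball bytes for bar\n")
        # Sums as the upstream author would publish them (mixed algorithms,
        # placeholder digest for the absent file).
        sums = (
            f"{digest_file(good, 'sha256')}  foo-1.0.tar.gz\n"
            f"{digest_file(bad, 'md5')} *bar-2.1.tar.gz\n"
            f"{'0' * 64}  baz-3.0.tar.gz\n"
        )
        # The mirror's copy of bar has been altered after the sums were made.
        with open(bad, "ab") as f:
            f.write(b"# appended by someone who should not have\n")
        return verify(sums, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8s} {name}")
```

A sums file fetched from the same mirror as the tarball only proves the two match each other; for the check to say anything about origin, the sums file (or the tarball) has to be verified against a signature from the author's key, which is the GPG half of the list item above.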

*If you're still not satisfied that you've covered it all, you could arm yourself with knowledge of forensics stuff like UML, chrooting, disassembly and honeypots.

If you want to find Antivirus software, Google the net for Central Command, Sophos, Mcafee, Kaspersky, H+BEDV, Frisk, RAV, Clam, Amavis, Spam Assassin, Renattach, Ripmime, Milter or Inflex.
- AV SW is only as good as its signatures/heuristics. Some vendors don't update their Linux sig db's very well, or field SW with lacking capabilities. I've tested some (admittedly a long time ago) on my virus/trojan/LRK/malware libs. Bad (IMHO): Frisk's F-Prot (sigs), Clam (sigs), H+BEDV (libc version). Good (IMNSHO): Mcafee's uvscan (best) and RAV (2nd). Please do test yourself.
- AFAIK only KAV (Kaspersky) has a realtime scanner daemon. I'm in limbo about its compatibility with recent kernels though.

Links to check out:
LAVP/Mini-FAQ Linux/Unix AV SW,
NIST (list of AV vendors),

Original Source: