Host-based IDS look at local system configuration and behaviour, while network-based IDS look at network connections for anomalies and known signatures.
IDS and IPS act as the firewall’s filters. A device has a Control Plane (looks after the OS and the routing table) and a Forwarding Plane (decides whether to route or discard packets). If something happens to the Control Plane, the device will still forward the traffic (really???).
By default an IDS only listens 👂 to the traffic. It’s usually connected to the SPAN port on a switch, looks for anomalies and sends alerts. It won’t take any action by default, but can be configured to. If the IDS is down, nothing changes for the rest of the network; it keeps operating.
An IPS takes actions on its own. It is not connected to the SPAN port but sits inline as a gateway: nothing moves forward until the IPS has inspected a packet and allowed it through. So if the IPS is down, everyone is down (unless there is some load balancing or maybe a policy for such cases). It is positioned right after the router, edge device or firewall.
Uses a mail server to send alerts. So, a mail server also has to be installed. Keeps its logs and configs in
apt-get install tripwire. Answer yes to all questions prompted.
/etc/tripwire/twcfg.txt - is the config file.
twpol.txt - the policy: the list of files to watch, which determines whether critical files have changed.
tw.cfg (and tw.pol) - the files produced by compiling the two above.
twadmin --create-cfgfile --cfgfile tw.cfg.enc --site-keyfile site.key twcfg.txt:
--create-cfgfile - create the config file,
--cfgfile tw.cfg.enc - the file to create,
--site-keyfile site.key - the site key to use,
twcfg.txt - the plain-text config file to compile.
Now, creating a policy:
twadmin --create-polfile --cfgfile tw.cfg.enc --polfile tw.pol.enc --site-keyfile site.key twpol.txt:
--create-polfile - create the policy file,
--cfgfile tw.cfg.enc - the configuration file to use,
--polfile tw.pol.enc - the policy file to create,
--site-keyfile site.key - the site key to use,
twpol.txt - the plain-text policy file to compile.
Initialize the database:
tripwire --init --cfgfile tw.cfg.enc --polfile tw.pol.enc --site-keyfile site.key --local-keyfile local.key
To check the system for any critical files changes:
All these files need to be regenerated every time you change the policy or the configuration, and the database needs to be updated as well.
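To make the init/check cycle above concrete, here is an added Python sketch of what a Tripwire-style integrity checker does; it is not Tripwire's own code and uses a plain JSON file (an assumption of this example) where Tripwire uses a key-signed database. The sample tree and the changes made to it are constructed inside the script.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def fingerprint(path: Path) -> dict:
    """Record the attributes a Tripwire-style policy usually watches for one file."""
    st = path.lstat()
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):  # hash regular files only; links/devices keep an empty hash
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK), b""):
                digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(root: Path) -> dict:
    """Walk the watched tree and fingerprint every file, the equivalent of `tripwire --init`."""
    baseline = {}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            baseline[full.relative_to(root).as_posix()] = fingerprint(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified files, the equivalent of a `tripwire --check` report."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = {
            key: (baseline[rel][key], current[rel][key])
            for key in baseline[rel]
            if baseline[rel][key] != current[rel][key]
        }
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, db_path: Path) -> None:
    # Tripwire signs its database with the local key; this is plain JSON (assumption of the
    # example), so keep it where the monitored host cannot rewrite it (read-only media, another host).
    db_path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(db_path: Path) -> dict:
    return json.loads(db_path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then make the kinds of changes a check must catch."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        root.mkdir()
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        os.chmod(root / "hosts", 0o644)
        (root / "old.conf").write_text("keep=1\n")
        db = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), db)  # the "--init" step

        # Changes after the baseline: a second uid-0 account, a new file, a deleted file,
        # and a permission change with identical content.
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\nnewuser:x:0:0::/:/bin/sh\n")
        (root / "new.conf").write_text("dropped=1\n")
        (root / "old.conf").unlink()
        os.chmod(root / "hosts", 0o666)
        return compare(load_baseline(db), build_baseline(root))  # the "--check" step


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The permission-only change on hosts is the case a hash-only checker misses, which is why mode, owner and group are part of the fingerprint; the same applies to the policy you write in twpol.txt.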
OSSEC does not just do integrity checking (like Tripwire) but also some additional checking: it performs log analysis and rootkit checking plus process monitoring. It consists of two parts, a server and an agent. The server can only be installed on Linux, while the agent can also be installed on Windows.
Install the server
tar -xvf ossec-hids-version.tar.gz && cd ossec-hids-version to unpack the files.
Install the agent
cd /var/ossec/bin && ./manage_agents, then in the menu: a (add an agent) > enter its IP > y (confirm) > e (extract the key) > 001 (the agent id). Copy the key that is printed.
Install the agent on the Windows machine (for example) and give it the key so it connects to the server. On the server, go to cd ../logs && less ossec.log. You can cd alerts and see the alerts.
apt install samhain && cd /etc/samhain. Open the config file.
samhain -t init -p info
In this file go to the TrustedUser option and set something like TrustedUser = 104. Then run samhain -t update.
samhain -t check, then cd /var/log/samhain and open the
Open a syslog config file. Each system might have a slightly different name for these. For example: nano /etc/rsyslog.conf. Uncomment the line for UDP syslog reception. For the clients to log remotely to this machine, cd /etc/rsyslog.d/ && nano 50-default.conf and add something like *.* @IP:port to log everything remotely (a single @ forwards over UDP, matching the UDP reception enabled above; @@ forwards over TCP, which then also needs TCP reception enabled on the server).
apt install logwatch
Reads all the logs and generates a summary.
cd /usr/share/logwatch. The configs in this folder will overwrite the configs from
logwatch.conf - is the general config file. Separately, there is a folder with lots of files, one for each specific log.
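What "reads all the logs and generates a summary" looks like in practice, as an added Python example (not logwatch's own code, which is Perl): it parses rsyslog-style lines, counts events per program, and pulls out the things a daily digest is for, failed SSH logins per source, accepted logins and sudo commands. The log lines are constructed for the example; the three-failure flagging threshold is an assumption.

```python
import re
from collections import Counter

# Classic "Mmm dd HH:MM:SS host prog[pid]: message" line as written by rsyslog.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_SSH_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_SSH_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    "Mar  3 10:01:02 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "Mar  3 10:01:05 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.9 port 51235 ssh2",
    "Mar  3 10:01:09 web01 sshd[1240]: Failed password for root from 203.0.113.9 port 51240 ssh2",
    "Mar  3 10:02:30 web01 sshd[1250]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2",
    "Mar  3 10:03:00 web01 sudo:    deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/apt update",
    "Mar  3 10:04:00 web01 cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
    "this line is not syslog-shaped and must be counted, not silently dropped",
]


def parse_line(line: str):
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def summarize(lines) -> dict:
    """One pass over the log: per-program counts plus the events worth a second look."""
    report = {
        "by_program": Counter(),
        "ssh_failed_by_ip": Counter(),
        "ssh_accepted": [],
        "sudo_commands": [],
        "unparsed": 0,
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1  # never drop what you cannot parse; count it so it gets looked at
            continue
        report["by_program"][rec["prog"]] += 1
        if rec["prog"] == "sshd":
            m = FAILED_SSH_RE.search(rec["msg"])
            if m:
                report["ssh_failed_by_ip"][m["ip"]] += 1
            m = ACCEPTED_SSH_RE.search(rec["msg"])
            if m:
                report["ssh_accepted"].append((m["user"], m["ip"]))
        elif rec["prog"] == "sudo":
            m = SUDO_RE.match(rec["msg"])
            if m:
                report["sudo_commands"].append((m["user"], m["cmd"]))
    return report


def render(report: dict, failed_threshold: int = 3) -> str:
    """Human-readable digest in the spirit of a logwatch summary."""
    out = ["### Events by program"]
    for prog, n in report["by_program"].most_common():
        out.append(f"  {prog:<10} {n}")
    out.append(f"### SSH failed logins by source (>= {failed_threshold} flagged)")
    for ip, n in report["ssh_failed_by_ip"].most_common():
        flag = "  <-- possible brute force" if n >= failed_threshold else ""
        out.append(f"  {ip:<16} {n}{flag}")
    out.append("### SSH accepted logins")
    out.extend(f"  {user} from {ip}" for user, ip in report["ssh_accepted"])
    out.append("### sudo commands")
    out.extend(f"  {user}: {cmd}" for user, cmd in report["sudo_commands"])
    out.append(f"### Unparsed lines: {report['unparsed']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG)))
```

Run it against a real file with `summarize(open("/var/log/auth.log"))`; the per-service parsers in logwatch's own per-log folder play the same role as the three regexes here.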
A network-based IDS usually monitors the network, logs it and alerts the admin if something catches its eye. Using a SPAN port, you can run all the traffic through the IDS. Another way to analyse the network is to take a network capture (for example, a pcap file) and check it with an IDS offline.
- Network Captures
- Browser protection
- Anti-virus 🦠
- Data loss prevention
- E-mail 📮
tcpdump -s 0 -w file.pcap
-s 0 - grab the entire packet (no snaplen truncation),
-w file.pcap - write the raw packets to file.pcap,
host <IP> - only capture traffic to or from a particular IP address,
-nn - don’t resolve hostnames or port names,
-E - decrypt IPsec traffic by providing the encryption key,
-tttt - give maximally human-readable timestamp output,
-e - display the Ethernet header as well.
You can also use Wireshark for that. Or a Python 🐍 script. Or any other PL for that matter.
🧺 I want to see all TCP packets that have 184.108.40.206 as source or destination IP address. Also, I would like to get only those packets that have destination port 80, assuming the web server is listening on port
For tcpdump 🌚 -
tcpdump src 192.168.1.65 and dst port 80.
For Wireshark 🦈 -
ip.src==192.168.1.65 and tcp.port==80.
For Python 🐍:
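An added Python example for the offline-capture case (not a script from the original notes): a minimal classic-pcap reader that decodes Ethernet/IPv4/TCP headers and applies the same predicate as the filters above. It follows the prose, matching the IP as source *or* destination (tcpdump's `host` sense), whereas the tcpdump line above matches `src` only. The capture is constructed in memory so it runs without a file; the helper names and the TEST-NET addresses are assumptions of the example.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4  # microsecond-resolution classic pcap, as tcpdump -w writes it
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    proto: int
    sport: Optional[int]
    dport: Optional[int]


def read_pcap(data: bytes) -> Iterator[Packet]:
    """Walk a classic pcap file and decode Ethernet/IPv4/{TCP,UDP} headers; other frames are skipped."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng and nanosecond pcap are not handled here)")
    (linktype,) = struct.unpack_from(end + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        pkt = decode_frame(frame, sec + usec / 1e6)
        if pkt is not None:
            yield pkt


def decode_frame(frame: bytes, ts: float) -> Optional[Packet]:
    # A frame cut short by a small snaplen (captured without -s 0) fails these length checks
    # and is dropped, which is why the notes above capture with -s 0.
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or len(ip) < ihl:
        return None
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack_from("!HH", ip, ihl)
    return Packet(ts, src, dst, proto, sport, dport)


def filter_tcp_to_port(packets, ip: str, dport: int) -> List[Packet]:
    """TCP packets to `dport` that involve `ip` as source or destination (tcpdump's `host` sense)."""
    return [p for p in packets if p.proto == IPPROTO_TCP and p.dport == dport and ip in (p.src, p.dst)]


# --- constructed capture so the example runs offline (assumed addresses, TEST-NET ranges) ---
def _frame(src_ip: str, dst_ip: str, proto: int, l4: bytes) -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


def _tcp(sport: int, dport: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)  # bare SYN


def build_sample_capture() -> bytes:
    frames: List[Tuple[float, bytes]] = [
        (1.0, _frame("192.168.1.65", "198.51.100.7", IPPROTO_TCP, _tcp(51000, 80))),   # outbound to web
        (1.1, _frame("198.51.100.7", "192.168.1.65", IPPROTO_TCP, _tcp(80, 51000))),   # the reply
        (1.2, _frame("192.168.1.65", "198.51.100.7", IPPROTO_TCP, _tcp(51001, 443))),  # HTTPS, wrong port
        (1.3, _frame("10.0.0.5", "192.168.1.65", IPPROTO_TCP, _tcp(40000, 80))),       # inbound to our :80
        (1.4, _frame("192.168.1.65", "198.51.100.7", IPPROTO_UDP, struct.pack("!HHHH", 5353, 80, 8, 0))),  # UDP
        (1.5, bytes(12) + struct.pack("!H", 0x0806) + bytes(28)),                      # ARP, not IPv4
    ]
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame)
    return b"".join(out)


if __name__ == "__main__":
    packets = list(read_pcap(build_sample_capture()))
    for p in filter_tcp_to_port(packets, "192.168.1.65", 80):
        print(f"{p.ts:.6f} IP {p.src}.{p.sport} > {p.dst}.{p.dport}")
```

For a real capture use `read_pcap(open("file.pcap", "rb").read())`; the reader rejects pcapng (which Wireshark saves by default) on purpose rather than misparsing it, so export as classic pcap or capture with tcpdump -w.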
sudo apt-get install snort
cat /etc/default/snort # or cat /etc/init.d/snort