Host-based IDS look at local system configuration and behaviour, while network-based IDS look at network connections, watching for anomalies and known signatures.
IDS and IPS act as the firewall's filters. A network device has a control plane (runs the OS and maintains the routing table) and a forwarding plane (decides whether each packet is forwarded or discarded). If something happens to the control plane, the device will still forward the traffic (really???).
By default an IDS only listens to the traffic. It is usually connected to a SPAN port on a switch, looks for anomalies and sends alerts. It takes no action by default, but can be configured to. If the IDS goes down, nothing changes for the rest of the network; it keeps operating.
An IPS takes action on its own. It is not connected to a SPAN port but sits inline as a gateway: nothing moves forward until the IPS has inspected and allowed the packet. So if the IPS is down, everyone is down (unless there is some load balancing enabled, or maybe some policy for such cases). It is positioned right after the router, edge device or firewall.
Tripwire
Uses a mail server to send alerts, so a mail server also has to be installed. Keeps its logs and configs in /etc/tripwire.
To install: apt-get install tripwire. Answer yes to all questions prompted. /etc/tripwire/twcfg is the config file. twpol is the list of files to watch; it determines whether critical files have changed. tw.pol and tw.cfg are the files produced after compiling the previously mentioned ones.
twadmin --create-cfgfile --cfgfile tw.cfg.enc --site-keyfile site.key twcfg.txt:
- --create-cfgfile - create a config file
- --cfgfile tw.cfg.enc - the file to create
- --site-keyfile site.key - the key to use
- twcfg.txt - the file to use as input
Now, creating a policy:
twadmin --create-polfile --cfgfile tw.cfg.enc --polfile tw.pol.enc --site-keyfile site.key twpol.txt:
- --create-polfile - create a policy file
- --cfgfile tw.cfg.enc - the configuration file to use
- --polfile tw.pol.enc - the policy file to create
- --site-keyfile site.key - the key to use
- twpol.txt - the file to use as input
Initialize the database:
tripwire --init --cfgfile tw.cfg.enc --polfile tw.pol.enc --site-keyfile site.key --local-keyfile local.key
To check the system for changes to critical files: tripwire --check.
All these files need to be regenerated every time you change the policy or the configuration, and the database needs to be updated as well.
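Tripwire's init / check / update cycle modelled in Python, as an added example that is not Tripwire's own code: the policy is just a list of paths, init_db writes the baseline database, check reports added, removed and modified files, and running init_db again after an accepted change plays the role of the database update the notes mention. The function names (snapshot, init_db, check, demo) and the sample files are my own constructions.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def snapshot(path: Path) -> dict:
    """What is recorded per watched file: content hash, size and permission bits,
    so a chmod is caught even when the content is unchanged."""
    st = path.stat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}

def init_db(policy: list, db_file: Path) -> dict:
    """Like tripwire --init: baseline every policy file that exists right now."""
    db = {p: snapshot(Path(p)) for p in policy if Path(p).is_file()}
    db_file.write_text(json.dumps(db, sort_keys=True))
    return db

def check(policy: list, db_file: Path) -> dict:
    """Like tripwire --check: report policy files that appeared, vanished or changed."""
    baseline = json.loads(db_file.read_text())
    report = {"added": [], "removed": [], "modified": []}
    for p in policy:
        exists = Path(p).is_file()
        if p in baseline and not exists:
            report["removed"].append(p)
        elif p not in baseline and exists:
            report["added"].append(p)
        elif exists and snapshot(Path(p)) != baseline[p]:
            report["modified"].append(p)
    return report

def demo() -> tuple:
    """Init / modify / check / update cycle on constructed files in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        passwd, sudoers = Path(d, "passwd"), Path(d, "sudoers")   # constructed stand-ins
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
        policy = [str(passwd), str(sudoers)]      # sudoers does not exist at baseline time
        db = Path(d, "tripwire.db")
        init_db(policy, db)
        clean = check(policy, db)                 # nothing has changed yet
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\nextra:x:1001:1001::/home/extra:/bin/sh\n")
        os.chmod(passwd, 0o600)
        sudoers.write_text("Defaults env_reset\n")
        tampered = check(policy, db)
        init_db(policy, db)                       # like tripwire --update: accept the new baseline
        return clean, tampered, check(policy, db)
```

demo() returns the three reports in order: clean before any change, the tampered report, and clean again after the baseline is re-initialised.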
OSSEC
Not just integrity checking (like Tripwire) but also additional checks: it performs log analysis, rootkit checking and process monitoring. Consists of two parts, a server and an agent. The server can only be installed on Linux, while the agent can also be installed on Windows.
Install the server
tar -xvf ossec-hids-version.tar.gz && cd ossec-hids-version
to unpack the files.
To start: /etc/init.d/ossec start.
Install the agent
cd /var/ossec/bin
./manage_agents
> a # add an agent
> some IP # the agent's IP address
> y # confirm
> e # extract the key
> 001 # agent id; copy the key
Install it on the Windows machine (for example). Now connect to the server. On the server, cd ../logs && less ossec.log. You can cd alerts and see the alerts.
Samhain
apt install samhain && cd /etc/samhain. Open the config file.
samhain -t init -p info
vi /etc/samhain/samhainrc
In this file go to the TrustedUser option and set something like the following: TrustedUser = 104. Then run samhain -t update.
To run a check: samhain -t check, then cd /var/log/samhain and open samhain-init.log and samhain.log.
Centralized logging
Open the syslog config file; each system might use a slightly different name for it. For example: nano /etc/rsyslog.conf. Uncomment the line for UDP syslog reception. For the clients to log remotely to this machine, go to /etc/rsyslog.d/ && nano 50-default.conf and add something like *.* @@IP:port to log everything remotely.
LogWatch
apt install logwatch
Reads all the logs and generates a summary.
Config locations: /etc/logwatch and /usr/share/logwatch. The configs in the latter folder will overwrite the configs from /etc/logwatch.
logwatch.conf is the general config file. Separately, there is a folder with lots of files, one for each specific log.
A network-based IDS usually monitors the network, logs it and alerts the admin if something catches its eye. Using a SPAN port, you can run all the traffic through the IDS. Another way to analyse the network is to take a network capture (for example, a pcap file) and check it with an IDS offline.
- Snort
- Suricata
- Bro-IDS
- Network Captures
Endpoint protection:
- Browser protection
- Anti-virus
- Data loss prevention
- E-mail
tcpdump -s 0 -w file.pcap
- -s 0 - grab the entire packet
- -w file.pcap - write to file.pcap
- host <IP> - only capture a particular IP address
- -nn - don't resolve hostnames or port names
- -E - decrypt IPsec traffic by providing an encryption key
- -tttt - give maximally human-readable timestamp output
- -e - display the Ethernet header as well (-X dumps each packet in hex and ASCII)
You can also use Wireshark for that, or a Python script, or any other programming language for that matter.
Common filters
I want to see all TCP packets that have 1.1.1.1 as source or destination IP address. Also, I would like to get only those packets that have destination port 80, assuming the web server is listening on port 80.
For tcpdump: tcpdump src 192.168.1.65 and dst port 80.
For Wireshark: ip.src==192.168.1.65 and tcp.port==80.
For Python:
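The offline pcap check described above, as an added example that is not the notes' own Python snippet (that is not on the page): a minimal parser for the classic pcap format that applies the same filter as the tcpdump line, src 192.168.1.65 and dst port 80, to a capture written by tcpdump -w. The capture here is constructed inline; the helper names frame, pcap, packets and src_and_dst_port are my own.

```python
import struct

def ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def frame(src, dst, sport, dport, payload=b"") -> bytes:
    """Minimal Ethernet/IPv4/TCP frame; checksums stay zero (filters never read them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, ip4(src), ip4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp     # zero MACs, EtherType 0x0800 = IPv4

def pcap(frames) -> bytes:
    """Classic pcap container: 24-byte global header (linktype 1 = Ethernet), 16-byte record headers."""
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def packets(data: bytes):
    """Yield (src_ip, dst_ip, sport, dport) for every IPv4/TCP record in a pcap buffer."""
    magic, = struct.unpack_from("<I", data)
    end = "<" if magic == 0xA1B2C3D4 else ">"        # byte order is whatever the writer used
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from(end + "IIII", data, off)[2]
        rec = data[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if rec[12:14] != b"\x08\x00" or rec[23] != 6:    # keep only IPv4 carrying TCP
            continue
        ihl = (rec[14] & 0x0F) * 4                       # IP header length in bytes
        src = ".".join(map(str, rec[26:30]))
        dst = ".".join(map(str, rec[30:34]))
        sport, dport = struct.unpack_from("!HH", rec, 14 + ihl)
        yield src, dst, sport, dport

def src_and_dst_port(data: bytes, src_ip: str, port: int) -> list:
    """Offline equivalent of `tcpdump src <ip> and dst port <port>`."""
    return [p for p in packets(data) if p[0] == src_ip and p[3] == port]

# Constructed sample capture: one matching HTTP request, the reply (wrong direction),
# and an unrelated SSH packet from the same host.
SAMPLE = pcap([
    frame("192.168.1.65", "10.0.0.8", 51000, 80, b"GET / HTTP/1.1\r\n"),
    frame("10.0.0.8", "192.168.1.65", 80, 51000, b"HTTP/1.1 200 OK\r\n"),
    frame("192.168.1.65", "10.0.0.8", 51001, 22),
])

if __name__ == "__main__":
    for pkt in src_and_dst_port(SAMPLE, "192.168.1.65", 80):
        print("%s:%d -> %s:%d" % (pkt[0], pkt[2], pkt[1], pkt[3]))
```

To run it against a real file, replace SAMPLE with the bytes read from the tcpdump -w output; only the single request frame matches the filter in the sample.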
Snort
sudo apt-get install snort
cat /etc/snort/default
# or
cat /etc/init.d/snort