Posted: December 9th, 2024

Examining Tripwire And Samhain IDS Files Information Technology Essay

Identify tools that are used for Host-Based Intrusion Detection, focusing on Open-Source Tools. Show how these tools can be used to secure a host, how they operate (i.e. link with Questions A and B) and provide an example of a detected intrusion.

Host-based IDS like Tripwire and Samhain take a snapshot of the files on a computer and then generate alerts whenever there are unexpected changes to the permissions, ownership or content of a critical file. These can, for example, detect tampering with password files, system programs or security configurations. Host-based IDS are particularly useful on critical servers.

A HIDS can detect which program is accessing a given resource and discover when an application or process has suddenly and unexpectedly started modifying the system’s state database. It looks at the state of a system and its stored information, whether in RAM, in the file system, in log files or elsewhere, and checks that the contents appear as expected. If any abnormality is found, the HIDS sends an alert to the user or the system administrator stating that such an activity has been performed on the system concerned. It also collects the log files, which are decoded and analysed in several stages.

A Few Open-Source tools that are used for Host-Based Intrusion Detection

1) OSSEC:

OSSEC is an open-source host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows. Written by Daniel Cid, it was owned by Third Brigade in 2008, which was then acquired by Trend Micro in 2009.

OSSEC performs file system integrity checks, registry monitoring on Windows and active response, and is commonly used for RTBL and rootkit detection. It monitors data points to identify malicious behaviour, using anomaly detection or pattern matching. There are three modes: local, client and server. In the client-server model, clients receive their configuration from the server and send logs to the server over an encrypted channel. OSSEC monitors specific logs by default, including syslog, Apache HTTP logs and mail logs, and can be configured to monitor any log it can gain access to.

OSSEC is an IDS service that can be used internally or offered to stakeholders. It allows the user to extend the security impact and provides greater visibility into the security posture. Customization options allow OSSEC to meet the organization's specific security requirements. The main advantages of OSSEC are a lower false positive rate (if the HIDS detected the traffic, it was definitely parsed by the target), use of existing hardware, low resource usage, and no disruption to the network architecture.

OSSEC lets the user customise alerts on unauthorized file system modifications and on malicious behaviour recorded in application log files. Users can choose which incidents they want to be alerted on and have critical incidents sent, by priority, to e-mail, cell phones and pagers. Active response options to block an attack immediately are also available.

Key Features of OSSEC are

File integrity monitoring: checks for attacks on, or changes to, the system files on a computer. A change can be the result of an attack, misuse by a user or even a typing error by a user. Any file, directory or registry change is detected, and the user or system administrator is alerted when it happens.

Log monitoring: the operating system and applications write logs to let the user know what is happening. OSSEC consolidates these logs, analyses them in stages and compares them to let the user or the administrator know in case of attack, misuse, errors, etc.

Rootkit detection: attackers usually hide their actions without leaving any fingerprints. With rootkit detection the user is notified when something (Trojans, viruses, etc.) changes the system in this way.

Active response: takes an immediate response when an intrusion happens, blocking the process and the attack right away.
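The staged log analysis described above (decode each line, then apply a rule across the decoded events) can be shown on a small scale. This is an added example, not OSSEC's own decoder or rule syntax; the sshd log lines, host name, threshold and window are constructed assumptions, and the addresses come from documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Decoder stage: pull timestamp, user and source out of sshd failure lines.
SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log lines (hypothetical host, documentation IP ranges).
SAMPLE = [
    "Dec  9 10:00:01 web01 sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2",
    "Dec  9 10:00:04 web01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40023 ssh2",
    "Dec  9 10:00:09 web01 sshd[812]: Accepted publickey for deploy from 198.51.100.20 port 51100 ssh2",
    "Dec  9 10:00:11 web01 sshd[813]: Failed password for root from 203.0.113.7 port 40025 ssh2",
    "Dec  9 10:00:30 web01 sshd[815]: Failed password for deploy from 198.51.100.20 port 51101 ssh2",
    "Dec  9 10:00:31 web01 sshd[816]: Failed password for invalid user test from 203.0.113.7 port 40030 ssh2",
]

def decode(line, year=2024):
    """Return a decoded event dict, or None when the line is not an sshd failure."""
    m = SSHD_FAIL.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # syslog pads single-digit days with a space
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "src": m["src"]}

def correlate(lines, threshold=4, window=timedelta(seconds=60)):
    """Rule stage: alert once per source reaching `threshold` failures within `window`."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop failures that fell out of the sliding window
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append((ev["src"], ev["ts"].strftime("%H:%M:%S"), len(q)))
    return alerts
```

`correlate(SAMPLE)` raises a single alert for the source with four failures inside one minute and ignores the host with one mistyped password.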


2) Server-M

ServerM is an extremely flexible signature-based host-based intrusion detection system (HIDS). Running as a Perl daemon, it uses little CPU, and is capable of detecting a wide range of intrusions. Signature language is powerful and alarm options varied.

3) Tripwire:

Tripwire is an open source security and data integrity tool for monitoring specific file changes on a system. Tripwire is defined by Peter Loshin of Computerworld magazine as “the art and science of sensing when a system or network is being used inappropriately or without authorization”. The main functionality of Tripwire is to check the integrity of important system files and directories in comparison with a baseline database and to trigger an alert when any changes occur within the predetermined policy. Tripwire is usually installed in a secure state, where the operating system along with any application software has not already been well tested before roll-out.
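The snapshot-and-compare approach described in the introduction and in the Tripwire paragraph above, including an example of a detected change, can be sketched as follows. This is an added example, not Tripwire's or Samhain's code or database format; the file names and contents are constructed and live only in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile

ATTRS = ("sha256", "mode", "uid", "gid")
SAMPLE_FILES = {"passwd": "root:x:0:0\n", "sshd_config": "PermitRootLogin no\n", "motd": "hi\n"}

def snapshot(root):
    """Baseline database: content hash, permission bits and owner per regular file."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            values = (digest, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
            db[os.path.relpath(path, root)] = dict(zip(ATTRS, values))
    return db

def compare(baseline, current):
    """Return (path, finding) pairs for every deviation from the baseline."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None or new is None:
            findings.append((path, "added" if old is None else "removed"))
        else:
            findings.extend((path, a + " changed") for a in ATTRS if old[a] != new[a])
    return findings

def demo():
    """Constructed scenario: baseline a temp tree, make four changes, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
            os.chmod(os.path.join(root, name), 0o644)
        baseline = snapshot(root)
        with open(os.path.join(root, "passwd"), "a") as fh:
            fh.write("extra:x:1001:1001\n")                     # content change
        os.chmod(os.path.join(root, "sshd_config"), 0o666)      # permission change
        os.remove(os.path.join(root, "motd"))                   # file removed
        open(os.path.join(root, "cron.extra"), "w").close()     # file added
        return compare(baseline, snapshot(root))
```

In practice the baseline itself has to be protected (stored off-host or signed), because an intruder who can rewrite it can hide every change the comparison would report.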

4) Samhain:

Samhain is a multi-platform, open source host-based HIDS for POSIX. The tool provides file integrity checking, rootkit detection, and more.

The Samhain host-based intrusion detection system (HIDS) provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes.

Samhain has been designed to monitor multiple hosts with potentially different operating systems, providing centralized logging and maintenance, although it can also be used as a standalone application on a single host.

Samhain is an open-source multiplatform application for POSIX systems (UNIX, Linux, and Cygwin/Windows).
