1. AIDE (Advanced Intrusion Detection Environment)
AIDE is a Host-Based Intrusion Detection System (HIDS) and a free alternative to
Tripwire (if you already know Tripwire you should have no difficulty learning
AIDE's configuration file). A HIDS detects changes to important system
configuration files and binaries: it computes a cryptographic hash (and other
attributes) of each file to be checked and stores them in a safe place. On a
regular basis (such as once a day) the stored "known-good" values are compared
with those computed from the current copy of each file; any difference means
the file has changed. A HIDS is a great way to detect unauthorised changes to
your system, but it takes a little work to set up properly and to make good use
of.
The configuration file is based on regular expressions, macros and rules for
files and directories. We have the following macros:
| Macro | Description | Syntax |
| ifdef | If defined | @@ifdef "name" |
| ifndef | If not defined | @@ifndef "name" |
| define | Define a variable | @@define "name" "value" |
| undef | Undefine a variable | @@undef "name" |
| ifhost | If the hostname is "hostname" | @@ifhost "hostname" |
| ifnhost | If the hostname is not "hostname" | @@ifnhost "hostname" |
| endif | Closes any of the above conditionals (not needed after define and undef) | @@endif |
These macros become very handy if you have more than one Gentoo box and want to
use AIDE on all of them. But not all machines run the same services or even have
the same users.
Next we have sets of flags to check for on files and directories. These are a
combination of permissions, file properties and cryptographic hashes
(i.e. checksums).
| Flag | Description |
| p | permissions |
| i | inode |
| n | number of links |
| u | user |
| g | group |
| s | size |
| b | block count |
| m | mtime |
| a | atime |
| c | ctime |
| S | check for growing size |
| md5 | md5 checksum |
| sha1 | sha1 checksum |
| rmd160 | rmd160 checksum |
| tiger | tiger checksum |
| R | p+i+n+u+g+s+m+c+md5 |
| L | p+i+n+u+g |
| E | empty group |
| > | growing logfile: p+u+g+i+n+S |
If AIDE is compiled with mhash support, a few more checksum flags are
available:
| Flag | Description |
| haval | haval checksum |
| gost | gost checksum |
| crc32 | crc32 checksum |
Now you can create your own rules from the above flags by combining them
like this:
Code Listing 1.1: Create a ruleset for AIDE
All=R+a+sha1+rmd160
Norm=s+n+b+md5+sha1+rmd160
The last thing we need before writing our own configuration file is to see how
a rule is attached to a file or directory. A rule line is simply the file or
directory name followed by the rule name. Directories are added recursively
unless the name is prefixed with one of the following:
| Prefix | Description |
| ! | Don't add this file or directory. |
| = | Add this directory, but not recursively. |
So let's look at a full-blown example:
Code Listing 1.2: /etc/aide/aide.conf
@@ifndef TOPDIR
@@define TOPDIR /
@@endif
@@ifndef AIDEDIR
@@define AIDEDIR /etc/aide
@@endif
@@ifhost smbserv
@@define smbactive
@@endif
# The location of the database to be read.
database=file:@@{AIDEDIR}/aide.db
# The location of the database to be written.
database_out=file:@@{AIDEDIR}/aide.db.new
verbose=20
report_url=stdout
# Rule definition
All=R+a+sha1+rmd160
Norm=s+n+b+md5+sha1+rmd160
@@{TOPDIR} Norm
!@@{TOPDIR}etc/aide
!@@{TOPDIR}dev
!@@{TOPDIR}media
!@@{TOPDIR}mnt
!@@{TOPDIR}proc
!@@{TOPDIR}root
!@@{TOPDIR}sys
!@@{TOPDIR}tmp
!@@{TOPDIR}var/log
!@@{TOPDIR}var/run
!@@{TOPDIR}usr/portage
@@ifdef smbactive
!@@{TOPDIR}etc/smb/private/secrets.tdb
@@endif
=@@{TOPDIR}home Norm
In the above example the macros define where the top directory starts and
where the AIDE directory is. When checking file integrity AIDE reads
/etc/aide/aide.db, but when initialising or updating the database it writes
to /etc/aide/aide.db.new, so the old database is never overwritten
automatically; you move the new file into place yourself once you have reviewed
the report. The report_url option is not yet implemented, but the author's
intention was that it should be able to e-mail or maybe even execute scripts.
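To make the flag letters and the rule lines concrete, here is an added Python example that is not AIDE's own code: it implements the same baseline-then-compare loop, honours the "!" (exclude) and "=" (non-recursive) selectors and the growing-logfile rule, and stores the database together with a detached digest so that a tampered aide.db is noticed on the next check. The rule groups R, L, > and Norm are copied from the page; sha256 stands in for md5 and rmd160 (an assumption: ripemd160 is absent from some hashlib builds), and the fake filesystem built in demo() is constructed for the example.

```python
"""AIDE-style integrity check (added example, not AIDE's own code): baseline
a tree using rule strings built from the flag table above, then report what
changed.  Any hashlib algorithm name is accepted as a checksum flag; the R, L,
> and Norm groups are the page's, with md5/rmd160 replaced by sha256
(assumption: ripemd160 is missing from some hashlib builds).  `shallow`
directories are the "=" lines of aide.conf, `exclude` prefixes the "!" lines.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Attribute extractors keyed by AIDE flag; "S" means the size may only grow.
ATTRS = {"p": lambda st: stat.S_IMODE(st.st_mode), "i": lambda st: st.st_ino,
         "n": lambda st: st.st_nlink, "u": lambda st: st.st_uid,
         "g": lambda st: st.st_gid, "s": lambda st: st.st_size,
         "b": lambda st: st.st_blocks, "m": lambda st: int(st.st_mtime),
         "c": lambda st: int(st.st_ctime), "S": lambda st: st.st_size}
GROUPS = {"R": "p+i+n+u+g+s+m+c+sha256", "L": "p+i+n+u+g",
          ">": "p+u+g+i+n+S", "Norm": "s+n+b+md5+sha1+sha256"}

def expand(rule):
    """'R+a+sha1' -> the individual flags, with groups unfolded."""
    flags = []
    for f in rule.split("+"):
        flags.extend(GROUPS[f].split("+") if f in GROUPS else [f])
    return flags

def snapshot(path, rule):
    st = path.lstat()
    return {f: ATTRS[f](st) if f in ATTRS
            else hashlib.new(f, path.read_bytes()).hexdigest()
            for f in expand(rule)}

def _under(rel, prefixes):
    return any(rel == p or rel.startswith(p + "/") for p in prefixes)

def build_db(root, rule, exclude=(), shallow=(), growing=()):
    """Snapshot every selected file; files under a `growing` prefix get '>'."""
    root, db = Path(root), {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        if str(rel_dir) in shallow:  # "=" entry: this directory, no descent
            dirnames[:] = []
        dirnames[:] = [d for d in dirnames if not _under(str(rel_dir / d), exclude)]
        for name in filenames:
            rel = str(rel_dir / name)
            if not _under(rel, exclude):
                db[rel] = snapshot(Path(dirpath) / name, ">" if _under(rel, growing) else rule)
    return db

def check(db, root, rule, exclude=(), shallow=(), growing=()):
    """Compare a stored baseline with the filesystem as it is now."""
    cur = build_db(root, rule, exclude, shallow, growing)
    report = {"added": sorted(set(cur) - set(db)),
              "removed": sorted(set(db) - set(cur)), "changed": {}}
    for rel in sorted(set(db) & set(cur)):
        new = cur[rel]
        diffs = [f for f, old in db[rel].items()
                 if f not in new or (new[f] < old if f == "S" else new[f] != old)]
        if diffs:
            report["changed"][rel] = diffs
    return report

def save_db(db, path):
    """Write the baseline; keep the returned digest on offline media."""
    data = json.dumps(db, sort_keys=True).encode()
    Path(path).parent.mkdir(parents=True, exist_ok=True)
    Path(path).write_bytes(data)
    return hashlib.sha256(data).hexdigest()

def load_db(path, expected_digest):
    data = Path(path).read_bytes()
    if hashlib.sha256(data).hexdigest() != expected_digest:
        raise RuntimeError("baseline database does not match the offline digest")
    return json.loads(data)

def demo():
    """Constructed scenario: baseline a fake root, tamper with it, re-check."""
    root = Path(tempfile.mkdtemp())
    seed = {"etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
            "usr/bin/login": b"\x7fELF original", "var/log/messages": b"boot ok\n",
            "home/alice/.bashrc": b"alias ls='ls -F'\n", "tmp/scratch": b"junk"}
    for rel, data in seed.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    sel = dict(exclude=("etc/aide", "tmp"), shallow=("home",), growing=("var/log",))
    digest = save_db(build_db(root, "Norm", **sel), root / "etc/aide/aide.db")
    with open(root / "etc/passwd", "ab") as fh: fh.write(b"eve:x:0:0::/:/bin/sh\n")
    (root / "usr/bin/login").unlink()                   # binary removed
    (root / "usr/bin/evil").write_bytes(b"backdoor")    # binary added
    with open(root / "var/log/messages", "ab") as fh: fh.write(b"login ok\n")
    (root / "tmp/scratch").write_bytes(b"more junk")    # excluded: ignored
    db = load_db(root / "etc/aide/aide.db", digest)     # digest kept off-host
    return check(db, root, "Norm", **sel)
```

Running demo() reports usr/bin/evil as added, usr/bin/login as removed and etc/passwd as changed in size and all three checksums, while the appended log file and the excluded tmp/ entry produce nothing. The digest returned by save_db is what you would keep on the CD mentioned later in this section; load_db refuses a database that no longer matches it.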
The AIDE ebuild now comes with a working default configuration file, a helper
script and a crontab script. The helper script does a number of tasks for you
and provides an interface that is a little more script friendly. To see all
available options, try aide --help. To get started, all that needs to be
done is aide -i and the crontab script should detect the database and
send mails as appropriate every day. We recommend that you review the
/etc/aide/aide.conf file and ensure that the configuration
accurately reflects what is in place on the machine.
Note: Depending on your CPU, disk access speed, and the flags you have set on
files, this can take some time.
Note: Remember to set an alias so you get root's mail. Otherwise you will never
know what AIDE reports.
There is some risk inherent in storing the db files locally: an attacker who
knows that AIDE is installed will most certainly try to alter the db file,
regenerate it to cover their tracks, or replace /usr/bin/aide itself. So
you should put a copy of the .db file and the AIDE binaries on a CD or other
read-only media, and run the check from that copy.
One can find information at the AIDE project page.
2. Snort
Snort is a Network Intrusion Detection System (NIDS). To install and configure
it use the following examples.
Code Listing 2.1: /etc/conf.d/snort
PIDFILE=/var/run/snort_eth0.pid
MODE="full"
NETWORK="10.0.0.0/24"
LOGDIR="/var/log/snort"
CONF=/etc/snort/snort.conf
SNORT_OPTS="-D -s -u snort -dev -l $LOGDIR -h $NETWORK -c $CONF"
Code Listing 2.2: /etc/snort/snort.conf
var HOME_NET 10.0.0.0/24
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS [10.0.0.2/32,212.242.40.51/32]
var RULE_PATH ./
preprocessor frag2
preprocessor stream4: detect_scans detect_state_problems disable_evasion_alerts
preprocessor stream4_reassemble: ports all
preprocessor http_decode: 80 8080 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
include classification.config
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
# include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules
Code Listing 2.3: /etc/snort/classification.config
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: kickass-porn,SCORE! Get the lotion!,1
More information is at the Snort web site.
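The configuration above only protects you if every rule file it includes actually exists, every $VAR a rule references is defined, and every classtype a rule uses is declared in classification.config; a typo in any of these costs you a signature without any alert telling you so. The following added Python checker (example code, not part of Snort) parses the three files and reports such mistakes, plus preprocessor options given twice (such as detect_scans appearing two times on a stream4 line). The snort.conf, classification.config and local.rules texts embedded in it are constructed for the example, with RULE_PATH made absolute.

```python
"""Pre-flight checks for a Snort 2 configuration (added example, not part of
Snort): parse snort.conf var/include/preprocessor lines and
classification.config, then report included rule files that are missing,
rules with an undeclared classtype, $VARs that are never defined, and
preprocessor options given twice.  Sample inputs are constructed inline;
option parsing assumes no ';' inside msg strings.
"""
import re
VAR_RE = re.compile(r"\$(\w+)")
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+"
    r"(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$")

def parse_classifications(text):
    classes = {}  # name -> (description, priority)
    for line in text.splitlines():
        if line.startswith("config classification:"):
            name, rest = line.split(":", 1)[1].split(",", 1)
            desc, prio = rest.rsplit(",", 1)
            classes[name.strip()] = (desc.strip(), int(prio))
    return classes

def parse_conf(text):
    conf = {"vars": {}, "includes": [], "preprocessors": []}
    for line in text.splitlines():
        key, _, rest = line.split("#", 1)[0].strip().partition(" ")
        if key == "var":
            name, _, value = rest.partition(" ")
            conf["vars"][name] = value.strip()
        elif key == "include":
            conf["includes"].append(rest.strip())
        elif key == "preprocessor":
            name, _, opts = rest.partition(":")
            conf["preprocessors"].append((name.strip(), opts.split()))
    return conf

def parse_rules(text):
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: unparseable rule: {line[:40]}")
        opts = {}
        for opt in filter(None, (o.strip() for o in m.group("body").split(";"))):
            k, _, v = opt.partition(":")
            opts[k.strip()] = v.strip().strip('"')
        rules.append({"line": n, "opts": opts, **m.groupdict()})
    return rules

def lint(conf_text, class_text, rule_files):
    """rule_files maps an include path (after $VAR expansion) to its text."""
    conf, classes, findings = parse_conf(conf_text), parse_classifications(class_text), []
    for name, opts in conf["preprocessors"]:
        for o in sorted({o for o in opts if opts.count(o) > 1}):
            findings.append(f"preprocessor {name}: option {o} repeated")
    for inc in conf["includes"]:
        path = VAR_RE.sub(lambda m: conf["vars"].get(m.group(1), m.group(0)), inc)
        if not path.endswith(".rules"):  # classification.config and friends
            continue
        if path not in rule_files:
            findings.append(f"include {inc}: file not found")
            continue
        for r in parse_rules(rule_files[path]):
            where = f"{path}:{r['line']}"
            for field in ("src", "sport", "dst", "dport"):
                for v in VAR_RE.findall(r[field]):
                    if v not in conf["vars"]:
                        findings.append(f"{where}: undefined variable ${v}")
            ct = r["opts"].get("classtype")
            if ct and ct not in classes:
                findings.append(f"{where}: unknown classtype {ct}")
    return findings

SNORT_CONF = """\
var HOME_NET 10.0.0.0/24
var EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
preprocessor stream4: detect_scans detect_state_problems detect_scans disable_evasion_alerts
include classification.config
include $RULE_PATH/local.rules
include $RULE_PATH/web-attacks.rules
"""
CLASSIFICATIONS = """\
config classification: attempted-recon,Attempted Information Leak,2
config classification: trojan-activity,A Network Trojan was detected, 1
"""
LOCAL_RULES = """\
# constructed rules: the second references an undefined var and misspells its classtype
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH SYN to internal host"; flags:S; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MSSQL probe"; classtype:attemped-recon; sid:1000002; rev:1;)
"""

def demo():
    return lint(SNORT_CONF, CLASSIFICATIONS, {"/etc/snort/rules/local.rules": LOCAL_RULES})
```

On the constructed input demo() returns four findings: the repeated stream4 option, the undefined $SQL_SERVERS and the misspelled classtype on line 3 of local.rules, and the missing web-attacks.rules. Run it against the real /etc/snort tree before every restart of the sensor; a clean list is cheap insurance against silently losing signatures.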
3. Detecting malware with chkrootkit
A HIDS like AIDE is a great way to detect changes to your system, but it never
hurts to have another line of defence. chkrootkit is a utility that scans
common system files for the presence of rootkits (software designed to hide an
intruder's actions and let them keep their access) and scans your system for
likely traces of key loggers and other malware. While chkrootkit (and
alternatives like rkhunter) are useful tools, both for system
maintenance and for tracking an intruder after an attack has occurred, they
cannot guarantee your system is secure.
The best way to use chkrootkit to detect an intrusion is to run it
routinely from cron. To start, emerge
app-forensics/chkrootkit. chkrootkit can be run from the
command line by the command of the same name, or from cron with an entry
such as this:
Code Listing 3.1: Schedule chkrootkit as a cronjob
0 3 * * * /usr/sbin/chkrootkit
Page updated July 19, 2010