
Re: Low cost HID based IDS system

From: Krzysztof Zaraska <kzaraska(at)student.uci.agh.edu.pl>
Date: Fri May 16 2003 - 17:14:22 EDT

On Fri, 16 May 2003 15:17:24 +1000
"Zach Forsyth" <Zach.Forsyth@kiandra.com> wrote:

> Hi,

Hello,

> I just wanted to ask if anyone out there had some ideas in regards to

<Disclaimer: I am a Prelude developer>

I have absolutely no idea whether it would suit your needs, but you could consider using Prelude (http://www.prelude-ids.org/) in the following setup:

  • At a central site, you deploy Prelude Manager + database + frontend
  • At each client site, you deploy:
    + Prelude Manager configured to relay alerts to the Manager on the central site
    + Sensors configured to send alerts to the site's Prelude Manager

This way alerts are transmitted sensor -> site manager -> central manager, where you can process them any way you want. Connections are SSL'd and authenticated, so alert transmission over the Internet should be relatively secure ;). The alert transmission system is also designed to avoid losing alerts in case of failure
(http://www.prelude-ids.org/download/misc/pingwinaria/2003/html/img27.html).

The system would be similar to this one:

http://www.prelude-ids.org/download/misc/pingwinaria/2003/html/img21.html

(your site being Tier-1, clients being Tier-2 and possibly without databases)

Another graphic presentation you could find useful:

http://www.prelude-ids.org/download/misc/pingwinaria/2003/html/img19.html


(client's network at the bottom-right of the image).

Concerning the HIDS sensor(s): you may of course want to use something that does not have the possibility of logging directly to Prelude. However, if the HIDS product in question is capable of logging to a text file or to syslog, you can simply use Prelude LML to parse these logs and send them to Prelude Manager in the format Prelude uses. If you were logging via syslog, you could do with one LML daemon per network (LML has its own syslog server). So the data flow would be: sensor -> Prelude LML (local) -> Prelude Manager (local) -> Prelude Manager (central).

It may be a problem that Prelude does not run on Win32, but the system can still be deployed if the client can have one Linux/*BSD box on site to run Prelude Manager + Prelude LML on it.

And, BTW, you could deploy Prelude NIDS sensors at clients' sites as well...

> The per server cost is then low enough to keep clients interested and

Hm, Prelude is used in production environments (at least from what we are told ;)). And we aren't aware of any large delays being introduced by the alert relaying system...

Just my PLN 0.02 ;)

Krzysztof

-- 
// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// http://mops.uci.agh.edu.pl/~kzaraska/ * http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
//		-- Stanislaw Lem

  • application/pgp-signature attachment: stored
Received on Fri May 16 17:21:14 2003
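The flow the reply describes (HIDS writes to syslog, a local LML-style daemon turns matching lines into normalized alerts, and a relay spools them so that an outage of the upstream manager does not lose anything) as a small added example. This is illustration code written for this archive page, not Prelude's own LML or Manager code: the rule format, the alert fields, the `Relay` class and the `FlakyUpstream` stand-in for the central manager are all assumptions, the syslog lines are constructed, and the authenticated SSL transport is abstracted into a `send` callable that returns True only when the upstream acknowledges the alert.

```python
import json
import os
import re
import tempfile

# Constructed sample syslog lines, as a HIDS logging via syslog might emit them.
# (sample input for this example, not from any real product)
SAMPLE_LOG = """\
May 16 17:10:01 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
May 16 17:10:03 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 4023 ssh2
May 16 17:10:05 web1 hids[911]: integrity check failed: /usr/bin/login checksum mismatch
May 16 17:10:09 web1 cron[1200]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Classic BSD syslog line: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w\-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Simplified stand-in for LML-style regex rules (assumed format, not Prelude's):
# (pattern applied to the message, classification text, severity)
RULES = [
    (re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"),
     "Login failure", "medium"),
    (re.compile(r"integrity check failed: (?P<path>\S+)"),
     "File integrity violation", "high"),
]


def parse_syslog(line):
    """Split one syslog line into its fields, or None if it is not well formed."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def match_rules(rec):
    """Return a normalized alert for the first matching rule, else None."""
    for pattern, classification, severity in RULES:
        m = pattern.search(rec["msg"])
        if m:
            return {
                "classification": classification,
                "severity": severity,
                "timestamp": rec["ts"],
                "source_host": rec["host"],
                "program": rec["prog"],
                "fields": m.groupdict(),
            }
    return None


def lml(text):
    """LML-like pass: parse every line, keep only lines that hit a rule."""
    alerts = []
    for line in text.splitlines():
        rec = parse_syslog(line)
        if rec is None:
            continue
        alert = match_rules(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


class Relay:
    """Store-and-forward relay: an alert is written to the local spool before any
    send attempt and is removed only after the upstream acknowledges it, so an
    outage of the link or the central manager delays alerts instead of losing them."""

    def __init__(self, spool_dir, send):
        self.spool_dir = spool_dir
        self.send = send  # callable(alert) -> True on acknowledgement (transport assumed)
        self._seq = 0

    def submit(self, alert):
        self._seq += 1
        path = os.path.join(self.spool_dir, "%08d.json" % self._seq)
        with open(path, "w") as f:
            json.dump(alert, f)
        return self.flush()

    def flush(self):
        """Deliver spooled alerts in order; stop at the first unacknowledged one."""
        delivered = 0
        for name in sorted(os.listdir(self.spool_dir)):
            path = os.path.join(self.spool_dir, name)
            with open(path) as f:
                alert = json.load(f)
            if not self.send(alert):
                break
            os.remove(path)
            delivered += 1
        return delivered

    def pending(self):
        return len(os.listdir(self.spool_dir))


class FlakyUpstream:
    """Stand-in for the central manager: refuses everything while `up` is False."""

    def __init__(self):
        self.up = True
        self.received = []

    def __call__(self, alert):
        if not self.up:
            return False
        self.received.append(alert)
        return True


def demo():
    """Feed the sample log through LML and the relay while the upstream is down,
    then bring it back and confirm nothing was lost and order was preserved."""
    with tempfile.TemporaryDirectory() as spool:
        upstream = FlakyUpstream()
        relay = Relay(spool, upstream)
        alerts = lml(SAMPLE_LOG)
        upstream.up = False
        for alert in alerts:
            relay.submit(alert)
        pending_during_outage = relay.pending()
        upstream.up = True
        relay.flush()
        return {
            "alerts": len(alerts),
            "pending_during_outage": pending_during_outage,
            "delivered": len(upstream.received),
            "pending_after": relay.pending(),
            "in_order": [a["timestamp"] for a in upstream.received] == [a["timestamp"] for a in alerts],
        }


if __name__ == "__main__":
    print(demo())
```

Only the two rule-matching lines become alerts; the cron line is parsed but dropped, which is the normal LML behaviour of forwarding only what a rule classifies. The spool is what the "avoid losing alerts in case of failure" property rests on: the relay never acknowledges to its own caller until the alert is on local disk, and the spool file is only unlinked after the upstream acknowledges, so a crash or link loss between the two steps leaves the alert to be retried rather than dropped.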

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:12 EDT

