Chapter 13. Simple Intrusion Detection Techniques

Last night someone came into my house and replaced everything with an exact duplicate.
    Steven Wright

Comprehensive logging, preferably with automated monitoring and notification, can help keep you abreast of your systems' security status (besides being invaluable in picking up the pieces after a crash or a security incident). But as a security tool, logging only goes so far: it is no more sophisticated than the operating-system processes and applications that write the log messages. Events those processes and applications didn't anticipate may be logged with a generic message or, worse still, not at all. And what if the processes, the applications, or their logs are themselves tampered with?

That's where Intrusion Detection Systems (IDSes) come in. A simple host-based IDS stores checksums of important system files and alerts you when any of those files changes unexpectedly. A network IDS (NIDS) can alert you to a potential attack in progress, based on a database of known attack signatures or on deviations from what the IDS has learned to be your network's normal state. Some of these attacks (especially application-level ones, such as web exploits) can breeze straight through your firewalls, so multiple layers of defense are better than one. In the 2004 CSI/FBI Computer Crime and Security Survey (http://www.gocsi.com/), 98% of the organizations surveyed used a firewall, and 68% used an IDS.

Between simple host-based IDSes and advanced statistical NIDSes, there is far more material than I can do justice to in one chapter: I highly recommend Northcutt's and Amoroso's books (listed in the "Resources" section at the end of this chapter) if you want to learn about this topic in depth. But as it happens, you can achieve a high degree of intrusion detection capability without a lot of effort, using free, well-documented tools such as Tripwire Open Source and Snort.

This chapter describes some basic intrusion detection concepts and how to put them to work without doing a lot of work yourself.
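To make the host-based idea concrete before we get to Tripwire, here is a minimal checksum-based file integrity checker. It is an added example written for this edition, not code from the book or from Tripwire; the file names and contents in demo() are constructed for illustration, and the baseline file path is whatever you pass on the command line. It snapshots SHA-256, size and permission bits of every regular file under a directory, and a later run reports files that were added, removed, or changed, and which attribute changed.

```python
"""Minimal checksum-based host IDS: snapshot a file tree, diff it later.
Added example; the sample tree in demo() is constructed, not real system data."""
import hashlib
import json
import os
import shutil
import stat
import sys
import tempfile

ATTRS = ("sha256", "size", "mode")


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative path) to its checksum, size and mode."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets: hash only file contents
            rel = os.path.relpath(path, root)
            db[rel] = {"sha256": hash_file(path),
                       "size": st.st_size,
                       "mode": stat.S_IMODE(st.st_mode)}
    return db


def save_baseline(db, path):
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Report added and missing files, and for common files which attributes differ."""
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [a for a in ATTRS if baseline[rel][a] != current[rel][a]]
        if changed:
            modified[rel] = changed
    return {"added": added, "missing": missing, "modified": modified}


def demo():
    """Constructed scenario: baseline a fake system tree, tamper with it, re-check."""
    root = tempfile.mkdtemp()

    def write(rel, data, mode=0o644):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        os.chmod(p, mode)

    try:
        write("bin/ls", b"ELF original ls")
        write("etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        write("etc/shadow", b"root:*:0:0:99999:7:::\n", 0o600)
        write("var/log/auth.log", b"sshd: session opened for root\n")
        baseline = snapshot(root)

        # Simulated intrusion: same-size trojaned binary (size alone would miss it),
        # world-readable shadow file, a hidden dropped file, and a deleted log.
        write("bin/ls", b"ELF trojaned ls")
        os.chmod(os.path.join(root, "etc/shadow"), 0o644)
        write("bin/.hidden", b"backdoor")
        os.remove(os.path.join(root, "var/log/auth.log"))

        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # Usage: script.py init ROOT BASELINE.json   or   script.py check ROOT BASELINE.json
    if len(sys.argv) == 4 and sys.argv[1] == "init":
        save_baseline(snapshot(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        print(json.dumps(compare(load_baseline(sys.argv[3]), snapshot(sys.argv[2])), indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

The demo flags bin/ls on its checksum only (the trojaned copy has the same size and mode), etc/shadow on its mode only, bin/.hidden as added and var/log/auth.log as missing. The same caveat applies here as to Tripwire: the baseline file and the checker itself must be kept where an intruder cannot rewrite them (read-only media or another host), and a check run from an already compromised root account can be lied to by the kernel; the tool reduces the window, it does not remove it.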