Thread: Host-based Intrusion Detection Systems (HIDS)

  1. #1

    Host-based Intrusion Detection Systems (HIDS)

    Intrusion detection can be divided into three broad categories: NIDS, HIDS, and vulnerability scans. In this post I will review several options for HIDS and OpenVAS (vulnerability scanner). If you want information on NIDS, see the NIDS sticky.

    Most Windows users are familiar with HIDS. Examples include virus and spyware scanners. HIDS monitor system files and detect unauthorized changes and known threats / malware.

    Many Linux users may feel these tools are of limited utility because:

    1. These tools are notorious for quirks, hiccups, and the sky is falling. As with the boy who cried wolf, excessive warnings and false positives tend to get ignored.

    2. These tools detect only known vulnerabilities and thus do not protect against "zero day exploits". Known vulnerabilities are generally patched rapidly in Linux. Thus many people are of the opinion keeping their systems up to date is sufficient and these tools are superfluous.

    3. The majority of these tools are command line tools with limited, if any, graphical interface (web interfaces are more common). Some people tend to shy away from tools lacking a graphical interface.

    4. Although every OS has potential security holes, many users find Ubuntu is "secure enough" such that additional measures are not warranted. For an overview of this mentality, see this discussion.


    This post is for those who are interested in "learning the ropes" and will review HIDS tools. IMO it is best to try these tools out before you suspect your system is compromised.

    Security is an advanced topic on any OS, requires knowledge of how the OS works, and comes with a steep learning curve (yes, you are expected to read). If you find these tools overwhelming, I suggest you start with the Security Sticky and come back to these tools when you are more comfortable with Linux, the command line, and/or have the time to work through the use of these tools.


    Contents:

    First steps
    OSSEC
    OpenVAS
    Alternatives to OSSEC / OpenVAS
    Tiger
    chkrootkit
    rkhunter
    clamav


    Etiquette: If you are going to run these HIDS/Vulnerability tools, please read the documentation (FAQ / README) and perform a Google search on the results of alerts or warnings before posting on the Ubuntu forums. These tools have esoteric tendencies and support may be limited on the Ubuntu forums. Please see the various home pages / wiki and/or use the application specific forums / mailing lists for support.

    Discussion Thread - The discussion thread is for comments / feedback. Please do not use the discussion thread for support questions; start a support thread in the security forums.
    Last edited by bodhi.zazen; May 9th, 2010 at 07:25 AM.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface
