Intrusion Detection Systems

I'm seriously considering deploying an IDS to my servers but I was wondering what the consensus was for the best option. The only one I really know about is Snort.

Has anyone had much experience with IDS software and if so which package or packages would you recommend? Ideally I'd like something that didn't put too much strain on the server itself but obviously if it is a choice between having a safer system and slightly lower performance I'll go with the lower performance.

18 Replies

IDS is a COMPLETE waste of time.

It's like expecting a windscreen to collect space aliens, you'll spend all your time looking at smashed bugs and rarely if ever find an actual space alien (more likely, you'll just stop looking - after all one smashed bug looks pretty much like the other 57 bazallion that will show up).

Lurk thru a few of the Firewall App forums (Ipcop, PFsense, RouterOS, etc) and see what a major hoot-fest treatment IDS posts get.

Way better to set up a good edge firewall, watch its logs, and set up good log filters on your APPS and see what shows up.

@Cromulent:

I'm seriously considering deploying an IDS to my servers but I was wondering what the consensus was for the best option. The only one I really know about is Snort.

Has anyone had much experience with IDS software and if so which package or packages would you recommend? Ideally I'd like something that didn't put too much strain on the server itself but obviously if it is a choice between having a safer system and slightly lower performance I'll go with the lower performance.

Snort is well respected, but where are you going to use this? On a private network where you can say with confidence what is and is not valid and expected traffic you might get some benefit out of an IDS. If you feed it Internet traffic you will pick up constant Internet background attacks.

If you want to check your Linode hasn't been cracked you might want a filesystem based IDS like tripwire instead.

@zunzun:

my code is so crappy and poorly written that nobody can figure out how to infect it

Ah, the bury the valuables in the septic field method - stinky but effective.

My firewalls are pretty secure (at least I think so). The HTTP servers have all ports blocked except for 443 and 80 and a random port for SSH. SSH passwords are disabled. SSH keys are 8192 bits and root login in via SSH is disabled. SSH connections are only allowed from my home static IP address. All other IP addresses are blocked.

The app servers and database servers have all ports blocked except for the relevant ports and they only allow connections from the HTTP servers (in the case of app servers) or from the app servers (in the case of the database servers). SSH servers on these machines are secured in the same way as mentioned above.

So anything I am missing here?
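The tiered allow-list described above, written out as an nftables ruleset generator (an added example, not the poster's own rules). The admin address 203.0.113.10, the SSH port 48122 and the app/db service ports are placeholders; nothing here comes from the thread. With `policy drop` on `input`, the script also admits ICMP echo and the IPv6 neighbour-discovery types, which the post does not mention but which a drop-by-default host needs if it has an IPv6 address at all.

```shell
#!/bin/sh
# Added example, not from the thread: emit an nftables ruleset for one of
# the three tiers (http, app, db) the post describes. The admin address,
# SSH port and service ports are placeholders; adjust to taste.
set -eu

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # the one static address allowed to SSH (placeholder)
SSH_PORT="${SSH_PORT:-48122}"          # the "random" SSH port (placeholder)

# gen_ruleset ROLE [UPSTREAM]
#   ROLE      http | app | db
#   UPSTREAM  nft set of hosts allowed to reach this tier's service port,
#             e.g. '{ 10.0.0.11, 10.0.0.12 }' (required for app and db)
gen_ruleset() {
    role="$1"
    upstream="${2:-}"
    case "$role" in
        http) svc='tcp dport { 80, 443 } accept' ;;
        app)  [ -n "$upstream" ] || { echo "app tier needs UPSTREAM" >&2; return 1; }
              svc="ip saddr $upstream tcp dport 8080 accept" ;;
        db)   [ -n "$upstream" ] || { echo "db tier needs UPSTREAM" >&2; return 1; }
              svc="ip saddr $upstream tcp dport 3306 accept" ;;
        *)    echo "unknown role: $role" >&2; return 1 ;;
    esac
    cat <<EOF
#!/usr/sbin/nft -f
# tier: $role
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # keep the host pingable and let IPv6 neighbour discovery work
        icmp type echo-request accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # SSH: only from the admin host, only on the non-standard port
        ip saddr $ADMIN_IP tcp dport $SSH_PORT accept
        # the one service this tier exposes
        $svc
        # everything else falls through to the drop policy
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

# usage: ./gen-nft.sh db '{ 10.0.1.5 }' > /etc/nftables.conf && nft -f /etc/nftables.conf
if [ $# -gt 0 ]; then
    gen_ruleset "$@"
fi
```

Two things the generated policy leaves as the post has them: outbound traffic is unrestricted (`output` is `accept`), so a compromised web tier can still reach anything on the Internet, and SSH hangs on a single source address, so a change of home IP means console access only. Test the ruleset with `nft -c -f` before loading it.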

@Cromulent:

I'm seriously considering deploying an IDS to my servers but I was wondering what the consensus was for the best option. The only one I really know about is Snort.

Has anyone had much experience with IDS software and if so which package or packages would you recommend? Ideally I'd like something that didn't put too much strain on the server itself but obviously if it is a choice between having a safer system and slightly lower performance I'll go with the lower performance.

I'm admittedly partial, but give OSSEC a try.

@vonskippy:

IDS is a COMPLETE waste of time.

It's like expecting a windscreen to collect space aliens, you'll spend all your time looking at smashed bugs and rarely if ever find an actual space alien (more likely, you'll just stop looking - after all one smashed bug looks pretty much like the other 57 bazallion that will show up).

Do you mean that the IDSes you have used have been too buggy to be useful? OSSEC is used on tens of thousands of systems daily and while there certainly are bugs, it's pretty stable. I personally know of environments running thousands of agents all reporting to one manager. And it does work.

@vonskippy:

Lurk thru a few of the Firewall App forums (Ipcop, PFsense, RouterOS, etc) and see what a major hoot-fest treatment IDS posts get.

Way better to set up a good edge firewall, watch its logs, and set up good log filters on your APPS and see what shows up.

Firewall logs will not tell you about new users, changed files, rootkits, changed local ports, brute-force attempts against applications and a host of other things. Good luck watching firewall logs in real time. Can you read that fast? Or, you know, you could have OSSEC, which is capable of reading thousands of logs per second, watch for multiple dropped connections from the same IP and have it automatically shun the IP for 10 minutes. Or an hour. Or ten minutes the first time it sees the IP and an hour the next time. It's up to you.
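The "ten minutes the first time, an hour the next" behaviour above, as an OSSEC configuration. This is an added example, not configuration from the thread or from the OSSEC project: the local rule id 100100, the thresholds, the timeouts and the whitelisted address 203.0.113.10 are my choices, and the parent rule id 4100 (OSSEC's generic firewall-drop match) should be checked against the `firewall_rules.xml` shipped with your version. The `firewall-drop` command and the `firewall-drop.sh` script are the ones bundled with OSSEC.

```xml
<!-- file: /var/ossec/rules/local_rules.xml (on the manager) -->
<group name="local,firewall,">
  <!-- Fires when one source address trips the generic firewall-drop rule
       (sid 4100; verify against your installed firewall_rules.xml) about
       ten times inside 60 seconds, then stays quiet for that source for
       120 seconds so the response is not re-triggered on every packet. -->
  <rule id="100100" level="10" frequency="10" timeframe="60" ignore="120">
    <if_matched_sid>4100</if_matched_sid>
    <same_source_ip />
    <description>Local: repeated firewall drops from the same source</description>
    <group>multiple_drops,</group>
  </rule>
</group>

<!-- file: /var/ossec/etc/ossec.conf (manager; the agent that executes the
     response needs the <command> and <active-response> parts as well) -->
<ossec_config>
  <global>
    <!-- Never shun the admin host, even if someone spoofs its address
         at the firewall to get you locked out. Placeholder address. -->
    <white_list>203.0.113.10</white_list>
  </global>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>   <!-- bundled in active-response/bin -->
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>   <!-- block on the host that logged the drops -->
    <rules_id>100100</rules_id>
    <timeout>600</timeout>       <!-- first offence: 10 minutes, in seconds -->
    <!-- Second and third time the same source comes back: 60 and then 120
         minutes (this list is in minutes, unlike <timeout>). It is read by
         the agent executing the response; older releases ignore it. -->
    <repeated_offenders>60,120</repeated_offenders>
  </active-response>
</ossec_config>
```

Because the trigger is the source address of dropped packets, anyone who can spoof a source can make you shun it; the `white_list` keeps the admin host reachable, and `timeout` keeps every other block temporary, which is the reason for shunning for minutes rather than permanently.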

> IDS is a COMPLETE waste of time.

A bad IDS is a waste of time. Likewise, purely signature-based systems can be.

I rate OSSEC (a host-based intrusion detection system (HIDS)) very highly. Can't imagine Linux system admin without it.

Key features for me are:

  • File integrity checking

  • Log file monitoring and analysis (including detections of abnormalities)

  • Email alerts

  • Scriptable active responses.
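The first three features in that list, as an OSSEC host configuration (added example, not configuration from the thread or the OSSEC project): syscheck for file integrity, `localfile` entries for log monitoring, and the `global`/`alerts` settings that turn email on. The mail addresses, the directory list, the log paths and the local rule id 100200 are my choices; rule ids 550 (checksum changed) and 554 (file added) are OSSEC's own syscheck rules, and the rootkit database paths are the defaults OSSEC installs under `/var/ossec/etc/shared`.

```xml
<!-- file: /var/ossec/etc/ossec.conf on the monitored host -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>ops@example.com</email_to>         <!-- placeholder -->
    <email_from>ossec@example.com</email_from>   <!-- placeholder -->
    <smtp_server>127.0.0.1</smtp_server>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>      <!-- everything goes to alerts.log -->
    <email_alert_level>7</email_alert_level>  <!-- only level 7 and up is mailed -->
  </alerts>

  <!-- File integrity checking: realtime on the config and binary trees,
       a full scan every 6 hours, and files that churn legitimately ignored
       so that the alerts that remain are worth reading. -->
  <syscheck>
    <frequency>21600</frequency>
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
    <directories check_all="yes">/boot</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
    <ignore type="sregex">.log$|.swp$</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- Log monitoring: the decoder is chosen by log_format. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
</ossec_config>

<!-- file: /var/ossec/rules/local_rules.xml on the manager: a change to an
     authentication-critical file is mailed regardless of the email level. -->
<group name="local,syscheck,">
  <rule id="100200" level="12">
    <if_sid>550,554</if_sid>
    <match>/etc/passwd|/etc/shadow|/etc/sudoers|/etc/ssh/sshd_config</match>
    <description>Local: authentication-critical file changed</description>
    <options>alert_by_email</options>
  </rule>
</group>
```

Package upgrades rewrite files under `/usr/bin` and `/etc` and will show up as integrity alerts; the `ignore` list and the rule levels are where that noise gets tuned, which is exactly the "one smashed bug looks like the other 57 bazillion" problem if it is left at defaults.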

@redrs:

> IDS is a COMPLETE waste of time.

A bad IDS is a waste of time. Likewise, purely signature-based systems can be.

I rate OSSEC (a host-based intrusion detection system (HIDS)) very highly. Can't imagine Linux system admin without it.

Key features for me are:

  • File integrity checking

  • Log file monitoring and analysis (including detections of abnormalities)

  • Email alerts

  • Scriptable active responses.

agreed.

Be sure to check out the new beta of 2.7.1 and let us know of any bugs.

@vonskippy:

IDS is a COMPLETE waste of time.

It's like expecting a windscreen to collect space aliens, you'll spend all your time looking at smashed bugs and rarely if ever find an actual space alien (more likely, you'll just stop looking - after all one smashed bug looks pretty much like the other 57 bazallion that will show up).

Lurk thru a few of the Firewall App forums (Ipcop, PFsense, RouterOS, etc) and see what a major hoot-fest treatment IDS posts get.

Way better to set up a good edge firewall, watch its logs, and set up good log filters on your APPS and see what shows up.

I assume you mean web apps, like Wordpress and MediaWiki?

@vonskippy:

@zunzun:

my code is so crappy and poorly written that nobody can figure out how to infect it

Ah, the bury the valuables in the septic field method - stinky but effective.

That's true, though crappy code could also contain vulnerabilities. Like if some noob doesn't include `mysql_real_escape_string()`. "My name is DROP_TABLE."

EDIT:

Not that the command would actually have been functional, but after I submitted it I hoped the forum didn't have that vulnerability.

@Inquisitor Sasha:

That's true, though crappy code could also contain vulnerabilities. Like if some noob doesn't include `mysql_real_escape_string()`. "My name is DROP_TABLE."

PDO prepared statements are better; you can't forget that way.
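The three versions of the lookup under discussion, side by side (added example, not code from the thread): the string-spliced query the `DROP TABLE` joke needs, the escaped version that depends on nobody forgetting the escape call, and the PDO prepared statement. The `users` table, the DSN and the credentials are placeholders.

```php
<?php
// Added example, not from the thread. The users table, DSN and
// credentials below are hypothetical.

// Vulnerable: user input becomes part of the SQL text. The name
//   Robert'; DROP TABLE users;--
// closes the quoted string and appends a second statement. Whether that
// second statement runs depends on the driver (the old mysql_query() refused
// multi-statements, which is the only reason the forum joke was harmless);
// a "' OR '1'='1" or a UNION SELECT in the same spot needs no second
// statement and works regardless.
function findUserVulnerable(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Escaping (PDO::quote is the PDO counterpart of mysql_real_escape_string)
// works only if it is applied on every path and only for quoted string
// contexts; an unquoted integer comparison stays injectable.
function findUserEscaped(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = " . $pdo->quote($name);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL is fixed at prepare time and the value is
// bound separately, so there is no escaping step to forget.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Emulated prepares off: the server binds the value instead of PDO splicing
// a quoted copy into the query text on the client side.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

$attacker = "Robert'; DROP TABLE users;--";
// The prepared version looks for a user literally named that and finds none.
var_dump(findUserSafe($pdo, $attacker));
```

The defensive point of the prepared form is that the query shape cannot change at runtime; `ATTR_EMULATE_PREPARES => false` is the setting to check, since with emulation on PDO builds the final SQL string client-side and the protection rests on its own quoting code rather than on the server.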

@zunzun:

@Inquisitor Sasha:

…crappy code could also contain vulnerabilities.

I did not expect this reply - but then, of course, "No one expects the Sasha Inquisition!"

James

It's one of the reasons I'm sometimes afraid of my own code. That's also a line I sometimes see. Too much of the Inquisition in 40k. Heresy, heresy everywhere. Misunderstanding of what heresy is, misunderstanding of what heresy is everywhere.

mstarks01: I usually use the Beta installs ;)

I've been very pleased with OSSEC. It has a single pain point on my frequently updated Gentoo servers but I can live with it and have been happy with everything else in OSSEC.
