In this lesson, I will talk about Host Intrusion Detection Systems and Host Intrusion Prevention Systems. Host Intrusion Detection Systems should be used to monitor your overall system architecture. The reason we do this is that we can't look at the entire network all the time, and the network does not show us everything that is going on. For example, if somebody logs in to a computer, tries a local password five different times and gets locked out of the computer, that is something a network intrusion prevention system is not going to tell us. That is only going to be a function of a Host Intrusion Detection or a Host Intrusion Prevention system. So Host Intrusion Detection, or HIDS, monitors hosts. We have a problem if we start jumping from system to system. Network Intrusion Prevention Systems are great at what they do, but they can't look internally.

Host Intrusion Detection systems serve several different purposes. They monitor files or directories, they monitor system activity, they monitor system logs, and they report on patterns that they may see as malicious. Now, not all software is going to do all of that, so let's talk about two of these specifically.

The first one is AIDE. AIDE stands for Advanced Intrusion Detection Engine, and it is used for integrity checking. It's only used for integrity checking. So when a help desk or a lab is built and we have what we call a Gold Image, meaning the standard image that we're going to deploy, AIDE makes a hash database of all the files and all the processes on that system. To see if any of the main system files have been compromised, we may run AIDE manually and check the gold image against the image that's running. The problem with that is that it's a very manual process; it's not a scheduled task.
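To make the gold-image idea concrete, here is an added example in the style of AIDE (it is not AIDE's own code): it builds a hash database of every regular file under the monitored directories, stores that database outside the tree it describes, and later reports which files were added, removed or changed. The sample tree, file names and contents are constructed for the demo, and the directory list is an assumption; on a real host you would point it at the system directories you care about.

```python
"""Gold-image integrity check in the style of AIDE.

Added example, not AIDE's own code: it builds a hash database of every regular
file under the monitored directories, stores it outside the monitored tree,
and later reports files that were added, removed or changed. The sample tree,
file names and contents below are constructed for the demo.
"""
import hashlib
import json
import os
import stat
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(roots):
    """Walk each monitored root and record hash, size and permission bits per file."""
    db = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                st = os.lstat(full)
                if not stat.S_ISREG(st.st_mode):
                    continue  # symlinks, sockets and devices are not hashed here
                db[full] = {
                    "sha256": sha256_file(full),
                    "size": st.st_size,
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                }
    return db


def save_baseline(db, path):
    with open(path, "w") as fh:
        json.dump(db, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Return the paths that differ between a stored baseline and a fresh scan."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "changed": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo():
    """Build a constructed gold image, drift it, and report the differences."""
    image = tempfile.mkdtemp(prefix="gold-image-")
    etc = os.path.join(image, "etc")
    os.makedirs(etc)
    with open(os.path.join(etc, "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    with open(os.path.join(etc, "hosts"), "w") as fh:
        fh.write("127.0.0.1 localhost\n")

    # The database lives outside the tree it describes, so a change to the
    # monitored files cannot silently rewrite the reference hashes.
    db_path = os.path.join(tempfile.mkdtemp(prefix="aide-db-"), "baseline.json")
    save_baseline(build_baseline([image]), db_path)

    # Simulated drift: one file edited, one deleted, one new file dropped in.
    with open(os.path.join(etc, "passwd"), "a") as fh:
        fh.write("svc:x:1001:1001::/var/empty:/sbin/nologin\n")
    os.remove(os.path.join(etc, "hosts"))
    with open(os.path.join(etc, "new.conf"), "w") as fh:
        fh.write("setting=1\n")

    report = compare(load_baseline(db_path), build_baseline([image]))
    # Report paths relative to the image root so the output is stable.
    return {k: [os.path.relpath(p, image) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

The check compares hash, size and permission bits, so a file whose content is unchanged but whose mode was loosened still shows up as changed. Keeping the database off the monitored tree (and, in practice, read-only or on separate media) is what makes the comparison trustworthy.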
I guess you can make it a scheduled task, but it would be more trouble than it's worth, because there are other tools out there such as OSSEC. OSSEC stands for Open-Source Intrusion Detection System. Actually, it doesn't stand for that. The second one is OSSEC. OSSEC is used for many different systems, not just Linux, which is what AIDE is designed for. OSSEC can be put on Windows, it can be put on Mac, and it can be put on Linux. It's a very powerful Host Intrusion Detection System that runs on Linux, but like I said you can use it on other systems, and that's what we do here at the university. Logs from OSSEC are hashed so they cannot be tampered with. This is important because attackers generally modify log files to make sure that they cover their tracks.

OSSEC has four basic components. File Integrity Checking: AIDE only runs on a manual basis; OSSEC does it every few hours. Log Monitoring: OSSEC can report the logs to a central server, which we'll look at here in a second. Rootkit Detection: OSSEC agents check for rootkits on a system every two hours. That's something that AIDE cannot do. And then Active Response: responses are configurable. Let's say that you logged in, or tried to log in, with a local password five different times. It could lock you out even though you may not have a policy on your Windows domain to do that.

There are some advantages and some disadvantages of using Host Intrusion Detection. The first advantage is that Host Intrusion Detection is a simple way of ensuring integrity remains intact, and it looks at the system as a whole. It's relatively easy administration, and it meets compliance standards for some industries, such as payment card industry systems. We use this extensively in our PCI network here at the University. Some disadvantages of using Host Intrusion Detection: installation and setup can be very cumbersome in the beginning, but once it's done it just runs.
Files are changed frequently, so you get a huge amount of alerts. Let's say that System32 in Windows is changed because of an update that Microsoft puts out. That will alert OSSEC that something is happening. Now, you can configure OSSEC, and some of the other ones like Tripwire, which is another HIDS piece of software but a commercial version, to only look at certain directories if you want to. But it is very chatty. We may only have OSSEC on 30 different systems, but I get several hundred emails a day from the system about what's going on with the overall PCI network, which is a good thing if we're looking at security.

Let's go to Splunk here and let's look at OSSEC. I just happened to type in OSSEC NOT host=potemkin, because that's one of our other servers that has OSSEC on it, and I'm looking for anything that has the word password in it. So it's going through; let's pick on one here, okay? Let's pick on this one right here. On July 21st, which was two days ago on Friday, it says Alert Level 2: Rule: 1002 fired, Unknown problem somewhere in the system, okay? It looks at /var/log/secure, and it says it looks like there was a PAM module error, wrong password, which is a good thing to understand. Here's another one. This is one of our older systems for our bookstore, and it's actually being decommissioned. There was an alert level five; the higher the rule level, the worse the damage could be. Here's the rule number, and it says Windows error event, location, no domain, user password change required. So it's going to give you a lot more information from the system than just looking at certain logs.

In conclusion, Host Intrusion Detection Systems should be used to ensure that your hosts are in good security status. OSSEC is a great piece of software because it is open source and it's easy to manage.
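The two things the lesson keeps coming back to, the log-monitoring component with its alert levels and rule numbers, and the active-response component that reacts after five wrong passwords, can be shown in one small script. This is an added example, not OSSEC's own code: it parses constructed alert text that is only loosely modelled on the OSSEC alerts.log layout (the exact header layout is an assumption), keeps the alerts at or above a chosen level so the "several hundred emails a day" can be cut down, and flags any host/source pair that produced five rule 1002 wrong-password alerts inside a ten-minute window. Rule 1002, level 2 and /var/log/secure come from the lesson; the host names, IPs, the rule id 100001 for the Windows event (chosen in OSSEC's user-defined rule range) and the Windows location are constructed.

```python
"""OSSEC-style alert triage and a threshold-based active-response decision.

Added example, not OSSEC's own code. The alert text is constructed and only
loosely modelled on the OSSEC alerts.log layout; the header layout, host
names, IPs and rule ids other than 1002 are assumptions.
"""
import re
from collections import defaultdict, deque

HEADER = re.compile(r"^\*\* Alert (?P<ts>\d+)\.\d+: - (?P<groups>.*),$")
ORIGIN = re.compile(r"^.* \((?P<host>[^)]+)\) (?P<src>\S+)->(?P<location>.+)$")
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text):
    """Split alert text into blank-line separated blocks and pull out the fields."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        h, o, r = HEADER.match(lines[0]), ORIGIN.match(lines[1]), RULE.match(lines[2])
        if not (h and o and r):
            continue  # skip a malformed block instead of aborting the whole run
        alerts.append({
            "ts": int(h["ts"]),
            "groups": h["groups"].strip(",").split(","),
            "host": o["host"],
            "src": o["src"],
            "location": o["location"],
            "rule": int(r["rule"]),
            "level": int(r["level"]),
            "description": r["desc"],
            "log": "\n".join(lines[3:]),
        })
    return alerts


def triage(alerts, min_level):
    """Keep only alerts at or above min_level; higher level means worse damage."""
    return [a for a in alerts if a["level"] >= min_level]


def active_response(alerts, rule_id=1002, threshold=5, window=600):
    """Flag (host, src) pairs that hit `threshold` matching alerts within `window` seconds."""
    recent = defaultdict(deque)
    flagged = []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        if a["rule"] != rule_id:
            continue
        key = (a["host"], a["src"])
        q = recent[key]
        q.append(a["ts"])
        while q and a["ts"] - q[0] > window:
            q.popleft()  # sliding window: forget attempts older than `window`
        if len(q) >= threshold and key not in flagged:
            flagged.append(key)
    return flagged


def _alert(ts, host, src, location, rule, level, desc, log):
    """Build one constructed alert block in the assumed layout."""
    return (f"** Alert {ts}.{ts % 1000}: - syslog,errors,\n"
            f"2017 Jul 21 09:12:01 ({host}) {src}->{location}\n"
            f"Rule: {rule} (level {level}) -> '{desc}'\n"
            f"{log}")


def demo():
    """Five wrong passwords from one source, two from another, one Windows event."""
    t0 = 1500624721
    pam = "pam_unix(sshd:auth): authentication failure; user=bob"
    parts = [_alert(t0 + 60 * i, "web01", "10.0.0.5", "/var/log/secure", 1002, 2,
                    "Unknown problem somewhere in the system.",
                    f"Jul 21 09:{12 + i}:01 web01 sshd[2101]: {pam}") for i in range(5)]
    parts += [_alert(t0 + 30 * i, "web02", "10.0.0.7", "/var/log/secure", 1002, 2,
                     "Unknown problem somewhere in the system.",
                     f"Jul 21 09:12:{31 * i:02d} web02 sshd[3300]: {pam}") for i in range(2)]
    parts.append(_alert(t0 + 400, "bookstore01", "10.0.0.9", "WinEvtLog", 100001, 5,
                        "Windows error event: user password change required.",
                        "WinEvtLog: Security: no domain: password change required"))
    alerts = parse_alerts("\n\n".join(parts))
    return {
        "total": len(alerts),
        "level5_hosts": [a["host"] for a in triage(alerts, 5)],
        "flagged": active_response(alerts),
    }


if __name__ == "__main__":
    print(demo())
```

Raising `min_level` is the cheap way to tame the email volume without narrowing what the agents watch; the sliding window in `active_response` is what turns individual level-2 wrong-password alerts into one actionable decision, which is the kind of rule you would hand to the active-response component rather than a person.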