Application and Host IDS Tools

Many of you probably have some sort of intrusion detection system (IDS) in use on your network. Most tools of this sort operate either at the network border to monitor incoming traffic or on the internal network to monitor internal traffic.

Recently I learned about two IDS tools that are a little bit different from a typical IDS. One runs inside an application, and the other is a host IDS that runs on servers or workstations.

The first tool is called Firekeeper. It's an extension for Firefox that works similarly to Snort in that it uses a configurable set of rules to detect suspicious activity. Firekeeper is a relatively new tool and doesn't have the huge set of rules available that Snort does. Nevertheless, the base set of rules is a good starting point, and you can write your own rules with relative ease, especially if you're familiar with Snort.

Because Firekeeper runs inside Firefox, naturally it's meant to detect intrusion attempts that would originate from Web content. The base set of rules detects suspicious JavaScript activity; abnormal behavior of Real Networks' RealPlayer, Microsoft Windows Media Player, and Nullsoft's Winamp controls; attempts to access email clients via file extension types; and more. Another benefit is that Firekeeper can inspect Secure Sockets Layer (SSL) traffic after it's decrypted by the browser, which a border IDS system might not be able to do.

Overall, Firekeeper is a pretty good idea. If I understand correctly, the project was started by Jan Wrobel as part of Google's Summer of Code 2006. Since that time, it's come along nicely. You can check it out at the Web site (click the link below), where a link to a mailing list is also available.

The second tool I learned about is OSSEC Host IDS (HIDS). OSSEC HIDS has two basic parts: the central server and the host monitors. The main server collects information from the host monitors, and the host monitors perform a variety of tasks. They can detect known rootkits and maintain file system integrity by keeping tabs on important system files.

Another useful aspect is that OSSEC HIDS can monitor a variety of different logs, such as those generated by Apache, Squid, Snort, nmap, Windows, Microsoft IIS, Cisco VPN concentrators, and Cisco PIX firewalls. As you might expect, it can also deliver alerts to administrators via email messages or log entries, and it can actively respond to detected events based on your configuration settings.

I installed OSSEC HIDS on a few systems and found that it's very easy to configure. Setting up the main server took about 20 minutes including reading the manual as I went along. Setting up the tool on the hosts was easier, but it did take a bit longer because the host settings vary depending on what's being monitored on the hosts.

OSSEC HIDS is an open source tool and has been tested on OpenBSD, FreeBSD, Mac OS X, Slackware Linux, Debian GNU/Linux, SUSE Linux, Ubuntu, Red Hat Enterprise Linux, Fedora Core, Solaris, and AIX, as well as Windows XP and Windows 2000. You can check it out at the OSSEC Web site, where you'll find the manual along with other resources such as a wiki and an associated mailing list.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.