Host Intrusion Detection like a Boss
2 likes645 views
The document presents a presentation by André Lima on the Samhain software, covering its features like file integrity checking, log file monitoring, and rootkit detection. It discusses stealth mode functionalities that enhance security by obfuscating configuration and monitoring settings. The agenda includes installation details, a demo, precautions, and suggestions for effective monitoring practices.
Host Intrusion Detection like a Boss
- 1. C:> telnet Host.Intrusion.Detection...like.a.boss HELO Confraria de Segurança de Informação PRESENTATION FROM: André Lima RCPT TO: Confraria@Forum.Picoas WHEN 26 Nov 2014 DATA Boa noite a todos! . QUIT by André Lima, Associate CISSP / ISO27001 / CCNA Security @0x4ndr3 al@integrity.pt https://www.linkedin.com/in/aflima
- 2. $whois andrelima • Consultant at Integrity S.A. • Associate Certified Information Systems Security Professional (CISSP) • ISO 27001 LA • CCNA Security • CCNP Route • Engenharia Informática @ ISEL 0x4ndr3 al@integrity.pt https://www.linkedin.com/in/aflima
- 3. $cat agenda.txt • Context • Intro to Samhain • Stealth – how it works • Stealth – installation details • Demo • Precautions • Conclusions • References • Questions
- 4. $patch -p1 < ../backdoor.c • Writing files – Patching – Adding backdoor user – Crontab – Altering logs – Rootkits – Backdoor service – Trojaned binaries ... Limits? your imagination!
- 5. But also... • Multi-admins environment
- 6. $samhain -h • Open-source multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows) • Supports client-server model: configuration + database files • Provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, and detection of rogue SUID executables, etc http://www.la-samhna.de/samhain/
- 7. • File signatures $samhain -h – Inode + timestamps + owner and group permissions + number of hardlinks + etc • File system SUID/GUID Binaries • Detecting kernel rootkits • Checking for open ports • Log file validation • User ID (Linux Audit Daemon) • ... • Stealth mode!
- 8. $samhain –h | grep ‘Stealth Mode’ • What does it mean? – obfuscating strings on binaries + logfile + database (XML DB) – configuration can be steganographically hidden in a postscript image file – renaming the HIDS binary (and auxiliary applications) – Not enabled by default but advised: delete man pages folder!
- 9. $samhain –h | grep ‘Stealth Mode’
- 10. $samhain –h | grep “Stealth Mode”
- 11. $samhain –h | grep “Stealth Mode”
- 12. env X='() { :; }; echo "VULNERABLE DEMO"' bash -c id
- 14. echo $Precautions Document the stealth name!
- 15. echo $Precautions $ history -c
- 19. echo $Conclusions • Be organized – Know your assets • What users are supposed to be on a specific server • What ports must be on • What files (config / executables) must not be altered – Document your stealth configurations • Be very specific about what you’re monitoring (minimize false positives)
- 20. echo $references • Samhain documentation – http://www.la-samhna.de/samhain/s_documentation.html
- 21. $read Questions