OPEN SOURCE INTRUSION DETECTION TOOLS: A Beginner’s Guide
www.alienvault.com
Open Source IDS Basics

If you aren’t already running a network IDS, you should be. There are two types of network IDS: signature detection and anomaly detection.

A signature-based IDS has rules or patterns describing known malicious traffic that it looks for. Once a match to a signature is found it generates an alert. These alerts can turn up issues such as malware, scanning activity, attacks against servers and much more.

With an anomaly-based IDS, the payload of the traffic is far less important than the activity that generated it. An anomaly-based IDS relies on baselines rather than signatures. It looks for activity that deviates from the statistical averages of previous activity, or for activity that has never been seen before. Perhaps a server is sending out more HTTP traffic than usual, or a new host has appeared inside your DMZ.

Both are typically deployed in the same manner (a passive sensor fed by a tap or SPAN port), though anomaly detection does not strictly need full packets: people have built anomaly-based IDS on externally collected NetFlow data or similar traffic summaries.

Looking for attacks isn’t the only use case for IDS; you can also use it to find violations of network policy. An IDS will tell you an employee was using Gtalk, uploading to Box, or spending all their time watching Hulu instead of working.

Whether you need to monitor hosts or the networks connecting them to identify the latest threats, there are some great open source intrusion detection (IDS) tools available to you.
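To make the two detection styles concrete, here is an added example (not code from the guide or from any of the tools it covers) that runs both over the same constructed traffic. The signatures use a literal "content" match and a "pcre" regex, mirroring the Snort/Suricata keywords of those names; the SIDs, packets and per-host byte counts are all made up for the illustration.

```python
"""Signature-based and anomaly-based detection applied to the same constructed traffic."""
import re
import statistics

# Constructed packets: (src, dst, dst_port, payload). Not from a real capture.
PACKETS = [
    ("10.0.0.5", "203.0.113.9", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("10.0.0.5", "203.0.113.9", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n\r\n"),
    ("10.0.0.7", "203.0.113.9", 80, b"GET /login HTTP/1.1\r\nUser-Agent: sqlmap/1.0\r\n\r\n"),
    ("10.0.0.5", "203.0.113.9", 443, b"\x16\x03\x01\x00\x05hello"),
]

# Minimal Snort-style signatures: a fixed "content" match and/or a "pcre" regex, like the
# keywords of the same name in Snort and Suricata rules (hypothetical SIDs).
SIGNATURES = [
    {"sid": 1000001, "msg": "Directory traversal attempt", "content": b"/../", "pcre": None},
    {"sid": 1000002, "msg": "sqlmap scanner User-Agent", "content": b"User-Agent: sqlmap", "pcre": None},
    {"sid": 1000003, "msg": "Shell command in URI", "content": None, "pcre": rb";\s*(cat|wget|curl)\s"},
]

def signature_alerts(packets, signatures):
    """Return (sid, msg, src) for every packet whose payload matches a signature."""
    alerts = []
    for src, _dst, _port, payload in packets:
        for sig in signatures:
            if sig["content"] is not None and sig["content"] not in payload:
                continue  # cheap literal pre-filter first, as the real engines do
            if sig["pcre"] is not None and not re.search(sig["pcre"], payload):
                continue
            alerts.append((sig["sid"], sig["msg"], src))
    return alerts

# Constructed baseline: bytes each host sent per day over the previous week, then today.
HISTORY = {
    "10.0.0.5": [120_000, 131_000, 118_000, 125_000, 129_000, 122_000, 127_000],
    "10.0.0.7": [40_000, 42_000, 39_000, 41_000, 43_000, 40_500, 41_500],
}
TODAY = {"10.0.0.5": 126_000, "10.0.0.7": 310_000, "10.0.0.99": 5_000}

def anomaly_alerts(history, today, z_threshold=3.0):
    """Flag hosts whose egress deviates from their own baseline, and hosts never seen before."""
    alerts = []
    for host, sent in today.items():
        past = history.get(host)
        if not past:
            alerts.append((host, "new host, no baseline"))
            continue
        mean = statistics.mean(past)
        stdev = statistics.pstdev(past) or 1.0  # flat baseline: avoid division by zero
        z = (sent - mean) / stdev
        if z > z_threshold:
            alerts.append((host, f"sent {sent} bytes, {z:.1f} sigma above mean {mean:.0f}"))
    return alerts

if __name__ == "__main__":
    for a in signature_alerts(PACKETS, SIGNATURES):
        print("signature:", a)
    for a in anomaly_alerts(HISTORY, TODAY):
        print("anomaly:  ", a)
```

Note what each side misses: the signature engine says nothing about 10.0.0.7 sending seven times its usual volume, and the baseline engine says nothing about the traversal attempt from 10.0.0.5, whose byte count looks perfectly normal. That is why the guide treats the two as complementary rather than as alternatives.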
Snort

Ah, the venerable piggy that loves packets. I’m sure everyone remembers 1998 as the year a version of Windows came out, but it was also the year that Martin Roesch first released Snort. Though it wasn’t a true IDS back then, its destiny had been written. Since then it has become the de-facto standard for IDS and eventually IPS (thanks to community effort!). It’s important to note that Snort has no real GUI or easy-to-use administrative console. Lots of other open source tools have been created to help out, notably Snorby and others like BASE and Sguil. Some of the advantages of Snort:

• Long product life with no signs of going away
• Great community support
• Plenty of administrative front-ends
• Thoroughly proven and tested

You can find Snort inside AlienVault Unified Security Management™ (USM), not just used as a tool but fully integrated, from signature updates to packet match display.
Suricata

What’s the only reason for not running the open source IDS Snort? If you’re using Suricata instead. Though Suricata’s architecture is different from Snort’s, it behaves the same way and can use the same signatures (it reads the Snort rule language, with only a few keyword differences). What’s great about Suricata is what else it’s capable of over Snort. Let’s run down a few examples:

• Multi-threaded - Snort 2.x runs a single packet-processing thread, meaning one Snort process can only use one CPU core at a time (Snort 3 later added multi-threading). Suricata runs many threads, so it can take advantage of all the cores you have available. There has been much contention over whether this is advantageous: Snort says no and a few benchmarks say yes.
• Built-in hardware acceleration - Did you know you can use graphics cards (via CUDA) to inspect network traffic?
• File extraction - Someone downloading malware? You can capture the file right from Suricata and study it.
• LuaJIT - It’s a lot of letters, yes, but it’s also a scripting engine that can be used with information from the packets inspected by Suricata. This makes complex matching easier, and you can gain efficiency by combining multiple rules into one script.
• Logging more than packets - Suricata can grab and log things like TLS/SSL certificates, HTTP requests and DNS requests; its EVE output writes each of these as one JSON object per line.
• So much more...

With so many features and capabilities it’s no wonder it’s now the default network IDS inside AlienVault USM.
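The "logging more than packets" point is where Suricata starts paying for itself, because the protocol metadata can be acted on without any signature at all. The following is an added example, not part of the guide or of Suricata itself: a small consumer of EVE JSON lines that flags a DNS query for a watchlisted name, a self-signed TLS certificate, and an HTTP POST with a stale User-Agent to a bare IP. The log lines are constructed; their field names follow the eve.json layout (event_type, src_ip, dest_ip, flow_id and a per-protocol sub-object) as I know it, and the watchlist and User-Agent list are placeholders for a real feed.

```python
"""Consume Suricata EVE JSON (one JSON object per line) and act on the protocol metadata it logs."""
import ipaddress
import json
from collections import Counter

# Constructed EVE lines for illustration (not a real capture). One deliberately broken line
# is included because a consumer must survive truncated or partial writes.
EVE_LINES = """\
{"timestamp":"2014-05-01T10:00:00.000000+0000","flow_id":1,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","rrname":"update.example.test","rrtype":"A"}}
{"timestamp":"2014-05-01T10:00:01.000000+0000","flow_id":2,"event_type":"dns","src_ip":"10.0.0.7","dest_ip":"10.0.0.53","dns":{"type":"query","rrname":"c2.badactor.test","rrtype":"A"}}
{"timestamp":"2014-05-01T10:00:02.000000+0000","flow_id":3,"event_type":"tls","src_ip":"10.0.0.7","dest_ip":"198.51.100.10","tls":{"subject":"CN=c2.badactor.test","issuerdn":"CN=c2.badactor.test","fingerprint":"aa:bb:cc","sni":"c2.badactor.test"}}
{"timestamp":"2014-05-01T10:00:03.000000+0000","flow_id":4,"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","tls":{"subject":"CN=www.example.test","issuerdn":"CN=Example CA","fingerprint":"dd:ee:ff","sni":"www.example.test"}}
{"timestamp":"2014-05-01T10:00:04.000000+0000","flow_id":5,"event_type":"http","src_ip":"10.0.0.7","dest_ip":"198.51.100.10","http":{"hostname":"198.51.100.10","url":"/gate.php","http_method":"POST","http_user_agent":"Mozilla/4.0"}}
{"timestamp":"2014-05-01T10:00:05.000000+0000","flow_id":6,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","http":{"hostname":"www.example.test","url":"/index.html","http_method":"GET","http_user_agent":"Mozilla/5.0"}}
this line is not JSON and must be skipped
"""

# Constructed watchlists standing in for a reputation feed.
DNS_WATCHLIST = {"c2.badactor.test"}
SUSPICIOUS_UA = {"Mozilla/4.0"}  # an obsolete UA string still used by some malware families

def parse_eve(text):
    """Yield one dict per line; silently skip blank lines and lines that are not valid JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def findings_from_eve(text):
    """Return (src_ip, reason) tuples derived from DNS, TLS and HTTP metadata."""
    out = []
    for ev in parse_eve(text):
        kind, src = ev.get("event_type"), ev.get("src_ip")
        if kind == "dns":
            d = ev["dns"]
            if d.get("type") == "query" and d.get("rrname") in DNS_WATCHLIST:
                out.append((src, f"DNS query for watchlisted name {d['rrname']}"))
        elif kind == "tls":
            t = ev["tls"]
            if t.get("subject") and t.get("subject") == t.get("issuerdn"):
                out.append((src, f"self-signed certificate for {t.get('sni')} ({t.get('fingerprint')})"))
        elif kind == "http":
            h = ev["http"]
            if h.get("http_user_agent") in SUSPICIOUS_UA:
                out.append((src, f"stale User-Agent {h['http_user_agent']} to {h.get('hostname')}{h.get('url')}"))
            if h.get("http_method") == "POST" and is_ip_literal(h.get("hostname", "")):
                out.append((src, f"POST to bare IP {h['hostname']}{h.get('url')}"))
    return out

def score_hosts(findings):
    """Count weak signals per source host; several weak signals on one host are worth a look."""
    return Counter(src for src, _ in findings)

if __name__ == "__main__":
    hits = findings_from_eve(EVE_LINES)
    for src, reason in hits:
        print(src, reason)
    print(score_hosts(hits))
```

None of the four findings is conclusive on its own, but all four land on 10.0.0.7, which is the point of feeding this metadata into a SIEM rather than reading alerts one at a time.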
Bro

The open source IDS tool Bro (sometimes referred to as Bro-IDS, and renamed Zeek in 2018) is a bit different from Snort and Suricata. In a way, Bro is both a signature- and an anomaly-based IDS. Its analysis engine converts captured traffic into a series of events. An event could be a user logon to FTP, a connection to a website or practically anything. The power of the system is what comes after the event engine: the policy script interpreter. This policy engine has its own language (Bro script) and it can do some very powerful and versatile tasks.

If you’re an analyst and you’ve wondered “How can I automate some of my work?” then this is the tool you’ve been looking for. Want to download files seen on the wire, submit them for malware analysis, notify you if a problem is found, then blacklist the source and shut down the computer of the user who downloaded it? Want to track the usage patterns of a user after they’ve contacted an IP from a reputation database?

If you’re not an analyst then this tool will have a challenging learning curve. Since it was developed as a research tool it didn’t initially focus on things like GUIs, usability, and ease of installation. While it does many cool things out of the box, many of those things aren’t immediately actionable and may be difficult to interpret. Summary:

• Complicated to set up
• Can detect patterns of activity other IDS systems cannot
• Very extensible architecture
• Starting to gain a larger community following
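The "track a user after they contact a listed IP" question above is really a question about keeping state across events, which is what a Bro policy script does and a per-packet signature cannot. This added example (not Bro script, and not code from the guide) reproduces that logic in Python over a constructed connection log: a host that talks to a listed IP is tracked for a window, its follow-up connections are recorded, and a notice is raised if one of them is to an internal host on a lateral-movement port. The reputation set, window and port list are assumptions for the illustration.

```python
"""Stateful correlation in the style of a Bro (Zeek) policy script, written in Python."""
import ipaddress
from collections import defaultdict

# Constructed connection events (ts seconds, src, dst, dst_port, service); not a real conn log.
EVENTS = [
    (1000.0, "10.0.0.5", "203.0.113.9", 80, "http"),
    (1005.0, "10.0.0.7", "198.51.100.10", 443, "ssl"),   # 10.0.0.7 contacts a listed IP
    (1010.0, "10.0.0.7", "10.0.0.53", 53, "dns"),
    (1020.0, "10.0.0.5", "10.0.0.53", 53, "dns"),
    (1300.0, "10.0.0.7", "10.0.0.44", 445, "smb"),        # internal SMB after the contact
    (1900.0, "10.0.0.7", "203.0.113.9", 80, "http"),      # outside the tracking window
]
REPUTATION = {"198.51.100.10"}     # constructed stand-in for a reputation feed
TRACK_WINDOW = 600.0               # seconds to keep watching a host after a listed contact
LATERAL_PORTS = {22, 445, 3389}

def correlate(events, reputation, window=TRACK_WINDOW):
    """Return {host: {"first_contact": ts, "followups": [(ts, dst, port, service), ...]}}."""
    tainted = {}  # host -> ts of the contact that started tracking (an expiring Bro table)
    report = defaultdict(lambda: {"first_contact": None, "followups": []})
    for ts, src, dst, port, svc in sorted(events):
        if src in tainted and ts - tainted[src] > window:
            del tainted[src]                     # expire the entry
        if dst in reputation:
            if src not in tainted:
                tainted[src] = ts
                report[src]["first_contact"] = ts
            continue
        if src in tainted:
            report[src]["followups"].append((ts, dst, port, svc))
    return dict(report)

def notices(report):
    """Raise a notice when a tracked host then talks to an internal host on a lateral-movement port."""
    out = []
    for host, r in report.items():
        for ts, dst, port, svc in r["followups"]:
            if port in LATERAL_PORTS and ipaddress.ip_address(dst).is_private:
                out.append((host, f"{svc} to internal {dst}:{port} "
                                  f"{ts - r['first_contact']:.0f}s after contacting a listed IP"))
    return out

if __name__ == "__main__":
    rep = correlate(EVENTS, REPUTATION)
    print(rep)
    for n in notices(rep):
        print("NOTICE:", n)
```

The connection at t=1900 is not recorded because the window has expired; without an expiry the table grows without bound on a busy sensor, which is exactly the failure the expiring-table attributes in Bro script exist to prevent.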
Kismet

Just as Snort became the standard for network intrusion detection, Kismet is the baseline for wireless IDS. A wireless IDS deals less with packet payloads and more with strange things happening inside the wireless protocols (mostly 802.11) and their management functions. A WIDS will find unauthorized access points (rogue AP detection), perhaps one created accidentally by an employee (yes, I’ve seen that) that opens a network up. Perhaps someone has stood up an AP with the same name (SSID) as your corporate network to perform MITM attacks, the so-called evil twin? Kismet will find all of these. Kismet runs on a variety of platforms, even Android. Besides IDS, Kismet can also be used for more utilitarian things like wireless site surveys or fun activities like wardriving.
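The three cases above (an unknown BSSID advertising your SSID, an open AP with your SSID, and hardware from your own AP vendor that is not in the inventory) all reduce to comparing what is seen in the air against what is authorized. This added example, which is not Kismet code or code from the guide, applies that comparison to constructed beacon observations; the authorized inventory and vendor OUI prefix are assumptions for the illustration.

```python
"""Rogue and evil-twin access point detection from 802.11 beacon observations."""

# Constructed beacon observations: (bssid, ssid, channel, security). Not a real Kismet capture.
BEACONS = [
    ("00:11:22:aa:bb:01", "CorpNet", 6, "WPA2"),
    ("00:11:22:aa:bb:02", "CorpNet", 11, "WPA2"),
    ("00:11:22:aa:bb:01", "CorpNet", 6, "WPA2"),        # repeated beacon, must not double-report
    ("de:ad:be:ef:00:01", "CorpNet", 6, "WPA2"),        # unknown BSSID, corporate SSID (evil twin)
    ("00:11:22:cc:dd:ee", "CorpNet-setup", 1, "OPEN"),  # our AP vendor's OUI, open, not in inventory
    ("c0:ff:ee:00:00:01", "Neighbour-5G", 36, "WPA2"),
]
AUTHORIZED = {"CorpNet": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}}   # assumed AP inventory
CORP_OUIS = {"00:11:22"}   # assumed: MAC prefix of the AP hardware the organization deploys

def oui(bssid):
    """First three octets of a MAC, which identify the hardware vendor."""
    return bssid.lower()[:8]

def classify(beacons, authorized, corp_ouis):
    """Return (severity, bssid, ssid, reason), at most once per distinct (bssid, ssid)."""
    seen = set()
    findings = []
    for bssid, ssid, ch, sec in beacons:
        key = (bssid.lower(), ssid)
        if key in seen:
            continue
        seen.add(key)
        known = authorized.get(ssid)
        if known is not None and bssid.lower() not in {b.lower() for b in known}:
            kind = "open evil twin" if sec == "OPEN" else "evil twin"
            findings.append(("alert", bssid, ssid,
                             f"{kind}: unauthorized BSSID advertising our SSID on channel {ch}"))
        elif known is None and oui(bssid) in corp_ouis:
            findings.append(("alert", bssid, ssid,
                             f"possible rogue AP: our vendor's OUI, not in inventory, security {sec}"))
        elif known is None:
            findings.append(("info", bssid, ssid, f"foreign network on channel {ch}"))
    return findings

if __name__ == "__main__":
    for f in classify(BEACONS, AUTHORIZED, CORP_OUIS):
        print(f)
```

The vendor-OUI check is the weak one: it catches the employee who plugged in the same model the IT team uses, but a neighbour with the same brand will also trip it, so it is a lead to follow up rather than an alert to act on.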
Host IDS

Host-based IDS, or HIDS, work by monitoring activity occurring internally on a host. HIDS look for unusual or nefarious activity by examining logs created by the operating system, looking for changes made to key system files, tracking installed software, and sometimes examining the network connections a host makes.

The first HIDS were rather rudimentary, usually just creating MD5 hashes of files on a recurring basis and looking for discrepancies (file integrity monitoring, or FIM). MD5 is no longer collision-resistant, so a FIM you deploy today should use SHA-256 or similar. Since then HIDS have grown far more complex and perform a variety of useful security functions. Also, if you need to become compliant with one of the many standards (PCI DSS, ISO 27001, etc.) then HIDS is effectively compulsory: PCI DSS, for example, explicitly requires change-detection or file-integrity monitoring of critical system files.
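The FIM idea is simple enough to show end to end. This added example (not code from the guide, OSSEC or Samhain) snapshots a directory tree, recording a SHA-256 digest, size and permission bits per regular file, then diffs a later snapshot to report added, removed and modified paths. The demo tree, the appended uid-0 account and the cron job are constructed inside a temporary directory; in production the baseline would be signed and stored off-host, for the reason the OSSEC section gives.

```python
"""Minimal file integrity monitoring: hash a tree, keep a baseline, diff later runs."""
import hashlib
import os
import stat
import tempfile

def file_digest(path, algo="sha256", chunk=65536):
    """Stream the file through the hash so large files do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Return {relative_path: {"sha256", "size", "mode"}} for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are tracked differently, skip here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"sha256": file_digest(full), "size": st.st_size,
                         "mode": stat.S_IMODE(st.st_mode)}
    return snap

def diff_snapshots(baseline, current):
    """Compare two snapshots; a path is 'modified' if any recorded attribute changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Build a constructed tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, body, mode=0o644):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(body)
            os.chmod(full, mode)
        write("etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        write("etc/hosts", b"127.0.0.1 localhost\n")
        baseline = snapshot(root)
        # Tampering: a second uid-0 account, weakened permissions on an unchanged file,
        # and a new cron job. Content, mode and presence changes are all caught.
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"backdoor:x:0:0::/root:/bin/sh\n")
        os.chmod(os.path.join(root, "etc/hosts"), 0o666)
        write("etc/cron.d/evil", b"* * * * * root /tmp/.x\n")
        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The permission change on etc/hosts is caught even though its bytes and hash are identical, which is why a real FIM records more than the digest; a hash-only check would have missed it.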
OSSEC

In the realm of full-featured open source HIDS tools, there is OSSEC and not much else. Go ahead and google away, I’ll wait. The great news is OSSEC is very good at what it does and it is rather extensible. OSSEC will run on almost any major operating system and uses a client/server architecture, which is very important in a HIDS. Since a HIDS could potentially be compromised at the same time the OS is, it’s very important that security and forensic information leave the host and be stored elsewhere as soon as possible, to avoid any kind of tampering or obfuscation that would prevent detection.

OSSEC’s architecture incorporates this strategy by delivering alerts and logs to a centralized server, where analysis and notification can occur even if the host system is taken offline or compromised. Another advantage of this architecture is the ability to centrally manage agents from a single server. Since deployments can range from one to thousands of installations, the ability to make changes en masse via a central server is critical for an administrator’s sanity.

When discussing OSSEC and other HIDS, there is often trepidation about installing an agent or software onto critical servers. It should be noted that the OSSEC installation is extremely light (the installer is under 1MB) and that the majority of analysis actually occurs on the server, which means very little CPU is consumed by OSSEC on the host. OSSEC also has the ability to send OS logs to the server for analysis and storage, which is particularly helpful on Windows machines, which have no native cross-platform logging mechanism such as syslog. Summary:

• Agents for almost every OS
• Compiled agent for Windows
• Lots of functionality other than just FIM
• Rigid but simple installation process

AlienVault USM features a complete integration of OSSEC. Whether you need to install agents on servers, modify policies, or even trigger OSSEC’s active response features, it can all be done within USM. Logs from OSSEC clients are also pre-integrated into USM’s SIEM and correlation engines.
Samhain

In comparison to OSSEC, Samhain is the best competition. But it’s very much a case of “same but different” when making the comparison. Samhain has the same client/server architecture but it’s not beholden to it like OSSEC is. The agent itself has a variety of output methods: a central server is one, but others like syslog, email and an RDBMS are greatly appreciated.

Another important difference is where the analysis occurs. Unlike OSSEC, the processing occurs on the client itself. While this gives an advantage in terms of processing speed, it could have an impact on your servers. However, it does put those CPU cycles to good use, as Samhain has a much stronger emphasis on FIM. Summary:

• Harder to install
• Windows clients require Cygwin
• Great FIM functionality
• More flexible client
OpenDLP

OpenDLP isn’t really a HIDS but its functionality makes it worth a mention here. This tool has one goal, and that’s DLP, or data loss prevention. It scans data while it’s “at rest”, looking for pieces of data like credit card numbers or SSNs, and can be extended with regular expressions to find data that is sensitive to your organization. OpenDLP will look for this data on file systems or even inside databases, on both Windows and Linux. It can perform these scans via an installable agent or without any software installation (agentless). Summary:

• Not a FIM or HIDS technically, but interesting
• Very Windows friendly
• Does DLP only
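A regex alone is a poor card-number detector: any 16-digit order ID matches. The following is an added example, not OpenDLP’s code or code from the guide, of the scan logic the paragraph describes with the validation step that keeps the false-positive rate bearable: candidate card numbers must pass the Luhn checksum, and SSN candidates must satisfy the structural rules of the SSN (no 000, 666 or 9xx area, no 00 group, no 0000 serial). The sample text is constructed; 4111 1111 1111 1111 is a well-known test number.

```python
"""Regex-plus-validation scan for card numbers and SSNs in data at rest (OpenDLP-style logic)."""
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum, satisfied by every real card number; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text):
    """Return (kind, value, line_no) for validated hits; Luhn failures are dropped silently."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append(("card", digits, n))
        for m in SSN_RE.finditer(line):
            hits.append(("ssn", m.group(), n))
    return hits

# Constructed sample file content: one real-looking card, one mistyped card, one order id.
SAMPLE = """Customer: Jane Doe
Card: 4111 1111 1111 1111 exp 12/19
Card (typo): 4111-1111-1111-1112
Order id: 1234567890123456
SSN: 123-45-6789
Bad SSN: 000-12-3456
Phone: 555-0100
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print(hit)
```

Two of the three 16-digit runs in the sample are discarded by the checksum. The trade-off is that a mistyped card number in a support ticket is also discarded, which for DLP purposes is usually the right call.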
Rounding out your toolset

FIM ONLY
There are quite a few FIM tools that get categorized with HIDS. Some are actively developed and others haven’t been updated in years. Since these tools only perform one function I won’t elaborate much more. A few of these are AIDE, Open Source Tripwire and AFick.

SECURITY ONION
If you’re interested in trying out some or all of the open source IDS tools from this post you could save some time and check out Security Onion. It’s an Ubuntu-based distribution with everything pre-installed.
AlienVault USM brings it all together

• Asset discovery: active network scanning, passive network scanning, asset inventory, host-based software inventory
• Security intelligence: SIEM event correlation, incident response
• Threat detection: network, host & wireless IDS, file integrity monitoring
• Vulnerability assessment: continuous vulnerability monitoring, authenticated / unauthenticated active scanning
• Behavioral monitoring: log collection, NetFlow analysis, service availability monitoring

Powered by AV Labs Threat Intelligence.
Next Steps: Play, share, enjoy!
www.alienvault.com
•	 Learn more about the IDS capabilities of AlienVault USM
•	 Watch our 3-minute overview video
•	 Play in our product sandbox
•	 Start detecting threats today with a free 30-day trial
•	 Join the Open Threat Exchange
About the Author

Joe Schreiber, Director of Solutions Architecture at AlienVault

Joe has been working in hands-on roles in IT security since the days of dial-up. In fact, he has deployed and managed virtually every commercial and open source IDS tool out there. His ardor for packets landed him a job analyzing network traffic for Fortune 50 companies with AT&T Managed Security Services. In this role, Joe built one of the world’s largest SIEM systems, bringing thousands of devices under real-time security management and monitoring more than 2 petabytes of network traffic daily.
