July 26th, 2004, 05:04 AM
Free HIDS for Windows and *nix
Looking for a FREE HIDS (Host-based Intrusion Detection System) for your Windows or *Nix box? Check out OSIRIS http://osiris.shmoo.com! It's very cool and useful...and free open source! I've been testing it out on a couple of test machines this weekend and am very impressed. And there appears to be continued development activity on it based on a review of their development area (http://cvs.shmoo.com/view/projects/osiris/) - see the change log http://cvs.shmoo.com/view/projects/osiris/ChangeLog.
Only a couple of complaints so far, and I'm early into testing, mind you:
1) It didn't detect a change to the local security policy but I did see on their TODO list to add Registry monitoring. They also plan to add NTFS permissions monitoring - cool for Windows admins out there.
2) It's a little CPU intensive during its scans: it spikes the CPU up to between 30-80% on an old slow P3, which is still a little intense. I also saw that they were going to work on that and just stream the logs/information back to the management console - that will help.
So far, very cool product and I plan to install it on my home machines as another way to monitor for intrusion: remember "Defense In Depth".
If anyone tries this out as well, I would love to hear/learn what your experiences with it were.
* It's positioned as a Host Integrity Monitoring System
* The architecture is a management console on one node and then a small agent on each device you want to monitor.
* It supports both Windows (NT/2000/2003/XP) and most flavors of *nix (Linux, SunOS, OpenBSD, AIX, FreeBSD, generic version).
* What is monitored is fully configurable - default monitors: users, groups, system dirs (WINNT, /bin, /sbin, /boot), subdirectories, file extensions; it will follow links.
* Can set up to regularly scan against baseline and email administrator if differences found, when scan is done, if scan errors out, etc.
* Can accept a new scan as the baseline if wanted.
* Uses SSL to communicate between management console and agents
* Uses MD5 hashing for integrity checks
* Can point to external syslog utility
From their website: osiris.shmoo.com
Osiris is a Host Integrity Monitoring System that periodically monitors one or more hosts for change. It maintains detailed logs of changes to the file system, user and group lists, resident kernel modules, and more. Osiris can be configured to email these logs to the administrator. Hosts are periodically scanned and, if desired, the records can be maintained for forensic purposes. Osiris keeps an administrator apprised of possible attacks and/or nasty little trojans. The purpose here is to isolate changes that indicate a break-in or a compromised system. Osiris makes use of OpenSSL for encryption and authentication in all components.
As more and more computers are finding themselves on public and private networks, they are more open to attacks --vulnerable to invasion. Unfortunately, understanding the security involved often takes a back seat or the risks are not fully understood. As a result, systems are compromised.
There are various means by which an administrator can prevent or detect an attack, however, no solution is perfect. Osiris is not a complete solution to this problem, but a tool to be used in conjunction with others in an effort to maintain the integrity of a system. By being made aware of trojan applications and/or unauthorized changes to files, further damage or theft of information can be prevented.
Providing accurate and important information is key to the function of a tool such as Osiris. Common use involves periodically scanning a system and producing reports containing information that may indicate a compromise. If this information contains a lot of noise, or false positives, the cumbersome act of filtering such noise can lead to malicious activity that goes unnoticed.
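As an added illustration (not part of the original post and not Osiris's own code), here is the baseline-and-compare loop that a host integrity monitor performs, reduced to its core: hash a directory tree, keep the result as the baseline, rescan later and report added, removed and modified entries. It uses SHA-256 rather than the MD5 the post mentions, records symlinks by target instead of following them, and builds its sample tree in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_tree(root: Path) -> dict:
    """Baseline a tree: relative path -> (digest or link target, size, mode).
    Symlinks are recorded by target rather than followed, so a swapped link shows up."""
    record = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            content = "link:" + os.readlink(p) if p.is_symlink() else hash_file(p)
            record[p.relative_to(root).as_posix()] = (content, st.st_size, st.st_mode)
    return record

def compare(old: dict, new: dict) -> dict:
    """Diff two scans into the three categories a change report would list."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in common if old[k] != new[k]),
    }

def demo() -> dict:
    """Constructed scenario: baseline a small tree, alter it, rescan and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = scan_tree(root)
        # Same-length replacement: a size check alone would miss it, the digest does not.
        (root / "bin" / "ls").write_bytes(b"replaced ls binary")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "new.conf").write_text("constructed sample file\n")
        return compare(baseline, scan_tree(root))
```

Calling `demo()` returns the report for the constructed tampering: one modified file, one removed, one added.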