[ubuntu-hardened] Linux Intrusion Detection and you
Daniel Cid
dcid at ossec.net
Thu Nov 29 03:30:47 GMT 2007
Hi John,
Just jumping in to answer some of your comments.
- OSSEC can be configured to just monitor the logs (very low CPU intensive) and do a few checks that are non-intrusive.
- OSSEC can be installed as "local-only", or switched to server/agent, which can easily work on enterprise environments.
You also said:

> As it stands, no such thing I'm aware of exists. Most stuff like OSSEC
> requires agents and all kinds of weird analysis and Web applications and
> servers and stuff to run. Nothing can just run through your logs and
> bundle things together.
OSSEC doesn't require agents or web applications/databases to run. You
probably never installed it, but it just requires the most basic
stuff.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 11/28/07, John Richard Moser <nigelenki at comcast.net> wrote:
>
>
> Jeff Schroeder wrote:
> > This is really just to get a discussion going, but what does everyone
> > think of integrating a decent set of IDS tools into Ubuntu?
>
> I'd like to define "really nice" here.
>
> - Use as much non-intrusive detection as possible, rather than relying on additional auditing capabilities. This may include...
>   - Logs
>   - Listening to network traffic
>
> - Additional auditing capabilities should be as light as possible, not disk-filling CPU/RAM hogs.
>
> - Allow the archival of all collected data on a remote server. This is key, because even if a home setup doesn't, the stuff should be so nice that you just want to flip a big switch marked "ENTERPRISE" that just puts the stuff in a central location (yes yes I know...)
>
> - Allow light-weight analysis and viewing. A low-CPU and low-memory process should be putting this stuff through a pipeline. (1)
>
> As it stands, no such thing I'm aware of exists. Most stuff like OSSEC
> requires agents and all kinds of weird analysis and Web applications and
> servers and stuff to run. Nothing can just run through your logs and
> bundle things together.
>
> Point 1: A low-CPU, low-memory process would need to be pretty intense.
> Rather than hard-code, it would have to have a set of rules to analyze
> things and (gasp) compile them into some bytecode, then OPTIMIZE the
> bytecode, then separate the bytecode and make parts of it control higher
> level program logic differently so that a lot of the program would
> actually AVOID interpreting the bytecode. Complex stuff.
>
> --
> Bring back the Firefox plushy!
> http://digg.com/linux_unix/Is_the_Firefox_plush_gone_for_good
> https://bugzilla.mozilla.org/show_bug.cgi?id=322367
>
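A minimal version of the log-only pipeline both messages talk about (a rule set compiled once up front, a single streaming pass over the logs, events bundled per source and alerted on a threshold), as an added illustration that is not OSSEC code or anything posted in this thread; the rules and the auth.log lines are constructed samples.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    pattern: str               # compiled once at load time, not per log line
    threshold: int = 1         # hits per key before an alert fires
    key_group: str = "src"     # named group used to bundle related events
    regex: "re.Pattern" = field(init=False, repr=False)

    def __post_init__(self):
        self.regex = re.compile(self.pattern)


# Constructed rule set: data, not hard-coded checks, so the analyzer stays small.
RULES = [
    Rule("sshd_failed_password",
         r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)",
         threshold=3),
    Rule("sudo_session", r"sudo: +(?P<src>\S+) : TTY=", threshold=1),
]


def analyze(lines, rules=RULES):
    """One pass over the log; returns (rule, key, count) once a threshold is reached."""
    counts = defaultdict(int)
    alerts = []
    for line in lines:
        for rule in rules:
            m = rule.regex.search(line)
            if not m:
                continue
            key = m.group(rule.key_group)
            counts[(rule.name, key)] += 1
            if counts[(rule.name, key)] == rule.threshold:  # fire once per key
                alerts.append((rule.name, key, rule.threshold))
    return alerts


# Constructed auth.log excerpt: three failures from one source, one clean login, one sudo.
SAMPLE_LOG = """\
Nov 29 03:01:10 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Nov 29 03:01:12 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Nov 29 03:01:15 host sshd[2103]: Failed password for root from 203.0.113.5 port 4031 ssh2
Nov 29 03:02:00 host sshd[2110]: Accepted publickey for alice from 192.0.2.7 port 50112 ssh2
Nov 29 03:02:30 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
""".splitlines()

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print("ALERT", *alert)
```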