[ubuntu-hardened] Linux Intrusion Detection and you
John Richard Moser
nigelenki at comcast.net
Thu Nov 29 03:49:49 GMT 2007
Daniel Cid wrote:
> Hi John,
>
> Just jumping in to answer some of your comments.
>
> - OSSEC can be configured to just monitor the logs (very low CPU usage)
> and do a few checks that are non-intrusive.
>
> - OSSEC can be installed as "local-only", or switched to server/agent,
> which can easily work in enterprise environments.
>
> You also said:
>
> "
>> As it stands, no such thing I'm aware of exists. Most stuff like OSSEC
>> requires agents and all kinds of weird analysis and Web applications and
>> servers and stuff to run. Nothing can just run through your logs and
>> bundle things together.
> "
>
> OSSEC doesn't require agents or web applications/databases to run. You
> probably never installed it, but it just requires the most basic
> stuff.
>
>
Interesting. The stuff I've always seen shows all kinds of available
agents for OSSEC, no mention of a light mode.
I'm running on 2GB RAM and I have thunderbird, firefox, and xchat open
all the time... and rhythmbox... and pidgin... and I still manage to
come within 300MB of the top of memory easily. :| I oppose anything
that eats an unruly amount of memory, especially if the justification
involves a lot of bulky stuff like a web server etc.
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On 11/28/07, John Richard Moser <nigelenki at comcast.net> wrote:
>>
>> Jeff Schroeder wrote:
>>> This is really just to get a discussion going, but what does everyone
>>> think of integrating a decent set of IDS tools into Ubuntu?
>> I'd like to define "really nice" here.
>>
>> - Use as much non-intrusive detection as possible, rather than relying
>> on additional auditing capabilities. This may include...
>> - Logs
>> - Listening to network traffic
>>
>> - Additional auditing capabilities should be as light as possible, not
>> disk-filling CPU/RAM hogs.
>>
>> - Allow the archival of all collected data on a remote server. This is
>> key, because even if a home setup doesn't, the stuff should be so
>> nice that you just want to flip a big switch marked "ENTERPRISE" that
>> just puts the stuff in a central location (yes yes I know...)
>>
>> - Allow light-weight analysis and viewing. A low-CPU and low-memory
>> process should be putting this stuff through a pipeline. (1)
>>
>> As it stands, no such thing I'm aware of exists. Most stuff like OSSEC
>> requires agents and all kinds of weird analysis and Web applications and
>> servers and stuff to run. Nothing can just run through your logs and
>> bundle things together.
>>
>> Point 1: A low-CPU, low-memory process would need to be pretty intense.
>> Rather than hard-code, it would have to have a set of rules to analyze
>> things and (gasp) compile them into some bytecode, then OPTIMIZE the
>> bytecode, then separate the bytecode and make parts of it control higher
>> level program logic differently so that a lot of the program would
>> actually AVOID interpreting the bytecode. Complex stuff.
>>
>> --
>> Bring back the Firefox plushy!
>> http://digg.com/linux_unix/Is_the_Firefox_plush_gone_for_good
>> https://bugzilla.mozilla.org/show_bug.cgi?id=322367
>>
>
--
Bring back the Firefox plushy!
http://digg.com/linux_unix/Is_the_Firefox_plush_gone_for_good
https://bugzilla.mozilla.org/show_bug.cgi?id=322367
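John's wish list above (logs as the primary data source, a light single-pass pipeline, rules compiled once up front rather than re-interpreted for every line, and related events bundled together) can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from OSSEC or from any other project. The rule set and the auth.log-style lines are constructed, and pinning a year onto the timestamps is an assumption made because syslog lines carry none.

```python
"""Minimal single-pass log correlator.

Rules are compiled once into (event, regex) pairs; each log line is then
scanned once, and failures are bundled per source address inside a sliding
time window. Added example for this thread, not project code. The rule set,
sample log lines and the pinned year are all constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed rule set: event name plus the regex that names the source address.
RULES = [
    ("ssh_failed_password",
     r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<src>\S+)"),
    ("ssh_invalid_user",
     r"sshd\[\d+\]: Invalid user \S+ from (?P<src>\S+)"),
    ("ssh_accepted",
     r"sshd\[\d+\]: Accepted \w+ for \S+ from (?P<src>\S+)"),
]

# Classic syslog prefix: "Nov 29 03:10:01 host ..."
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) ")

# Constructed sample lines (addresses are from documentation ranges).
SAMPLE_LOG = [
    "Nov 29 03:10:01 host sshd[2201]: Failed password for root from 198.51.100.7 port 40122 ssh2",
    "Nov 29 03:10:04 host sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2",
    "Nov 29 03:10:09 host sshd[2205]: Invalid user oracle from 198.51.100.7",
    "Nov 29 03:10:15 host cron[1200]: (root) CMD (run-parts /etc/cron.hourly)",
    "Nov 29 03:11:00 host sshd[2210]: Accepted password for root from 198.51.100.7 port 40140 ssh2",
    "Nov 29 03:11:30 host sshd[2212]: Accepted publickey for jrm from 192.0.2.10 port 5000 ssh2",
    "Nov 29 03:13:30 host sshd[2250]: Failed password for root from 203.0.113.5 port 41000 ssh2",
    "Nov 29 03:16:45 host sshd[2260]: Failed password for root from 203.0.113.5 port 41010 ssh2",
]


def compile_rules(rules):
    """Compile the rule table once; the per-line loop only runs the matchers."""
    return [(event, re.compile(pattern)) for event, pattern in rules]


def parse_line(line, compiled):
    """Return (timestamp, event, src) for a line matching some rule, else None."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    # Syslog carries no year; pin one so timestamps are comparable (assumption).
    ts = datetime.strptime("2007 " + m.group("ts"), "%Y %b %d %H:%M:%S")
    for event, rx in compiled:
        hit = rx.search(line)
        if hit:
            return ts, event, hit.group("src")
    return None


def correlate(lines, rules=RULES, threshold=3, window_s=60):
    """One pass over the lines. Failures are queued per source and expired once
    older than window_s; crossing the threshold raises one brute_force alert per
    source, and a successful login from a source with live failures is flagged."""
    compiled = compile_rules(rules)
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerted = set()                 # sources already reported for brute force
    alerts = []
    for line in lines:
        parsed = parse_line(line, compiled)
        if parsed is None:
            continue                # uninteresting lines cost one scan and are dropped
        ts, event, src = parsed
        q = failures[src]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()             # drop failures that fell out of the window
        if event in ("ssh_failed_password", "ssh_invalid_user"):
            q.append(ts)
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append(("brute_force", src, len(q)))
        elif event == "ssh_accepted" and q:
            alerts.append(("success_after_failures", src, len(q)))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The two failures from 203.0.113.5 sit more than a minute apart, so the first has expired by the time the second arrives and no alert is raised; that expiry step is what keeps memory bounded by the window rather than by the size of the log. Shipping the logs to a remote host for archival, as the list asks, is a separate concern this in-memory pass does not address.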