Breakout Session 4: Host-Based Intrusion Detection
Host-Based Intrusion Prevention and Detection
Combined Notes and Summary
Session facilitators: RuthAnne Bevier, Walter Dykas, Lynda McGinley
The breakout session discussions supported the workshop goals by topical discussions
around the focus areas:
1. Host-Based Intrusion Detection and Response
Tools and techniques describing a reactive posture and post-event ability to detect and
respond to attempted or successful intrusions. The events are primarily ill-intentioned,
but could include approved, but possibly unannounced penetration testing.
Communication and protocol was often cited as a deficiency during a multi-site or
multi-system intrusion event.
2. Host-Based Intrusion Prevention and Testing
Tools and techniques to supporting a preventative posture and pre-event actions. In
some cases these, tools and techniques could be used during an event to prevent
additional intrusion or system compromise.
For each focus area, common areas included:
1. Technical tools and processes, practices
These are presented as things needed to support either a reactive or defensive posture.
The technical tools, supporting processes, and practices needed for network and
system security described here are “host-based” using or managing system-level
information as opposed to network-specific information such as from networkintrusion detection systems and concerned with multiple hosts and network layer data
anomalies. The use of technical tools assumes the ability to acquire relevant skills and
training for the tools of choice in order the tools can be used to fullest potential.
2. Non-technical policies, processes, and training:
This focus area is primarily people related, a “soft security” area. Policies and
documented processes ensure consistency and effective implementation of
preventative and reactive measures. Inter/Intra-site communication would generally
fall in this area and was cited frequently in the workshop as a shortfall in intrusion
response.
From the host-based sessions discussions, security practices should target and be
organized around the following kinds of people:
1. System administrators, normally technical and support functions
The general concern was system administrators need greater support in implementing
tools, policy, and training to ensure the users they are supporting are cognizant of and
supportive of security controls and consequent limitations. Staff with technical
security responsibilities need additional training and access to current information on
technical tools and techniques. There is high concern with the lack of ability to
protect all systems and infrastructure with an inability to rapidly assess and resolve
new vulnerabilities across a large number of systems diverse in configuration,
technology, and geographic location.
2. General users, such as administrative, research, and collaborators
This group may be the first line of defense to intrusions, but are typically the least
trained and supportive to security-related practices. Security is perceived as an
impediment to research where research (intuitively open access and collaborative) is
considered contradictory to security (intuitively closed and isolated). Striking an
educated balance between the two extremes will ensure research is accomplished at
the same time the infrastructure on which the research depends is protected.
3. Management, or those that make and enforce security policy
In many cases, the success a site or facility security posture is due to the proactive
management support. The lack of support for user requirements and specific user
actions vis-à-vis an approved acceptable use policy (AUP), is a precursor to a security
failure. Security events are typically the exploitation of known and patchable
vulnerabilities that could be prevented.
The following are loosely (re)organized notes of the host-based intrusion
prevention/detection breakout sessions.
Many sessions participants had a technical background with the majority having
computer or network technical support as their primary job function as opposed to
primarily management. A minority of participants had a security (system, network,
computer, etc.) role as a primary job function (either as management or as technical
support). Because of their expertise, interest, or through their technical support role had
either assumed or been assigned a security responsibility in addition to other
responsibilities.
The following are primarily technical tools, processes, and practices that are used or have
been reviewed by the session participants for the purpose of preventing, testing,
detecting, or responding to host-based intrusions. Many of the tools are either Unix-like
(e.g., operating systems like Unix, Linux, AIX, HP-UX, etc.) or Windows (e.g.,
Microsoft operating systems like WinXP, Win2000, etc.). There are examples of tools or
techniques that exist in both operating system domains.
Summary of Host-Based Tools, Techniques, and Practices
Tools
Automation
Alarm Reduction
Intrusion Signatures
General
Specifics
Unix-like Tools for Intrusion Prevention and Testing
Unix-like Tools and Practices for Intrusion Detection and Response
Using a centralized syslog server
 requires configuring client to generate appropriate data
 should monitor both activity (e.g., login) successes and failures
 for openSSL, configuring syslog below debug level won't give enough helpful
info
 a primary challenge is to develop automated analyses to prioritize alerts
 consider setting all machines to log at *debug, but for large numbers of systems
be prepared to manage and monitor the significant amount of logs.
Tripwire
 is a change-auditing solution that increases control of IT operations for servers
and network devices
 http:// ww.tripwire.com/
 tripwire management console
monit
 a tool for monitoring changes to binaries
 http://osx.freshmeat.net/projects/monit/
logtool
 command-line program that will parse ASCII logfiles into a more palatable
format
 http://xjack.org/logtool/
chrootkit
 Utility to check for root kits, updated on irregular basis for new rootkit signatures
rkhunter
 useful tool to check for trojans, rootkits, and other security problem
 http://freshmeat.net/projects/rkhunter/
isatable (proxy server)
 Mandrake Linux specific tool
Swatch — generic security log monitoring tool set [reference]
 /sec — security expert correlate
 logs — written in lisp
 reference site: log analysis.org
Practices for Unix-like systems
 frequently performing 'tail' on logs
 include router logs in system log analysis
 develop intrusion signatures with automated scripts or log correlation
stateful firewall
 such as iptables that can be configured to deny, allow, and log
 similar to Windows OS based host firewalls
Windows-like Tools for Intrusion Detection and Response
Windows personal firewalls
 can log (e.g., ZoneAlarm) as well as block inbound or outbound suspicious
activity
XP firewall (mostly for SP2)
 can log much information, but much is meaningless; additional tools or training is
needed to make good use of the tool
psloglist PsLogList retrieves message strings from a computer that is monitored.
 psloglist and other Windows OS tools are available at
http://www.sysinternals.com/sysinternals
 also available: filemon, regmon, ttymon for monitoring changes to files, registry,
and tty connections
Microsoft port reporter
 A Microsoft tool inserted as a logging service for Windows that logs TCP/IP port
usage
 http://www.microsoft.com/downloads/
snare
 A system-level agent for Windows OS systems that can collects, filters and
forwards windows event logs to a Snare server or to any remote syslog host
 http://www.intersectalliance.com/projects/SnareWindows/
ePolicy Orchestrator (McAfee VirusScan)
 A tool that provides detection and prevention capability against malicious code
for Windows OS. The ePolicy Orchestrator provides a centralized management
solution that manages and aggregates attack data from each system. The product
is primarily for Windows OS, but other OS solutions are available (e.g.,
Macintosh, Linux, Solaris)
TrendMicro anti-virus at the gateway and on individual systems
 A tool that provides similar capability as many standalone system-level malicious
code prevention and detection solutions for Windows systems. Other operations
systems are supported variously.
Windows-like Tools for Intrusion Prevention and Testing
ISS/scanner for vulnerability testing
 ISS/scanner is a network-based tool for assessing configuration or software
defects. System-level tools and tools specific for databases and servers are
available. ISS/scanner is an industry standard for vulnerability testing. Expensive
for some sites to obtain and maintain.
Microsoft Baseline Security Analyzer (Microsoft)
General Tools and Practices for Most OS
perl - the scripting Swiss knife for everything; for cross-platform portability
shell commands and scripting: allow for greater solution portability just as does perl
Patch management
 server and system agent tools available to maintain software updates. Some tools
are pull from the system by the user; other tools are can be configured to allow
centralized management and pushing patches to the local system as a means of
implementing a site patching policy.
 Big Fix: an agent-based patch utility; more information at:
http://www.bigfix.com/
 Microsoft software management server
 Microsoft Windows Update
 RedHat Patch Server
Authentication management tools
 pam module
 crack, john the ripper, and others for password checking
DNS servers to monitor and watch for suspicious queries
packetshaper
 tool to assist analysis of firewall and IDS log
rainbow tables
 tables of pre-computed LM hashes for NT passwords (available on DVD); these
are available to potential hackers, so you may have use them too
lightning console
 is web-based console to assist managing and aggregation of a variety of logs
including scanning and IDS
process accounting
 process accounting is the method of recording and summarizing commands
executed on Linux
strace on Linux and other OS
 strace is a standard system call trace, i.e., a debugging tool which prints out a
trace of all the system calls made by a another process/program; also partially
available for Windows OS; use and reporting be automated to provide some
detection features like Windows malicious code detection.
lsof

lsof is an open-source, host-level intrusion-detection tool that helps determine
what processes have certain files open; as might rootkits or other trojans; use and
reporting be automated to provide some detection features like Windows
malicious code detection.
General Practices and Processes — How to Use and Configure and Tune the Tools
know your site
 to be able to find information about people and systems quickly
localize your tools
 so they are accessible from anywhere for use or updating
Site dependencies need to be considered when evaluating tools, resources, and policies,
including local versus centralized system administration, operating system experience,
technical expertise of users, and technical staff.
If centralized system management is possible, consider push out scripts looking for
suspicious directories, filenames, or to update configurations and software.
Additional logging practices and concepts
 log aggregation: multiple system report
 10 most frequent and 10 least frequent
 look for network chat, port scanning, address scanning,
 odd cross network/organization activity; sysadmin activity
 where there is no local sysadmin, centralized logging provides broader monitoring
coverage
 user interaction: multiple system reports, trending
 site dependent: multiple system reports
 moving data somewhere you can analyze it and where the data could be protected
from malicious changes
 consider network IDS, look at end point before and after encryption
 snort looking at its own traffic.
 network IDS — mrtg/rrd tools
 consider logging system alarms to check for logging system failures such as
dropped logs, locked system
 the site or institution should set a standard for log retention, possibly would need
to include the instantiation legal organization
 system time synchronization is critical for post even analysis; an institution’s
infrastructure systems should synchronized together and to external time standard
Special Concepts and Practices
 burglar alarms
 kernel hacking for honeypot tools
 log all (bash) shell changes
 consider modifying system level code such as bash and sshd to monitor for
suspicious activity and provide more information to the syslog
 create bastion hosts or login gateways to provide another layer of defense and
management for monitoring and patch management.
 honey tokens should not be used in any normal operation and would trigger an
alert to system operator or security monitoring devices
References





Abe Singer book on managing syslogs (should be released soon)
Sysinternals site for security freeware http://www.sysinternals.com/
Dykas notes
McGinley notes
Virginia notes