
List:       openbsd-misc
Subject:    Re: Advice on using intrusion detection
From:       Aaron Mason <simplersolution () gmail ! com>
Date:       2020-11-25 5:22:43
Message-ID: CAM2Ksw6SMWYDszP9tZZZbYpd+Pki__5py3FU4ySLgxSMZOH1Zg () mail ! gmail ! com

On Sun, Nov 22, 2020 at 1:14 AM Nick Holland
<nick@holland-consulting.net> wrote:
>
> On 2020-11-20 17:15, Erik Lauritsen wrote:
> > Is it recommended to run some kind of intrusion detection on an
> > OpenBSD router/firewall?
> >
> > I suspect that any kind of system like Snort or Suricata will give a
> > lot of false positives?
>
> [SNIP]
>
> One thing I have been doing for a while is rsync --link-dest backups of
> systems, both in-house and at various workplaces.  FANTASTIC tool,
> giving incredibly "useful" backups, with relatively low impact and
> resource requirements.  My I use a -v on rsync to get verbose backups,
> and log it to a file.
>
> Just recently, I realized these logs are basically a "changed file"
> report, which is a starting point for a file alteration reporting
> tool.  Combine that with a carefully crafted "ignore" file (you
> can do that with a grep -vf ignorefile logfile), and you have an
> interesting file monitoring system.
>

This sounds similar to what I do with logs - something Marcus Ranum
called "artificial ignorance". Using grep, you fill a file with
patterns to remove things you know aren't interesting, and once you
apply it to your logs what remains will absolutely be interesting.  If
anything else uninteresting shows up, update the pattern file to
filter those entries out. I used this method on the logs of my
OpenBSD-based Request Tracker server and found that the reason a
commercial piece of software running on a Hyper-V virtual machine kept
needing to be reactivated was because the server's MAC address would
regularly change if you left it set to Dynamic.  Really, Microsoft?

> The painful part with any such system is crafting the list of what
> to ignore vs. what to panic over.  Everyone wants to tick the
> checkbox that says "We have an intrusion detection system", and
> everyone wants one of two results: "No problem" and "intruder
> detected".  So far, I don't think any tool does that.  An IDS
> without careful human monitoring is just for show (and it's a
> potential security risk of its own), and more likely to be the
> cause of a problem than a solution.  Careful monitoring takes
> time and resources.
>

Problems like "we're only getting 56Mbps from our 1000mbit fibre
connection". Yes, really. Bypassing the IDS/IPS actually led to better
performance - or at least better numbers on the speed test. You got
some 'splaining to do, Sophos.

> One nifty thing I have found in "rolling my own" is that I found
> a lot of little oddities, no security problems, but things that
> needed fixing.  I'd call that a win.
>

Exactly, it just takes effort.  Something that is in short supply
whether by overwork or laziness.

> Nick.
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
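An added example, not from this thread or either poster: the "artificial ignorance" pass both messages describe, run over a constructed rsync -v backup log with a constructed ignore file (the paths and patterns are made up for illustration).

```sh
#!/bin/sh
# Artificial ignorance over an rsync -v log: drop every line a pattern file
# says is boring, and whatever is left gets a human's attention.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of what a nightly "rsync -v --link-dest" run logs.
cat > "$WORK/rsync.log" <<'EOF'
sending incremental file list
var/log/messages
var/log/daemon
var/db/pkg/quirks-3.x
home/alice/.cache/thumbs
etc/ssh/sshd_config
usr/local/bin/helper
sent 1,234 bytes  received 56 bytes  2,580.00 bytes/sec
total size is 987,654  speedup is 765.62
EOF

# Constructed ignore file, one basic regex per line (grep -vf semantics).
# Anchor patterns so "var/log/" cannot silently hide an unrelated path that
# merely contains those characters; an over-broad pattern is the usual way
# an ignore file starts eating real changes.
cat > "$WORK/ignore" <<'EOF'
^sending incremental file list$
^sent [0-9,]* bytes
^total size is
^var/log/
^home/[^/]*/\.cache/
EOF

# artificial_ignorance LOG IGNOREFILE
# Prints each log line matching none of the patterns. Exit status is grep's:
# 0 when something survived (look at it), 1 when the night was uneventful.
artificial_ignorance() {
    grep -v -f "$2" "$1"
}

if artificial_ignorance "$WORK/rsync.log" "$WORK/ignore"; then
    echo "--- lines above need a human; add a pattern only once understood"
else
    echo "--- nothing interesting"
fi
```
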

