SAMHAIN: An open-source Host Intrusion Detection System (HIDS)
A simple question: how can you defend against intrusions?
Firewalls
A building without openings is useless.
A human body without openings would be dead.
A server without open ports is pointless.
Intruders enter through open ports, not through the wall!
NIDS
Search network traffic for known attack patterns.
This is a known attack on health.
But the attack can look different...
...and may come in disguise.
Is this an attack on your server? "There is a major center of economic activity, such as Star Trek, including the Ed Sullivan show. The former Soviet Union..." Or is it just spam?
It is ix86 binary executable code! (English Shellcode, Mason et al. 2009: x86 shellcode that is also readable English text.)
Recognizing an attack by pattern matching is difficult at best.
File Integrity Verification
Fingerprints are unique.
So are cryptographic checksums. MD5 of fingerprint.jpg: 6d49 6d22 f8c8 b2c7 d4ab d39e 0054 9d7a
(MD5 still illustrates the idea, but practical collision attacks against it are known, so a current deployment should use a SHA-2 family hash.)
Firewalls and NIDSs are convenient because they can be installed at a central point, but they may be circumvented.
File integrity verification is very robust, but it requires monitoring of every individual host.
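The checksum idea from the slides above, worked through as an added example (this is illustration code written for this page, not Samhain's own implementation or database format): a baseline of every regular file under a directory is recorded as (hash, size, mode, mtime), a later scan is compared against it, and the result is classified as added, removed or modified. SHA-256 is used instead of the MD5 shown on the slide. The record layout, the function names and the scenario in demo() (a fake bin directory, a trojaned ps, a deleted ls and a dropped .backdoor file) are all assumptions constructed for the example.

```python
"""Added illustration of file integrity verification (not Samhain's code or database format)."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# One record per regular file: (sha256 hex digest, size, mode bits, mtime in ns).
# Hypothetical layout chosen for this example.
Record = Tuple[str, int, int, int]


def hash_file(path: str, algo: str = "sha256") -> str:
    """Hex digest of the file contents, streamed so large files do not load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, Record]:
    """Walk root and fingerprint every regular file, keyed by '/'-separated relative path."""
    baseline: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (hash_file(full), st.st_size, st.st_mode, st.st_mtime_ns)
    return baseline


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> Dict[str, List[str]]:
    """Classify paths as added, removed or modified relative to the stored baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def metadata_matches(a: Record, b: Record) -> bool:
    """True when size, mode and mtime agree, i.e. a stat-only check would see nothing."""
    return a[1:] == b[1:]


def demo() -> Dict[str, object]:
    """Constructed scenario: baseline a fake bin directory, then tamper the way a rootkit would."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        originals = {
            "ls": b"#!/bin/sh\nexec /usr/bin/ls\n",
            "ps": b"#!/bin/sh\nexec /usr/bin/ps\n",
        }
        for name, content in originals.items():
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(content)
        baseline = build_baseline(root)

        # Trojan 'ps' with a same-length replacement and put the old mtime back,
        # so size, mode and mtime all still match the baseline; only the hash differs.
        ps = os.path.join(bin_dir, "ps")
        st = os.lstat(ps)
        with open(ps, "wb") as f:
            f.write(b"#!/bin/sh\nexec /tmp/.xx/ps\n")  # same byte length as the original
        os.utime(ps, ns=(st.st_atime_ns, st.st_mtime_ns))
        os.remove(os.path.join(bin_dir, "ls"))  # a removed file
        with open(os.path.join(bin_dir, ".backdoor"), "wb") as f:
            f.write(b"payload")  # an added file

        current = build_baseline(root)
        result: Dict[str, object] = compare(baseline, current)
        result["ps_stat_unchanged"] = metadata_matches(baseline["bin/ps"], current["bin/ps"])
        return result


if __name__ == "__main__":
    print(demo())
</```

The trojaned ps passes a size/mode/mtime comparison (ps_stat_unchanged is True) and is caught only by the content hash, which is the point of using a cryptographic checksum rather than stat data. The weak spot of any local checker is the baseline itself: an intruder with root on the host can rewrite a baseline stored there, which is why a central server that holds the baseline and hands it to clients is a better design than a file on the monitored machine.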
Samhain
Samhain is an open-source Host Intrusion Detection System (HIDS) with central management.
A complete Samhain system
What you get: Samhain provides a centralized client-server host monitoring system.
Samhain host integrity checks: file integrity verification, logfile monitoring, login/logout monitoring, hidden process detection, open port detection.
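One of the checks listed above, open port detection, as an added example that is not Samhain's own code: on Linux the kernel exposes the TCP socket table in /proc/net/tcp, so a listener that is not on an allow-list can be flagged by parsing that table. The sample table below is constructed for the example (sshd on *:22, PostgreSQL on 127.0.0.1:5432, an unexpected listener on *:31337, and one established connection), and the function names and the allow-list are assumptions.

```python
"""Added illustration of open-port detection from /proc/net/tcp (not Samhain's own check)."""
import os
import socket
from typing import List, Set, Tuple

TCP_LISTEN = "0A"  # value of the 'st' column for a socket in LISTEN state

# Constructed sample of /proc/net/tcp. Addresses are hex in host byte order, which on
# x86 means the four IPv4 bytes appear reversed; ports are big-endian hex.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18421 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000   110        0 19077 1 0000000000000000 100 0 0 10 0
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31122 1 0000000000000000 100 0 0 10 0
   3: 0A00020F:D2B4 5DB8D822:01BB 01 00000000:00000000 02:00000A3C 00000000  1000        0 22410 2 0000000000000000 20 4 30 10 -1
"""


def listening_sockets(proc_net_tcp: str) -> Set[Tuple[str, int]]:
    """Parse /proc/net/tcp text and return the set of (ip, port) pairs in LISTEN state."""
    found: Set[Tuple[str, int]] = set()
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue  # established, time-wait etc. are not listeners
        ip_hex, port_hex = fields[1].split(":")
        ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])  # undo little-endian host order
        found.add((ip, int(port_hex, 16)))
    return found


def unexpected_listeners(proc_net_tcp: str, allowed_ports: Set[int]) -> List[Tuple[str, int]]:
    """Listeners whose port is not on the allow-list: the kind of finding a HIDS reports."""
    return sorted(s for s in listening_sockets(proc_net_tcp) if s[1] not in allowed_ports)


def check_live_host(allowed_ports: Set[int]) -> List[Tuple[str, int]]:
    """Run the same check against the real /proc/net/tcp when it exists (Linux only)."""
    path = "/proc/net/tcp"
    if not os.path.exists(path):
        return []
    with open(path) as f:
        return unexpected_listeners(f.read(), allowed_ports)


if __name__ == "__main__":
    print(unexpected_listeners(SAMPLE_PROC_NET_TCP, {22, 5432}))
```

Reading /proc is a fast first pass but not a complete one: a kernel-level rootkit that filters /proc can hide its own socket, so a port check gains from a second, independent source such as actually attempting a local connect() to each port and comparing the two views. The same reasoning applies to the hidden process detection listed above, where the process table from /proc is cross-checked against another view of running processes.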
The Samhain Server
Stores critical data (configuration, baseline); authenticates connecting clients; serves configuration and baseline data; receives reports and logs them to an RDBMS (MySQL, PostgreSQL, Oracle).
The Samhain Clients
At startup, download configuration and baseline data from the server; perform integrity checks as configured; report anomalies to the server.
The Beltane II Console
Review reports from clients; server-side updates of baseline data; check client status; edit and reload configuration data; multiple users with different roles.
Thank you for your attention!