Implementation Details
Identifying tools that aid in detecting signs of intrusion
For each of the tool types described below, the events, mechanisms, and data of interest are listed to help you decide whether you need a tool of that type to implement your intrusion detection policies and procedures. Specific guidance on tool selection is difficult to give, because the selection criteria vary broadly with each organization's needs, and the lack of uniform characterizations of common security tools makes the task harder still. In most cases, the identified tools require manual analysis in concert with the automated data collection and reporting they perform.
Identify tools that report system events
Examples of tools that monitor and inspect the use of system resources (e.g., changes to file systems) and suspicious activity (e.g., unusual or unexpected open files, successful and failed administrative logins, unexpected shutdowns and restarts, unusual modem activity, unusual or excessive email activity) include:
Examples of active intrusion detection systems, including active log file monitors, that detect possible intrusions or access violations while they are occurring include:
Identify tools that report network events
Examples of tools that monitor and inspect network traffic and connections (e.g., what kinds of connections, from where, and when), covering both failed connection attempts and established connections, connections to or from unusual locations, traffic contrary to your firewall setup, and unusual file transfer activity, include:
Examples of tools that detect whether or not your network interface card is in promiscuous mode include:
Examples of tools that detect new, unexpected services and verify the expected, available services on your network include:
Examples of tools that check for unauthorized network probes include:
Examples of tools that detect failed attempts to connect to unsupported services and systematic port scans include:
Identify tools that report user-related events
Examples of tools that check account configurations, such as authentication and authorization information, include:
Examples of tools that monitor and inspect user activity, such as login activity, repeated failed login attempts, logins from unusual locations, logins at unusual times, changes in user identity, and unauthorized attempts to access restricted information, include:
Identify tools that verify data, file, and software integrity
Examples of tools that inspect operating system and tool configurations for possible signs of exploits, such as improperly set access control lists on system tools, include:
Examples of tools that detect unexpected changes to the contents or protections of files and directories include:
An example of a tool that scans for trojan horses is trojan.pl.
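As an added illustration of the integrity-checking tool type described above (example code written for this page, not a tool from the CERT module and not Tripwire), the following Python routine records a SHA-256 of each file's contents together with its protection bits and owner, then reports additions, removals, and changes in content or protections against a stored baseline. The directory contents built in `demo()` are constructed for the example and are not real system files.

```python
import hashlib
import os
import stat
import tempfile

def fingerprint(path):
    """SHA-256 of contents plus the protection bits and owner of one file."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return (digest, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)

def snapshot(root):
    """Baseline: relative path -> fingerprint for every regular file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                result[os.path.relpath(full, root)] = fingerprint(full)
    return result

def compare(baseline, current):
    """Report (path, finding) for files added, removed, or changed in content or protections."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            findings.append((path, "added"))
        elif path not in current:
            findings.append((path, "removed"))
        else:
            old, new = baseline[path], current[path]
            if old[0] != new[0]:
                findings.append((path, "content changed"))
            if old[1:] != new[1:]:
                findings.append((path, "protections changed"))
    return findings

def demo():
    """Constructed scenario (not real system files): baseline a directory, then alter it."""
    root = tempfile.mkdtemp()
    for name, text, mode in (("passwd", "root:x:0:0\n", 0o644), ("login", "binary-v1", 0o755)):
        with open(os.path.join(root, name), "w") as f:
            f.write(text)
        os.chmod(os.path.join(root, name), mode)
    baseline = snapshot(root)
    with open(os.path.join(root, "passwd"), "a") as f:
        f.write("newuser:x:0:0\n")                    # content change
    os.chmod(os.path.join(root, "login"), 0o777)      # protection change
    open(os.path.join(root, "backdoor"), "w").close()  # unexpected new file
    return compare(baseline, snapshot(root))
```

A real deployment would store the baseline on read-only media or a separate host, since a baseline the intruder can rewrite proves nothing.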
Identify tools to examine your systems in detail, periodically or as events warrant
Examples of tools that reduce and scan log files to enhance the immediate detection of unusual activity include:
Examples of tools that check log consistency for possible tampering include:
Examples of tools that check for known vulnerabilities include:
Additional information
All of the above tools can be obtained at one or more of the following sites:
- CERT/CC: Computer Emergency Response Team Coordination Center
- CIAC: Computer Incident Advisory Capability
- COAST: Computer Operations Audit and Security Technology
- DFNCERT: German Computer Emergency Response Team
- TAMU: Computer and Information Services Network Group at Texas A&M University
- Wietse Venema's security site
Tripwire is a registered trademark of the Purdue Research Foundation.