I was thinking about getting a Intrusion Detection system set up. Im running Mandrake & it has a system called 'Prelude' that is installed. The only problem is that although it probably can do the job, it is not very user friendly. As a newbie i would have problems interpreting the data from it.

Can anyone suggest a good IDS for Linux that is relatively easy to install, operate and maintain?? (By 'relatively easy' i mean something that would take me a day or so to understand how to operate it)

Also has anyone had experience of using a program called 'The Deception Toolkit' - if so what did you think of it?

Thanks

Intrusion Detection is the sysadmin's job and I'v never seen many simple sysadmin tools. Sorry. A firewall and careful use of the root account should make it unnecessary in non-commerical cases.

I never heard of the Deception Toolkit before so I looked it up. New to me....but, I saw in the news the other day that Yahoo is offering something similar to paid subscribers. More research may tell you what you want to know.

My Intrusion Detection System:

%cat /var/log/secure | more
%cat /var/log/syslog | less
%cat /var/log/firewall.log | most

Then you do have a firewall.

Tripwire

AIDE is also good for the things tripwire does and its free.

http://www.cs.tut.fi/~rammer/aide.html

(caveat: I haven't tried it yet, but am planning to set it up this weekend)

Sounds interesting, please post your findings once installed.
I like the price of free

Most people do

But don't miss out on the smell of freedom along with your free as in beer.

neilcpp: Can anyone suggest a good IDS for Linux that is relatively easy to install, operate and maintain?? (By 'relatively easy' i mean something that would take me a day or so to understand how to operate it)
It's a hybrid IDS, it's got centralized logging and reporting, GTK GUI control. Shouldn't be hard. Or do you mean you lack the basic knowledge to *run* and IDS?

Also has anyone had experience of using a program called 'The Deception Toolkit' - if so what did you think of it?
I think nothing of it. I haven't tried it and I see no reason to. What you're doing is trying to lure crackers in by faking networked services. If I would want to do that I'd choose to build a proper honeypot system.


jayjwa: My Intrusion Detection System:(etc)
...IMHO isn't good enough, cuz you can't track changes in the filesystem.
A host-based network-scrubbing IDS should really be accompanied by a


Mossie: AIDE is also good for the things tripwire does and its free.
AFAIK the academic version of Tripwire is still free, innit?


Anyway, I think this is a good thread because the subject isn't much talked about while it IMHO is a crucial part of being capable to audit a host... Aide was set up to counter tripwire going commercial, and I've been nothing but pleased using it. Aide is easy to set up using different config files and databases which I think is good for spreading coverage and system load. One thing it doesn't do compared to tripwire is sign it's own databases, so it's essential you don't forget to save a copy of your initial* databases and the binary to read-only media.

*Filesystem integrity databases are best set up after installing the OS, this is the only way to achieve max surety whatever you're logging is sane.

What Aide has in favour over Integrit and Osiris (there's many more players in the field) is the fact it can make use of compressed databases. Tagging a system with Aide would give you aprox 2.5MB in gzipped db's, Integrit nearly 10, and Osiris over 12. On "modern" systems space isn't an issue, but if you count in the fact you gotta generate output db's as well and back 'em up to ro media then it does matter.
What Samhain has in favour over the rest is it can sign and encrypt databases and remain a continuously running process (AFAIK). One thing tripwire, Aide and Samhain have in common is you can set up a centralized server and host the client db's there, of the three only Samhain has that function incorporated in it's design tho.

Personally, I'd go with the traditional Snort and ACID. Snort is relatively straightforward to setup and you can add ACID (along with PHP, MySQL and Apache) for detection. IMHO, Snort's probably got to have the largest audience out there for IDS. Prelude is a relatively new product.

Tripwire (still free under sourceforge) is good to know what changes have happened locally versus intrusion via network (which is what Snort detects).

That said, these are merely tools for helping someone detect an attack. They will not replace knowledge or understanding. Newer attacks are not detected by many of these products (think along the lines of AV software which requires daily updates and new signatures to detect attacks). Security is often a layered system (like an onion.. ). No one tool will solve your answer but being deligent and aware will help you mitigate attacks.

If you want to setup a honeypot it's better to do it on a seperate system. Honeypots are meant to draw attackers away from good stuff. The Honeynet Project is a good place to get information about honeypots, honeynets and honeytokens. I haven't played with TDK but have been mucking about with honeyd and bait'n'switch.

Hope this helps.

don't expect your logs to provide accurate information after you've been hacked. rootkits are made to hide the appearance of the hacker, that includes altering log files, and replacing "netstat", "ps", etc...

Thanks for this infomation - im going to try to install AIDE behind my firewall. Im not going to waste time with the 'deception toolkit' - I misunderstood what this suite of programs / scripts is designed to do!