LinuxQuestions.org

nedianz 07-13-2005 08:19 AM

any test application to help detecting intrusions on a host?
 
Hi,

I am working on some distributed system architecture which includes hosts on both synchronous and asynchronous networks. I was wondering if there is any application out there which can help in finding out whether the node has been compromised? By saying this I mean any test application running hand in hand with some IDS, so that by executing the application and making the IDS monitor it, major categories of intrusions, if not all, can be detected. Let's say I am not running any specific applications/services on the nodes which an IDS can monitor and need some benchmark application just to keep monitoring the status of the node as intruded/non-intruded. I know it sounds weird, but let's say it's a system of passively replicated nodes in which one (primary) is working at a time, but since at some stage it might need to switch over to secondary nodes (on development of some fault), I need to ensure that the nodes which are passive are fine/secure. How to do that? I came across some applications on the internet talking about testing IDS but I guess that would be something different from this scenario.

Cheers.

TruckStuff 07-13-2005 09:14 AM

I think you are probably looking for a file integrity checker like Tripwire-portable or AIDE. Both take a bit of work to set up and configure properly, but once done, you're good to go. You can also install IDS software locally to simply check for common intrusions.

Michael Johnson 07-15-2005 05:20 AM

If you are looking at network detection and monitoring, is this what you are looking for?

Powerful Multi-Platform Analysis

Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Its open source license allows talented experts in the networking community to add enhancements. It runs on all popular computing platforms, including Unix, Linux, and Windows.

thorn168 07-15-2005 02:54 PM

You can also download and burn Whax Linux. It is a Live CD distro from a development team in Israel.

The webpage is: http://iwhax.net/modules/news/

You can also get more info from distrowatch; which is where I found out about this distro.

I have D/Led it and burned it so I know it is a working product. Basically what they did is they took the Slax distro and stripped every application out of Slax except some CD-recording programs and replaced it with their entire suite of "hacktools" and exploits.

I did not test any of the tools but I did boot it on a live network and got set up as a client and did some web browsing.

I am familiar with the Slax Live CD as well as this one and I find Whax to be somewhat slow compared to the original Slax.

When I did some fact checking at the developer website I found that they are actively developing and maintaining the distro.

In scanning their forum they sound like an active probe team working on the tools of the trade.

If you are looking for more "legitimate" software you may wish to run a search on Networkworld's website since they review security and monitoring software.

Go to: www.networkworld.com

I hope this helps.

nedianz 07-16-2005 11:08 AM

Thanks for your responses but I am not sure I fully understand them. I will probably get back to it after digging out a bit further the things mentioned.

In the meantime can I ask a few more questions?

1. As far as I understand, you need to have some application running on your system to be able to run a host-based IDS on it (I am particularly interested in anomaly-based IDS). And I assume that the IDS needs to be configured on those applications so that it knows the normal characteristics and is able to monitor it. Can anyone correct me if this concept is wrong? If this is right, then am I right in saying that in order to protect your system completely, all applications running on the node should have corresponding IDS(s) monitoring them?

2. In continuation with the first question, can I have my application (a communication protocol running on distributed nodes) running on that node and an IDS monitoring that application only? (Say I am only interested in securing the system as far as my application is concerned, so that no intruder can get into the system by attacking my application.)

3. I am making some assumptions during my work. One of them is that on the synchronous network (e.g. a company's LAN), among the multiple nodes participating in the execution, not all of them are compromised simultaneously. I am assuming that at least one would remain unaffected/un-intruded, at least for some time. Is it an unrealistic assumption?

By the way, I intend to use either RH or Fedora.

Cheers.

