Apparently, though unproven, at 22:45 on Friday 19 November 2010, Fatih Tümen
did opine thusly:

> Hi,
>
> I just want to be aware of anything unusual instantly, preferably by
> email. This is a single or two user laptop. Here are the few I gave a
> shot:
>
> Logsentry is very simple and easy to use with its plain rule files and
> check script. It just works out of the box with almost zero
> configuration. I only had to add a couple of rules and modify
> logcheck.sh according to my syslog setup. But it seems to be
> unmaintained and, more importantly, it is not real time. There is an
> hourly cron job shipped with the package, but running it more frequently
> sounds like overdoing it.
>
> I also checked logsurfer, which comes with an init script, however, no
> working configuration file and sort of confusing examples.
>
> Aide, as an intrusion detection tool, also has a very simple
> configuration, but it does not report in real time either. You have to
> place the example cron job in the cron directory of your choice manually.
> Running it hourly loads the system every hour for a couple of minutes.
> Running it daily means knowing about the intrusion only the day after.
> I don't see the point of that; it may be too late for everything.
>
> I read somewhere that snort was the most used one. At first glance
> there are too many configuration variables. It just seems overmuch for
> what I want on my system.
>
> What I want is something like tail using inotify:
> tail -f / | mail $ME :)
>
> Seriously, are there [or is there a single] tool/s for {system,
> network, log} monitoring and intrusion detection, using inotify to
> watch and email the instant changes on a system? What do you use and
> recommend for a home pc?
>
> eix -cSz ntrusion and log monitor show what is available in portage,
> but asking to share experience is a lot better than an emerge-try-unmerge
> cycle. Hope you agree.


We use OSSEC (http://www.ossec.net/) at work and it seems to perform well.
Alerts are almost real-time on Linux (using inotify) and it's able to classify
log entries into some hierarchy of importance. IOW you can cherry pick the
kind of thing you want to be told about.

And if you feel like being adventurous you can write plug-ins to deal with
logs that do not already have a scanner.

I can't comment on how much work it is, as a colleague set it up and I wasn't
paying attention. I can tell you that it does come with a sane config out of the
box which might not be ideal for you, but is *much* better than having nothing
at all.

It does elementary IDS as well, but that is a different beast to log analysis
(like an MTA is different to anti-spam), best handled by a different product -
something in the same class as snort, for example.


--
alan dot mckinnon at gmail dot com
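An added example, not part of the thread and not OSSEC's or logcheck's own code, of the "hierarchy of importance" idea from the reply above: a small logcheck-style classifier that drops known-good noise, assigns each remaining line a level, escalates repeats from one source, and keeps only what is worth mailing. The rule patterns, levels and the sample syslog lines are all constructed for this example; nothing about inotify or mail delivery is included.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed, logcheck-style rule list (assumed for this example, not OSSEC's own rules):
# first matching rule wins; level 0 means "known-good, drop", higher means more important.
RULES: List[Tuple[re.Pattern, int, str]] = [
    (re.compile(r"sshd\[\d+\]: Accepted publickey for \w+ from 192\.168\."), 0, "expected LAN ssh login"),
    (re.compile(r"cron\[\d+\]: \(\w+\) CMD "), 0, "routine cron job"),
    (re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+)"), 5, "ssh auth failure"),
    (re.compile(r"sudo: +(\w+) : .* COMMAND="), 3, "sudo use"),
]
MAIL_THRESHOLD = 4  # lines at or above this level are worth an e-mail
REPEAT_LIMIT = 2    # the same reason from the same source this many times escalates it

@dataclass
class Alert:
    level: int
    reason: str
    source: str  # what the rule captured (IP, user), "" if nothing
    line: str

def classify(line: str) -> Optional[Alert]:
    """Map one log line to an Alert, or None for known-good noise."""
    for pattern, level, reason in RULES:
        m = pattern.search(line)
        if m:
            return None if level == 0 else Alert(level, reason, m.group(1) if m.groups() else "", line)
    # Unknown lines get a low level rather than silence, so a new log source still shows up.
    return Alert(1, "unmatched line", "", line)

def alerts_for(lines: Iterable[str], threshold: int = MAIL_THRESHOLD) -> List[Alert]:
    """Classify lines, escalate repeats from one source, keep those at or above threshold."""
    alerts = [a for a in map(classify, lines) if a is not None]
    repeats = Counter((a.reason, a.source) for a in alerts)
    for a in alerts:
        if a.source and repeats[(a.reason, a.source)] >= REPEAT_LIMIT:
            a.level, a.reason = max(a.level, 7), f"repeated {a.reason} from {a.source}"
    return [a for a in alerts if a.level >= threshold]

# Constructed sample of what syslog on such a laptop might contain.
SAMPLE_LOG = """\
Nov 19 22:40:01 laptop sshd[1201]: Accepted publickey for fatih from 192.168.1.5 port 50122 ssh2
Nov 19 22:41:10 laptop sshd[1210]: Failed password for invalid user admin from 10.0.0.9 port 4022 ssh2
Nov 19 22:41:12 laptop sshd[1211]: Failed password for root from 10.0.0.9 port 4023 ssh2
Nov 19 22:42:00 laptop sudo:    fatih : TTY=pts/0 ; PWD=/home/fatih ; USER=root ; COMMAND=/usr/bin/emerge -av
Nov 19 22:43:30 laptop cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
Nov 19 22:44:05 laptop dhcpcd[900]: eth0: leased 192.168.1.20 for 3600 seconds
"""
```

Run over the sample, only the two failed-password lines clear the mail threshold, and because both come from the same address they are escalated to level 7; lowering the threshold to 1 also surfaces the sudo use and the unmatched dhcpcd line.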