| 1 |
Apparently, though unproven, at 22:45 on Friday 19 November 2010, Fatih Tümen |
| 2 |
did opine thusly: |
| 3 |
|
| 4 |
> Hi, |
| 5 |
> |
| 6 |
> I just want to beware of anything unusual instantly, preferably by |
| 7 |
> email. This is a single or two user laptop. Here are the few I gave a |
| 8 |
> shot: |
| 9 |
> |
| 10 |
> Logsentry is very simple and easy to use with its plain rule files and |
| 11 |
> check script. It just works out of the box with almost zero |
| 12 |
> configuration. I only had to add couple of rules and modify |
| 13 |
> logcheck.sh according to my syslog setup. But it seems to be |
| 14 |
> unmaintained and more importantly it is not real time. There is an |
| 15 |
> hourly cron job shipped with the package but running it more frequent |
| 16 |
> sounds like overdoing it. |
| 17 |
> |
| 18 |
> I also checked logsurfer which comes with a init script, however, no |
| 19 |
> working configuration file and sort of confusing examples. |
| 20 |
> |
| 21 |
> Aide, as an intrusion detection tool, has also very simple |
| 22 |
> configuration but it does not report in real time either. You have to |
| 23 |
> place the example cron job to cron directory of your choice manually. |
| 24 |
> Running it hourly loads the system every hour for couple of minutes. |
| 25 |
> Running it daily mean knowing about the intrusion only the day after. |
| 26 |
> I don't see the point of that, it may be too late for everything. |
| 27 |
> |
| 28 |
> I read somewhere that snort was the most used one. At first glance |
| 29 |
> there are too many configuration variables. It just seems overmuch for |
| 30 |
> what I want on my system. |
| 31 |
> |
| 32 |
> What I want is something like tail using inotify: |
| 33 |
> tail -f / | mail $ME :) |
| 34 |
> |
| 35 |
> Seriously, are there [or is there a single] tool/s for {system, |
| 36 |
> network, log} monitoring and intrusion detection, using inotify to |
| 37 |
> watch and email the instant changes on a system? What do you use and |
| 38 |
> recommend for a home pc? |
| 39 |
> |
| 40 |
> eix -cSz ntrusion and log monitor show what is available in portage |
| 41 |
> but asking to share experience is a lot better than emerge-try-unmerge |
| 42 |
> cycle. Hope you agree. |
| 43 |
|
| 44 |
|
| 45 |
We use OSSEC (http://www.ossec.net/) at work and it seems to perform well. |
| 46 |
Alerts are almost real-time on Linux (using inotify) and it's able to classify |
| 47 |
log entries into some hierarchy of importance. IOW you can cherry pick the |
| 48 |
kind of thing you want to be told about. |
| 49 |
|
| 50 |
And if you feel like being adventurous you can write plug-ins to deal with |
| 51 |
logs that do not already have a scanner. |
| 52 |
|
| 53 |
I can't comment on how much work it is, as a colleague set it up and I wasn't |
| 54 |
paying attention. I can tell you that it does come with a sane config out the |
| 55 |
box which might not be ideal for you, but is *much* better than having nothing |
| 56 |
at all. |
| 57 |
|
| 58 |
It does elementary IDS as well, but that is a different beast to log analysis |
| 59 |
(like an MTA is different to anti-spam), best handled by a different product - |
| 60 |
something in the same class as snort for example |
| 61 |
|
| 62 |
|
| 63 |
-- |
| 64 |
alan dot mckinnon at gmail dot com |
Archives