Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.

Overview
● The construction of the GRID will require an effective security system.
● The GRID must be protected from use by unauthorized persons, and the system must not become a platform for launching attacks against other systems.
● In this context, the Intrusion Detection System acquires special importance.

Aims
● Our aim has been the study, evaluation and implementation of a Host Intrusion Detection System based on Open Source software.
● A system based on technologies such as Nagios, SNMP, Tripwire and Chkrootkit has been deployed at CIEMAT, the University of Barcelona and the University Autonoma of Madrid.

Nagios Characteristics
● Nagios is a system designed for monitoring computers, detecting failures in services and sending notifications to administrative contacts.
● Nagios is not specifically an IDS.
● Nagios has a modular design with a web interface, a set of plugins, support for SNMP queries, and the ability to execute scripts on remote hosts over SSH.

Nagios: Threats
● As soon as an intruder gains access to a system through a vulnerability, he frequently tries to conceal his presence and to establish privileged access, with actions such as:
– creating a superuser account (uid=0),
– creating a user with an empty password,
– capturing information with a sniffer,
– hiding the files he uses in the /dev directory.

Nagios: Use of scripts
● Four scripts have been created for monitoring:
– the number of users with uid=0,
– users without a password,
– network interfaces in promiscuous mode,
– regular files hidden in the /dev directory.
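The four checks on this slide, written out as an added example (this is not the authors' script). It follows the Nagios plugin convention of return codes 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN, and each function takes the file or directory it inspects as an optional argument so the logic can be exercised against constructed data; the default live paths /etc/passwd, /etc/shadow, /sys/class/net and /dev, and the IFF_PROMISC flag bit 0x100 read from sysfs, are the assumptions about the monitored host.

```shell
#!/bin/sh
# Added example (not the authors' scripts): the four host checks from the slide
# as Nagios-style plugin functions. Each takes the file or directory it inspects
# as an optional argument (default: the live system path). Return codes follow
# the Nagios plugin convention: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.

# 1. Accounts with uid 0 other than root (a classic backdoor superuser).
check_uid0() {
    passwd_file="${1:-/etc/passwd}"
    extra=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$passwd_file")
    if [ -n "$extra" ]; then
        echo "CRITICAL - extra uid=0 accounts: $(echo $extra | tr ' ' ',')"
        return 2
    fi
    echo "OK - only root has uid 0"
    return 0
}

# 2. Accounts whose password field is empty. Normally read from /etc/shadow
#    (needs root); /etc/passwd has the same column layout, so it works for tests.
check_empty_password() {
    shadow_file="${1:-/etc/shadow}"
    [ -r "$shadow_file" ] || { echo "UNKNOWN - cannot read $shadow_file"; return 3; }
    empty=$(awk -F: '$2 == "" { print $1 }' "$shadow_file")
    if [ -n "$empty" ]; then
        echo "CRITICAL - accounts with empty password: $(echo $empty | tr ' ' ',')"
        return 2
    fi
    echo "OK - no accounts with empty password"
    return 0
}

# 3. Interfaces in promiscuous mode (a sniffer is the usual reason). Linux
#    exposes the interface flags in /sys/class/net/<if>/flags as a hex word;
#    IFF_PROMISC is 0x100. Reading sysfs avoids trusting a possibly trojaned ifconfig.
check_promisc() {
    sysfs_net="${1:-/sys/class/net}"
    promisc=""
    for flags_file in "$sysfs_net"/*/flags; do
        [ -r "$flags_file" ] || continue
        flags=$(cat "$flags_file")
        [ -n "$flags" ] || continue
        if [ $(( $flags & 0x100 )) -ne 0 ]; then
            promisc="$promisc $(basename "$(dirname "$flags_file")")"
        fi
    done
    if [ -n "$promisc" ]; then
        echo "CRITICAL - promiscuous mode on:$promisc"
        return 2
    fi
    echo "OK - no interface in promiscuous mode"
    return 0
}

# 4. Regular files under /dev, where only device nodes, symlinks and a few
#    directories are expected. /dev/shm is a tmpfs used by normal software, so it
#    is skipped; add further exceptions for your distribution as needed.
check_dev_regular_files() {
    dev_dir="${1:-/dev}"
    hidden=$(find "$dev_dir" -xdev ! -path "$dev_dir/shm/*" -type f 2>/dev/null)
    if [ -n "$hidden" ]; then
        echo "CRITICAL - regular files in $dev_dir: $(echo $hidden | tr ' ' ',')"
        return 2
    fi
    echo "OK - no regular files in $dev_dir"
    return 0
}

# Run one check when invoked directly, e.g. `sh check_host.sh promisc`.
case "${1:-}" in
    uid0)    check_uid0 ;;
    passwd)  check_empty_password ;;
    promisc) check_promisc ;;
    dev)     check_dev_regular_files ;;
esac
```

Each function prints a one-line status in the form Nagios displays and returns the matching state, so the script can be wired in as a plugin (or run by snmpd/SSH on the node) with one check per service definition. Because the checks read /etc/passwd, /etc/shadow, sysfs and /dev directly rather than parsing ps, ifconfig or ls output, they are only defeated once the intruder tampers with the kernel or the binaries the script itself calls, which is exactly the gap the next slides address.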

What does it not cover?
● A knowledgeable malicious user will try to modify certain system binaries to conceal his presence.
● Some of those binaries will be: ifconfig, netstat, ps, ls, top...
● In this case our scripts are not useful. Why?

A knowledgeable malicious user
● The modified ps will conceal the execution of the sniffer installed by the intruder.
● The modified ifconfig will hide the promiscuous mode of the NIC.
● The altered ls will not show the directory where the intruder has installed his files.

Tripwire. What is it?
● Tripwire is an intrusion detection tool able to detect and pinpoint changes such as:
– File additions, deletions and modifications.
– File permissions and properties.
– Inode number and number of links.
– User id and group id of the owner.
– Inode and file creation and modification timestamps.
– Hash checking: RSA, MD5, MD4, MD2,...
– Device number to which an inode points.

DB/reports. How does Tripwire work?
● To detect these changes, Tripwire establishes an encrypted reference database of the monitored files.
● Periodically the consistency of the files is checked against the reference database.
● A report is created with the most relevant information.

Integrity of the Tripwire database
● To test the integrity of the Tripwire database on the remote nodes, a checksum of the database is computed and the resulting hash is inserted in the MIB tree.
● An SNMP request is used to check that hash against the reference copy held on the central platform.

Use of Tripwire
● Our aim: analyze the consistency of a set of system binaries.
● These binaries have been chosen because they are the principal targets of intruders.
● The chosen binaries are: ls, mkdir, ps, top, login, mount, netstat, su, ifconfig, syslogd, find, killall, passwd, rpc.mountd, rpc.nfsd, tcpd, xinetd.
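The baseline-and-compare cycle of the "How does Tripwire work?" slide, applied to the binaries listed here, as an added example in shell (this is not Tripwire itself nor the authors' configuration). A baseline records for each monitored binary its SHA-256 plus the inode metadata Tripwire watches (mode, uid, gid, inode, link count, size, mtime); a later run compares the live values against the baseline and reports each difference with Nagios return codes. It assumes GNU coreutils (sha256sum, stat -c); the binaries are resolved through PATH, so daemons not on the current PATH are skipped.

```shell
#!/bin/sh
# Added example (not the authors' Tripwire setup): a minimal baseline-and-compare
# integrity check in the style the slides describe. Assumes GNU coreutils
# (sha256sum, stat -c). In production the baseline must be kept where the
# monitored host cannot alter it, e.g. read-only media or the central server.

# The binaries chosen on the slide, resolved through PATH; names that are not
# on the current PATH (daemons, when not run as root) are silently skipped.
list_slide_binaries() {
    for b in ls mkdir ps top login mount netstat su ifconfig syslogd find \
             killall passwd rpc.mountd rpc.nfsd tcpd xinetd; do
        command -v "$b" 2>/dev/null || true
    done
}

# One baseline record:
# "<path> <sha256> <mode> <uid> <gid> <inode> <links> <size> <mtime>"
record() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "$f MISSING"
        return
    fi
    sum=$(sha256sum "$f" | awk '{ print $1 }')
    meta=$(stat -c '%a %u %g %i %h %s %Y' "$f")
    echo "$f $sum $meta"
}

# Build the baseline file $2 from a list of paths (one per line) in $1.
make_baseline() {
    list="$1"; baseline="$2"
    : > "$baseline"
    while read -r f; do
        [ -n "$f" ] || continue
        record "$f" >> "$baseline"
    done < "$list"
}

# Compare the live system against a baseline; Nagios-style return codes.
check_baseline() {
    baseline="$1"; changed=0; total=0
    while read -r f rest; do
        total=$((total + 1))
        current=$(record "$f")
        if [ "$current" != "$f $rest" ]; then
            echo "CHANGED: $f"
            echo "  baseline: $rest"
            echo "  current:  ${current#"$f "}"
            changed=$((changed + 1))
        fi
    done < "$baseline"
    if [ "$changed" -gt 0 ]; then
        echo "CRITICAL - $changed of $total monitored files changed"
        return 2
    fi
    echo "OK - all $total monitored files match the baseline"
    return 0
}

# `sh integrity.sh init` after a trusted install, `sh integrity.sh check` from cron/Nagios.
case "${1:-}" in
    init)  list_slide_binaries > binaries.list
           make_baseline binaries.list binaries.baseline ;;
    check) check_baseline binaries.baseline ;;
esac
```

Any legitimate package upgrade of a listed binary also trips the check; the operational answer, as with Tripwire, is to re-initialise the baseline only after confirming the change, never automatically.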

What does it not cover?
● With the spread of automated attack tools, gaining privileged access and concealing it has become an extremely simple task.
● After the exploration phase and obtaining privileged access, the intruder focuses on installing a rootkit to conceal his presence.

Chkrootkit. What is it?
● Chkrootkit is a command line tool that detects the presence of rootkits by:
– Checking for promiscuous mode on the NIC.
– Comparing ps output with /proc information.
– Detecting deleted entries in the wtmp file.
– Checking for the fingerprints of known rootkits.

Use of Chkrootkit
● To integrate Chkrootkit with Nagios, a script has been created which is executed by snmpd.
● Its results are inserted in the MIB tree.
● An SNMP request is used to gather the information.
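The snmpd plumbing that both this slide and the "Integrity of the Tripwire database" slide rely on, as an added example (not the authors' scripts): a node-side script computes the Tripwire database hash or a chkrootkit summary and snmpd publishes its output through the "extend" directive; the Nagios server fetches the value with snmpget and evaluates it. The snmpd.conf lines, the script path, the SNMP community, and the default Tripwire database location /var/lib/tripwire/<host>.twd are assumptions; the object name nsExtendOutputFull comes from NET-SNMP-EXTEND-MIB. The chkrootkit summary relies on chkrootkit marking positives with the word INFECTED and suspicious findings with "Warning".

```shell
#!/bin/sh
# Added example, not the authors' scripts: publishing a node-computed value
# (Tripwire database hash, chkrootkit summary) through snmpd "extend" and
# evaluating it on the Nagios server.
#
# Remote node, snmpd.conf (script path is an assumption):
#   extend tripwiredb /usr/local/lib/nagios/remote_checks.sh db_hash
#   extend chkrootkit /usr/local/lib/nagios/remote_checks.sh chkrootkit
# Nagios server, fetching one published line (community is an assumption):
#   snmpget -v2c -c COMMUNITY -Oqv node 'NET-SNMP-EXTEND-MIB::nsExtendOutputFull."tripwiredb"'

# ---- functions run on the monitored node (via snmpd) -------------------------

# SHA-256 of the Tripwire database. The default path follows the common
# /var/lib/tripwire/<host>.twd layout (assumption; adjust to your install).
db_hash() {
    db="${1:-/var/lib/tripwire/$(hostname).twd}"
    [ -r "$db" ] || { echo "UNREADABLE"; return 3; }
    sha256sum "$db" | awk '{ print $1 }'
}

# Reduce chkrootkit output (read from stdin) to "<infected> <warnings>":
# chkrootkit marks positives with the word INFECTED and suspicious findings
# with "Warning". One short line is easy to carry in a single SNMP object.
summarize_chkrootkit() {
    awk '/INFECTED/ { i++ } /Warning/ { w++ } END { printf "%d %d\n", i, w }'
}

chkrootkit_summary() {
    chkrootkit -q 2>/dev/null | summarize_chkrootkit
}

# ---- functions run on the Nagios server ---------------------------------------

# Compare the hash reported by the node with the reference kept centrally
# (recorded when the Tripwire database was last legitimately rebuilt).
evaluate_db_hash() {
    expected="$1"; reported="$2"
    case "$reported" in
        ""|UNREADABLE) echo "UNKNOWN - node did not report a database hash"; return 3 ;;
        "$expected")   echo "OK - Tripwire database hash matches reference"; return 0 ;;
        *)             echo "CRITICAL - Tripwire database hash differs from reference"; return 2 ;;
    esac
}

# Turn the "<infected> <warnings>" summary into a Nagios state.
evaluate_chkrootkit() {
    summary="$1"
    set -- $summary
    infected="${1:-0}"; warnings="${2:-0}"
    if [ "$infected" -gt 0 ]; then
        echo "CRITICAL - chkrootkit reports $infected INFECTED item(s)"; return 2
    fi
    if [ "$warnings" -gt 0 ]; then
        echo "WARNING - chkrootkit reports $warnings warning(s)"; return 1
    fi
    echo "OK - chkrootkit found nothing"; return 0
}

# Full server-side check for one node: fetch via SNMP, then evaluate.
check_node_db_hash() {
    node="$1"; community="$2"; expected="$3"
    reported=$(snmpget -v2c -c "$community" -Oqv "$node" \
        'NET-SNMP-EXTEND-MIB::nsExtendOutputFull."tripwiredb"' 2>/dev/null | tr -d '"')
    evaluate_db_hash "$expected" "$reported"
}

# Node-side entry points used by the snmpd "extend" lines above.
case "${1:-}" in
    db_hash)    db_hash ;;
    chkrootkit) chkrootkit_summary ;;
esac
```

Note the trust boundary: the hash is computed by the node being checked, so a rootkit that also patches sha256sum or snmpd can report whatever it likes. The design only raises the bar; comparing against a reference the node never sees, and alerting on UNKNOWN as well as CRITICAL, is what makes tampering visible rather than silent.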

Conclusions
● The deployment of a HIDS built from several GNU technologies is possible.
● In the facilities implemented at Ciemat, the University of Barcelona and the University Autonoma of Madrid, we monitor the computing nodes in detail and are capable of detecting the presence of an intruder from his first steps.

Nagios snapshot I

Nagios snapshot II