
Free intrusion detection?

Posted: Thu Mar 18, 2004 1:39 am
by Jonathan
I've been pointed towards AVG enough times to believe it is probably a pretty good free antivirus program. I may install it after I get my P4 system assembled, because what else am I going to do with my Hyperthreading? (Answer: run SETI@home in the background 24/7.) However, I think the idea of virus scanners is, at best, a break-even deal, and probably a losing proposition.

Traditionally, as far as I know, virus scanners have virus definition files that contain some signature for every virus the scanner knows about. The scanner searches incoming files and tries to match against these signatures. If it finds one, it has some rule for that virus to try to clean it. You must continually update your virus definition files in order to have protection against the latest viruses. This is a maintenance hassle. But if one of these fast-spreading worms, for instance, hits you, you will have no protection because the virus scanner knows nothing about this. The time from bug to exploit is ever-decreasing and a traditional virus scanner cannot help. In fact, they tend to give a lot of people a false sense of security in my experience.

Intrusion detection is a kind of program I have read about recently. The idea is you look for virus-y types of behaviors and lock shit down and notify users when you see something wrong. I think this is a much better sort of idea, though all the references to this type of software I have seen are for enterprise-level systems, not for home use. Zone Alarm has some limited capabilities along these lines. If a program you haven't authorized to connect to the net tries to send data down the pipe, Zone Alarm catches that and lets you know what the deal is.

Does anyone know anything about this kind of software? I'm looking for basically anything that's free: open source, shareware, Win32, Linux, doesn't matter. I'm just not going to pay for it, is all.

While we're on the topic, what do you do at home to guard your system? I currently have a hardware firewall and practice common sense--I don't run executables from untrusted sources. I don't currently use a software firewall or run a virus scanner. I run an SSH server that's globally visible but I don't remotely log in as root. I don't keep up-to-date with patches, either with Linux or Windows. I worry occasionally about the Linux box, but I figure as long as there aren't any SSH security exploits (ha!) I should be okay since the rest of the box is behind the firewall.

In the semi-far future, I'd like to see OS virtualization used for security purposes. That is, I BT the latest version of Photoshop or whatever and install it on a virtual disk image that's been carefully sandboxed. I use it some and then my intrusion detection software lets me know it's carrying Bagle.748, so I delete that virtual OS and carry on my merry way. We'll see.
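An added example, not from the thread, to make concrete the two approaches the post contrasts: a toy byte-pattern signature scanner of the kind the first paragraph describes, next to a behaviour-based check of the kind the second paragraph wants (persistence plus outbound traffic, mass SMTP fan-out, and a Zone Alarm style "unapproved program is connecting" alert). The signature database, the sample files, the event log and the allow-list are all constructed for this illustration; the one-byte variant shows why a freshly repacked worm walks past signatures while its behaviour still trips the second check.

```python
# Added example (not code from the thread): signature scanning vs. behaviour rules.
import re
from collections import defaultdict

# Constructed signature database: name -> byte pattern. Real scanners use much
# richer signatures, but the matching idea is the same.
SIGNATURES = {
    "Worm.Example.A": rb"\x4d\x5a.{4}WORMv1-MAILER",
}

def signature_scan(blob):
    """Return the names of every signature that matches the blob."""
    return [name for name, pat in SIGNATURES.items()
            if re.search(pat, blob, re.DOTALL)]

# Constructed samples: the known worm, a "new variant" that differs by one byte
# (all a repack needs to defeat a byte-pattern signature), and a clean file.
KNOWN_WORM  = b"\x4d\x5a\x90\x00\x03\x00WORMv1-MAILER" + b"\x00" * 16
NEW_VARIANT = b"\x4d\x5a\x90\x00\x03\x00WORMv2-MAILER" + b"\x00" * 16
CLEAN_FILE  = b"\x4d\x5a\x90\x00\x03\x00Hello, world\x00" + b"\x00" * 16

# Constructed host events in the shape an endpoint monitor might emit:
# (timestamp, process, event kind, detail).
EVENTS = [
    (10, "worm.exe", "file_write",
     r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svc.exe"),
    (12, "worm.exe", "net_connect", "192.0.2.10:25"),
    (13, "worm.exe", "net_connect", "192.0.2.11:25"),
    (14, "worm.exe", "net_connect", "192.0.2.12:25"),
    (20, "mozilla.exe", "net_connect", "198.51.100.7:80"),
    (30, "setiathome.exe", "net_connect", "203.0.113.5:80"),
]

# Path fragments that mean "run me at next boot/login" (assumed, not exhaustive).
STARTUP_HINTS = ("\\startup\\", "\\currentversion\\run", "/etc/rc.local", "/etc/init.d/")

def behaviour_scan(events, allowed=frozenset({"mozilla.exe", "ssh"}), mail_fanout=3):
    """Return {process: set of rule names} for processes whose actions look wormy.

    Rules (assumed for this example):
      unapproved-outbound     process not on the allow-list opened a connection
      autostart-then-network  wrote to an autostart location and then went online
      smtp-fanout             spoke SMTP to >= mail_fanout distinct hosts
    """
    wrote_autostart = set()
    connected = set()
    smtp_targets = defaultdict(set)
    findings = defaultdict(set)
    for _ts, proc, kind, detail in events:
        if kind == "file_write" and any(h in detail.lower() for h in STARTUP_HINTS):
            wrote_autostart.add(proc)
        elif kind == "net_connect":
            host, _, port = detail.rpartition(":")
            connected.add(proc)
            if port == "25":
                smtp_targets[proc].add(host)
            if proc not in allowed:
                findings[proc].add("unapproved-outbound")
    for proc in wrote_autostart & connected:
        findings[proc].add("autostart-then-network")
    for proc, hosts in smtp_targets.items():
        if len(hosts) >= mail_fanout:
            findings[proc].add("smtp-fanout")
    return dict(findings)

if __name__ == "__main__":
    for label, blob in (("known worm", KNOWN_WORM), ("new variant", NEW_VARIANT),
                        ("clean file", CLEAN_FILE)):
        print(f"signature scan of {label}: {signature_scan(blob) or 'nothing'}")
    for proc, rules in behaviour_scan(EVENTS).items():
        print(f"behaviour alert for {proc}: {sorted(rules)}")
```

The signature pass only ever says what it already knows; the variant is invisible to it until a definition update ships. The behaviour pass does not need to know the worm's name, at the cost of prompting on anything unlisted (SETI@home gets flagged here until it is added to the allow-list), which is exactly the "paranoid at first" trade-off of a Zone Alarm style tool.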

Re: free intrusion detection?

Posted: Thu Mar 18, 2004 3:04 am
by quantus
Dwindlehop wrote:Does anyone know anything about this kind of software? I'm looking for basically anything that's free: open source, shareware, Win32, Linux, doesn't matter. I'm just not going to pay for it, is all.

While we're on the topic, what do you do at home to guard your system?

In the semi-far future, I'd like to see OS virtualization used for security purposes.
Well, along the lines of virus scanning programs are things like Ad Aware which get rid of a bunch of other crap that's probably on your Windows boxes just from browsing. Spybot Search & Destroy is like Ad Aware, but it scans for some different things and has some preventative measures that can be taken to keep from repeatedly getting some spyware.

Zone Alarm is probably your best bet when looking for something to help keep your computer from broadcasting virus activity to the web and stuff. It has a free version that just doesn't let you use some extra stuff (that's not too useful anyway). "Buy" a serial number and you get the full version.

Windows is moving towards OS virtualization, but with a bit more granularity such as process sandboxing. Of course, M$ probably won't get it right for a long time to come. Also, it needs better hardware support to keep a process from subverting the OS and taking over.

Posted: Thu Mar 18, 2004 5:39 pm
by VLSmooth
First off, Zone Alarm is very good, albeit very paranoid and hence a pain to setup at first.

As for open source, Snort is VERY popular and worth looking into if you're interested in IDS.

Whee, some of the useful stuff I learned from Information Warfare (besides lots about DDoS, applied common sense, packet sniffing telnet, etc)

* Intrusion Detection Services

Posted: Thu Mar 18, 2004 6:39 pm
by Jonathan
I don't need Ad Aware. I don't use Kazaa, I don't have Gator-enabled products, and I use Mozilla.

I am most worried about remote root exploits and internet worms. Snort looks like a good match for my needs. I'll play around with it some later.

Posted: Thu Mar 18, 2004 7:00 pm
by quantus
Dwindlehop wrote:I don't need Ad Aware. I don't use Kazaa, I don't have Gator-enabled products, and I use Mozilla.
Does Amber use Mozilla too? You'd be surprised what kind of crap can get installed on your computer through IE without you knowing about it. Install Spybot, run the inoculation, and have it alert you every time something is blocked. That'll show you what I mean. Advertisers are getting way too pushy about the info they want from people's browsing habits.

Posted: Thu Mar 18, 2004 8:11 pm
by Jonathan
Yes, Amber uses Mozilla.

Posted: Thu Mar 18, 2004 8:17 pm
by VLSmooth
Btw:
  • I use IE (*gasp*)
  • Don't use Ad Aware (*double gasp*)
  • Don't have spyware (*triple gasp*) 8)
I also keep track of all running processes, but maybe that's just me...

Posted: Thu Mar 18, 2004 10:36 pm
by quantus
VLSmooth wrote:I also keep track of all running processes, but maybe that's just me...
Ok, so do I, but it doesn't stop things like my home page from being hijacked or the search bar from being hijacked and turned on. It also doesn't stop random data directories from being created and/or accessed. Finally, your hosts file isn't protected and people could be redirecting you without you even knowing it. These are things that Spybot either prevents in the first place or can fix after a scan.

Anyways, my definition of spyware has grown beyond simple things like Gator. These are all attacks against how we use the internet, all for the purposes of spying on what/where we browse and to push unwanted advertising at us. We could make useless laws banning this stuff or we could simply hold people responsible for the crappy software they write which allows this to occur.

Using Mozilla is fine, except that often the only browser used for testing a webpage is the latest version of IE. We could blame people's laziness or again blame M$ and everyone else for not making and adhering to standards.
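An added example, not from the thread, for the hosts-file point in the post above: a small audit of the kind a Spybot scan performs, written from scratch here. It tells apart the benign "blackhole" entries an immunizer adds on purpose (ad and tracker domains pointed at 127.0.0.1 or 0.0.0.0) from the two hijacks worth an alert: a real site redirected to a remote address, and a security vendor's update host nulled so the box can no longer fetch definitions. The sample hosts content and the list of protected update hosts are constructed for the illustration; the fingerprint function is there so a later scan can be compared against a known-good baseline.

```python
# Added example (not code from the thread): audit a hosts file for hijacks.
import hashlib
import ipaddress

# Constructed hosts-file content, following the real "address hostname [aliases]"
# layout with '#' comments.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
127.0.0.1       ads.example-adserver.net      # added by an immunizer
0.0.0.0         tracker.example-counter.com
192.0.2.44      www.example-bank.com          # hijack: real site -> attacker IP
127.0.0.1       update.example-antivirus.com  # hijack: blocks definition updates
not-an-address  www.example-search.com
"""

# Constructed list of hosts this machine must stay able to reach for updates.
PROTECTED_HOSTS = {"update.example-antivirus.com", "windowsupdate.example.com"}

def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower()

def is_local(addr):
    """True for loopback (127.x) and unspecified (0.0.0.0 / ::) addresses."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified

def audit_hosts(text, protected=PROTECTED_HOSTS):
    """Return {hostname: verdict}.

    Verdicts: 'ok' (localhost), 'blackhole' (benign null-routing of an ad/tracker
    domain), 'redirect' (mapped to a non-local address, i.e. a hijack candidate),
    'update-blocked' (a protected update host nulled out), 'malformed' (bad address).
    """
    verdicts = {}
    for addr, name in parse_hosts(text):
        try:
            local = is_local(addr)
        except ValueError:
            verdicts[name] = "malformed"
            continue
        if name == "localhost":
            verdicts[name] = "ok"
        elif not local:
            verdicts[name] = "redirect"
        elif name in protected:
            verdicts[name] = "update-blocked"
        else:
            verdicts[name] = "blackhole"
    return verdicts

def hosts_fingerprint(text):
    """SHA-256 over the normalized entries, for comparison with a saved baseline."""
    canon = "\n".join(f"{a} {n}" for a, n in sorted(parse_hosts(text)))
    return hashlib.sha256(canon.encode()).hexdigest()

if __name__ == "__main__":
    for name, verdict in audit_hosts(SAMPLE_HOSTS).items():
        flag = "" if verdict in ("ok", "blackhole") else "  <-- check this"
        print(f"{name:32} {verdict}{flag}")
    print("fingerprint:", hosts_fingerprint(SAMPLE_HOSTS))
```

Only the verdicts that matter get the marker: a bank or search site pointed anywhere but loopback, and an update server pointed at loopback. Dozens of ad domains mapped to 127.0.0.1 are normal after immunizing and should not raise an alarm. Storing the fingerprint after a clean scan turns the check into a cheap "did anything touch my hosts file since last time" test, which is the part a process list never shows you.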

Posted: Thu Mar 18, 2004 11:58 pm
by Jonathan
You know, I really don't mind the laziness of a website designer who only tests with IE. Mozilla usually renders everything just fine. I find the people who design specifically for IE annoying, but I'm willing to let that slide. What I absolutely cannot stand is people who do explicit user agent checks for IE and then redirect me to a "Netscape" page telling me to download IE 4.0 or greater. That's just fucking stupid.

Posted: Fri Mar 19, 2004 2:18 am
by Jason
I theoretically should know a lot about this stuff since it's directly related to my work. I need to put it in the private forum though since I can't make it easily searchable. Also, I really don't feel like getting into this right now since I had an 11 hour day and this morning my entire team got ripped a new a-hole because we're behind schedule and over budget.