Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98



Chapter 8
UNIX System-Level IDSs

In the last chapter, you saw how scanning a system for flaws can reveal security weaknesses. The scanner periodically runs directly on the target to look at the contents of configuration files, for back-level programs with security holes, for known rogue programs, or for hacker tracks. Alternatively, you can run a network scan against a target node looking for vulnerabilities. In this chapter, you’ll examine IDSs that run at the system level. These tools run directly on the target system and look for evidence of misuse or intrusions.

Stalker has traditionally run on an interval basis, anywhere from once a minute to once a day. However, by the time this book is published, Stalker should be available as a real-time monitor that catches intrusions or misuses as they happen. The Computer Misuse Detection System (CMDS) runs in real time and thus also catches intruders in the act. Real-time detection and response are valuable features beyond those provided by scanners.

Stalker and CMDS differ in emphasis: Stalker is marketed as a pattern-matching tool, while the strength of CMDS lies in its statistical capabilities. After reading this chapter, you will see that both pattern matching and statistical anomaly detection have advantages. You will be glad to know that neither CMDS nor Stalker introduces a new security model. That is, no new subjects, objects, reference monitors, or access control lists are added to your environment when you install CMDS or Stalker. Also, both of these tools are known for analyzing audit logs, although their core architectures support analysis of other data sources, such as firewall or Web server log files.

To truly understand the strengths and limitations of system-level IDSs, you begin by learning example UNIX hacks that they can detect. After this, several sections describe Stalker and CMDS. Once you know what system-level tools are capable of finding, you will explore their shortcomings.

Detecting Hacks with Stalker

Stalker is a client-server, heterogeneous IDS for UNIX systems. In addition to providing intrusion and misuse detection, Stalker also can be used for audit reduction to whittle down a collection of audit records into meaningful information.

Stalker employs a client-server model for distributed, heterogeneous UNIX systems. The Stalker Manager software is installed on a central server from which clients are administered and monitored. Each node in the network watched by the Manager is called an Agent. The purpose of the agent code is to format the audit logs generated by the operating system into a common form. The intrusion detection engine thus is insulated as much as possible from subtle differences in the audit record layouts from different systems. From the Manager station, an administrator can configure the audit subsystems or analyze different client nodes. Today, only one node at a time can be the target of an operation, whether the operation involves configuration or analysis.

Stalker was originally intended for misuse and intrusion detection through reporting. The administrator would schedule analysis to run during the evening so that reports would be available in the morning. If an alert appeared in one of the reports, the administrator would see who did it, what happened, and how the perpetrator committed the crime. Because the audit logs carry the AUID (the audit user ID, which is fixed at login and survives a later su) for each event, and Stalker’s engine can track the path to an event, the report shows the sequence of events leading up to the problem.
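The following is an added example, not Stalker’s or CMDS’s code, that puts the three ideas from the preceding paragraphs together: an agent layer that normalizes two different audit-log layouts into a common record, a pattern-matching misuse detector that walks the records of each AUID in order and reports the trace that led to the alert, and a simple statistical check that flags an AUID whose failed-login count is far outside its baseline. The two log formats, the sample lines, the baseline counts and the privilege-escalation sequence are all constructed for illustration and do not correspond to any real vendor format.

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit lines in two hypothetical platform layouts.
# Format A: ISO timestamp followed by key=value pairs.
FORMAT_A = [
    "1998-10-01T09:00:01 auid=1001 uid=1001 ev=login rc=ok",
    "1998-10-01T09:01:10 auid=1001 uid=1001 ev=su target=root rc=fail",
    "1998-10-01T09:01:30 auid=1001 uid=1001 ev=su target=root rc=ok",
    "1998-10-01T09:02:05 auid=1001 uid=0 ev=write target=/etc/passwd rc=ok",
]
# Format B: pipe-separated fields ts|event|result|auid|uid|target.
FORMAT_B = [f"Oct  1 09:05:{s:02d}|login|FAIL|auid:1002|uid:1002|-"
            for s in range(0, 60, 10)]          # six failed logins
FORMAT_B.append("Oct  1 09:06:00|login|OK|auid:1002|uid:1002|-")

# Constructed per-day baseline of failed logins for each AUID (five prior days).
BASELINE_FAILED_LOGINS = {1001: [0, 1, 0, 0, 1], 1002: [0, 0, 1, 0, 0]}


@dataclass
class AuditRecord:
    """Common record the detection engine sees, whatever the source layout."""
    ts: str
    auid: int      # audit user ID: who logged in, unchanged by su
    uid: int       # effective user at the time of the event
    event: str
    target: str
    success: bool


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_format_a(line):
    ts, rest = line.split(" ", 1)
    kv = dict(KV_RE.findall(rest))
    return AuditRecord(ts, int(kv["auid"]), int(kv["uid"]), kv["ev"],
                       kv.get("target", "-"), kv["rc"] == "ok")


def parse_format_b(line):
    ts, ev, rc, auid, uid, target = line.split("|")
    return AuditRecord(ts, int(auid.split(":")[1]), int(uid.split(":")[1]),
                       ev, target, rc == "OK")


def load_all():
    """Agent step: turn both raw layouts into the common record form.
    Records are kept in input order; a real agent would sort by timestamp."""
    return ([parse_format_a(l) for l in FORMAT_A] +
            [parse_format_b(l) for l in FORMAT_B])


# Misuse pattern: an ordered sequence of predicates over one AUID's records.
PRIV_ESC_PATTERN = [
    lambda r: r.event == "su" and not r.success,
    lambda r: r.event == "su" and r.success and r.target == "root",
    lambda r: r.event == "write" and r.target == "/etc/passwd",
]


def match_sequence(records, pattern):
    """Return the records satisfying the pattern steps in order, else None."""
    trace, step = [], 0
    for r in records:
        if step < len(pattern) and pattern[step](r):
            trace.append(r)
            step += 1
    return trace if step == len(pattern) else None


def detect_misuse(records, pattern=PRIV_ESC_PATTERN):
    """Group by AUID so the trace follows the login identity across su."""
    by_auid = defaultdict(list)
    for r in records:
        by_auid[r.auid].append(r)
    alerts = {}
    for auid, recs in by_auid.items():
        trace = match_sequence(recs, pattern)
        if trace:
            alerts[auid] = trace
    return alerts


def detect_anomalies(records, baseline, threshold=3.0):
    """Flag AUIDs whose failed-login count is more than `threshold`
    standard deviations above their own baseline mean."""
    fails = defaultdict(int)
    for r in records:
        if r.event == "login" and not r.success:
            fails[r.auid] += 1
    flagged = {}
    for auid, history in baseline.items():
        mean = statistics.mean(history)
        sd = statistics.pstdev(history) or 1.0   # flat history: avoid divide by zero
        z = (fails[auid] - mean) / sd
        if z > threshold:
            flagged[auid] = round(z, 2)
    return flagged


def report(alerts):
    """Render each alert with the event trace that produced it."""
    lines = []
    for auid, trace in alerts.items():
        lines.append(f"ALERT auid={auid}: privilege-escalation pattern matched")
        for r in trace:
            lines.append(f"  {r.ts} uid={r.uid} {r.event} {r.target} "
                         f"{'ok' if r.success else 'fail'}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = load_all()
    print(report(detect_misuse(recs)))
    print("anomalies:", detect_anomalies(recs, BASELINE_FAILED_LOGINS))
```

Grouping by AUID rather than by uid is what makes the trace useful: the write to /etc/passwd happens with uid 0, but the report attributes it to the account that logged in and then used su. The statistical check deliberately compares each AUID against its own history, so a user who normally mistypes a password once a day is not flagged for doing so again.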

Several variations of Stalker have appeared in the marketplace including WebStalker, RT Stalker, and ProxyStalker for NT. These products use the same intrusion detection engine but run in real time and provide automated responses. Combining one of these real-time IDSs with the traditional investigative capabilities of Stalker gives you a powerful suite for monitoring your security policy.

The four main components in Stalker include the following:

  Audit Management
  Trace/Browser (TB)
  Misuse Detector (MD)
  Storage Manager

The Storage Manager is a set of shell scripts that can be used to migrate audit logs through a storage hierarchy. Many companies rely on home-grown or commercial storage management products to perform this task today. Therefore, this component is not discussed in detail here.

