3 Days Left to Save $400 on SANS Scottsdale 2015

Intrusion Detection FAQ: What is host-based intrusion detection?

Last updated 2/12/2008
Host-based ID involves loading a piece or pieces of software on the system to be monitored. The loaded software uses log files and/or the system's auditing agents as sources of data. In contrast, a network- based ID system monitors the traffic on its network segment as a data source. Both network-based and host-based ID sensors have pros and cons, and in the end, you'll probably want to use a combination of each. The person responsible for monitoring the IDS needs to be an alert, competent System Administrator, who is familiar with the host machine, network connections, users and their habits, and all software installed on the machine. This doesn't mean that he or she must be an expert on the software itself, but rather needs a feel for how the machine is supposed to be running and what programs are legitimate. Many break-ins have been contained by attentive Sys Admins who have noticed something "different" about their machines or who have noticed a user logged on at a time atypical for that user.

Host-based ID involves not only looking at the communications traffic in and out of a single computer, but also checking the integrity of your system files and watching for suspicious processes. To get complete coverage at your site with host-based ID, you need to load the ID software on every computer. There are two primary classes of host-based intrusion detection software: host wrappers/personal firewalls and agent-based software. Either approach is much more effective in detecting trusted-insider attacks (so-called anomalous activity) than is network-based ID, and both are relatively effective for detecting attacks from the outside.

Host wrappers or personal firewalls can be configured to look at all network packets, connection attempts, or login attempts to the monitored machine. This can also include dial-in attempts or other non-network related communication ports. The best known examples of wrapper packages are TCPWrappers (http://coast.cs.purdue.edu/pub/tools/unix) for Unix and Nuke Nabber (http://www.amitar.com.au/DOWNLOADS/INTERNET/PROTECTION/NukeNabber_2_9b.html) for Windows. Personal firewalls can also detect software on the host attempting to connect to the network, such as WRQ's AtGuard (http://www.atguard.com).

In addition, host-based agents may be able to monitor accesses and changes to critical system files and changes in user privilege. Well-known commercial versions include products from AXENT (acquired by Symantec), CyberSafe, (ww.cybersafe.com) ISS, (www.iss.net) and Tripwire (www.tripwiresecurity.com). (There's also an Academic Source Release of Tripwire available if your site is an academic department of a state university.)

In addition, UNIX has a rich set of software tools to perform intrusion detection. No one package will do everything, and the software should be tailored to the individual computer that's being monitored. For example, if a machine has only a handful of users, perhaps only the connections from the outside and the integrity of the system files need to be monitored; whereas, a machine with a lot of users or network traffic may need more stringent monitoring. Types of software that help monitor hosts include: system and user log files (syslog); connectivity monitoring (TCPwrappers, lastlog); process monitoring (lsof (http://vic.cc.purdue.edu/pub/tools/unix/lsof http://freshmeat.net/projects/lsof/), process accounting); disk usage monitoring (quotas); session monitoring (options to ftpd to log all file transfers, process accounting); system auditing (audit).

UNIX host-based intrusion detection is only as good as the logging that's done. Programs can be written to analyze log files and alert the Sys Admin via e-mail or pager when something is amiss. System logging output can be sent to a remote site or modified, so that the log files are put into non-standard places to prevent hackers from covering their tracks. With the prevalence of hacking scripts, home-brew monitoring can be set up to watch for specific instances of break-ins. Some "must-reads" for the Sys Admin new to host-based intrusion is Practical Unix & Internet Security by Simson Garfinkel and Gene Spafford, (2nd edition, published by O'Reilly) and Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response, by Edward Amoroso", (published by Intrusion.Net Books). Manual pages for network daemons give information on how to produce logging. Any of the xxxstat programs (vmstat, netstat, nfsstat) or software like t!'op (ftp.groupsys.com/pub/top) can help point out suspicious activity. Know your system, and know it well.

A truly effective IDS will use a combination of network- and host-based intrusion detection. Figuring out where to use each type and how to integrate the data is a real and growing concern.

Laurie Zirkle, CSE
Virginia Tech CNS