Tuesday, October 6, 2009

HIDS

My last post on IDS will be a high-level description of Host Based Intrusion Detection.
Host Based Intrusion Detection, or HIDS, is a sensor that runs on the monitored device itself, as the name suggests. Whereas a NIDS monitors an entire network segment and all of the hosts that talk on it, a HIDS watches for activity on one computer.
There are several ways that a HIDS accomplishes this. The first one is by monitoring the logs of the application that the server hosts. A policy applied to the HIDS tells it where the log file resides, what format it is in, how often it rotates and other config settings, such as whether the HIDS needs to decode evasion tactics like uuencoding or hex/percent-encoded equivalents that an attacker uses to mask strings. The log is tailed and each new line is compared to signatures, like a NIDS does with packets, and if a pattern matches the software alerts. The decoding step matters: a signature for "../" that is applied to the raw line misses the same traversal sent as "%2e%2e%2f", and double encoding ("%252e") defeats a single pass of decoding.
</gre_replace>
<gr_insert after="7" cat="add_content" lang="python" orig="There are several ways">
As an added illustration of the log-monitoring path described above (this is example code written for this post, not from the original article or from any particular HIDS product), the following Python block tails a log, normalizes each line by repeatedly percent-decoding it, and matches it against a small hypothetical signature set. The sample access-log lines, the signature names and the `follow()` helper are all constructed for the example; the same attack appears in plain, encoded and double-encoded form so you can see which lines are missed without decoding.

```python
import os
import re
import time
import urllib.parse

# Constructed sample web-server access-log lines (not from the original post).
# Lines 2-4 carry the same traversal attack in plain, percent-encoded and
# double-percent-encoded form.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2009:10:01:12 -0400] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [06/Oct/2009:10:01:15 -0400] "GET /cgi-bin/test.cgi?file=../../../../etc/passwd HTTP/1.1" 404 221
10.0.0.9 - - [06/Oct/2009:10:01:18 -0400] "GET /cgi-bin/test.cgi?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 221
10.0.0.9 - - [06/Oct/2009:10:01:21 -0400] "GET /scripts/..%252f..%252fwinnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 0
10.0.0.7 - - [06/Oct/2009:10:02:03 -0400] "POST /login HTTP/1.1" 302 0
"""

# Hypothetical signature set: name -> compiled pattern (applied to the
# lower-cased, decoded line).
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
    "etc-passwd-access": re.compile(r"/etc/passwd"),
    "cmd-exe-access": re.compile(r"cmd\.exe", re.IGNORECASE),
}


def normalize(line, max_rounds=3):
    """Undo the encodings an attacker may use to hide a string from a naive
    pattern match. Percent-decoding is applied repeatedly (bounded) because
    double encoding (%252f -> %2f -> /) is a common evasion; backslashes are
    folded to forward slashes so Windows-style traversal is caught too."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(line)
        if decoded == line:
            break
        line = decoded
    return line.replace("\\", "/").lower()


def match_line(line, decode=True):
    """Return the sorted list of signature names that fire on one log line.
    decode=False shows what a matcher without the evasion decoding sees."""
    text = normalize(line) if decode else line
    return sorted(name for name, pat in SIGNATURES.items() if pat.search(text))


def scan_log(text):
    """Run every line of a log through the signatures; return (lineno, hits)."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = match_line(line)
        if hits:
            alerts.append((lineno, hits))
    return alerts


def follow(path, poll_seconds=1.0):
    """Yield lines appended to path after we start, like `tail -f`.
    A production agent also has to notice rotation (inode change or
    truncation) and reopen the file; this minimal version does not."""
    with open(path, "r", errors="replace") as f:
        f.seek(0, os.SEEK_END)
        while True:
            line = f.readline()
            if not line:
                time.sleep(poll_seconds)
                continue
            yield line.rstrip("\n")


if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)}")
```

Without the `normalize()` step the encoded line 3 produces no alert at all and the double-encoded line 4 only trips the `cmd.exe` signature, which is exactly the gap the policy's decoding setting is meant to close. For a live log you would feed `follow(path)` into `match_line()` instead of `scan_log()`.
<test>
assert scan_log(SAMPLE_LOG) == [
    (2, ["directory-traversal", "etc-passwd-access"]),
    (3, ["directory-traversal", "etc-passwd-access"]),
    (4, ["cmd-exe-access", "directory-traversal"]),
]
lines = SAMPLE_LOG.splitlines()
assert match_line(lines[2], decode=False) == []
assert match_line(lines[3], decode=False) == ["cmd-exe-access"]
assert match_line(lines[0]) == []
assert normalize("/a/..%252f..%252fb") == "/a/../../b"
</test>
</gr_insert>
<gr_replace lines="8" cat="clarify" orig="Host based also does">
Host based also does system integrity checking, similar to Tripwire. Certain key system files are monitored for things like their hash (MD5 sum in the classic tools; a current deployment should use SHA-256, since MD5 collisions are practical), file creation and modification times and size. If a file is modified or removed, the system will send an alert. Note that timestamps alone are weak evidence, because an attacker who replaces a binary can restore its old modification time, so the content hash is the check that actually counts, and the baseline itself must be stored where the attacker cannot rewrite it. The system can also monitor the system logs (like Event Viewer on a Windows box or the logfiles in /var/log on a Linux box) and alert on certain entries. It can also monitor the registry on a Windows box for certain key modifications or new entries, like a new process added to the Run key.
Host based also does system integrity checking, similar to Tripwire. Certain key system files are monitored for things like their MD5 sum, file creation and modification times and size. If a file is modified or removed, the system will send an alert. The system can also monitor the system logs (like Event Viewer on a Windows box or logfiles in var/log on a Linux box) and alert on certain entries. It can aslo monitor the registry on a Windows box for certain key modifications or new entries, like a new process added to the Run key.
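As an added example of the Tripwire-style integrity check described above (written for this post; it is not the code of Tripwire or of any HIDS product), the following Python block takes a baseline of every file under a directory, recording SHA-256, size and modification time, and then diffs a later snapshot against it. The `demo()` function builds a throwaway directory with constructed files and simulates three kinds of attacker activity, including a same-size binary replacement whose timestamp is put back, to show that only the hash catches that case. Directory layout and file names are invented for the demo.

```python
import hashlib
import os
import shutil
import tempfile


def file_record(path):
    """Attributes the integrity checker tracks for one file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mtime_ns": st.st_mtime_ns}


def build_baseline(root):
    """Map relative path -> record for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_record(full)
    return baseline


def compare(baseline, current):
    """Return what the HIDS would alert on: added, removed and modified
    files, with the attributes that differ for each modified one."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = []
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        reasons = [k for k in ("sha256", "size", "mtime_ns") if old[k] != new[k]]
        if reasons:
            modified.append((rel, reasons))
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario in a temp directory; returns the compare() result."""
    root = tempfile.mkdtemp()
    try:
        def put(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            return full

        put("etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        put("etc/hosts", b"127.0.0.1 localhost\n")
        ls = put("bin/ls", b"\x7fELF-original-binary\n")  # fake binary, same length as below
        baseline = build_baseline(root)

        # Simulated attacker activity (constructed):
        # 1. replace bin/ls with a same-size trojan and restore its timestamp
        st = os.stat(ls)
        put("bin/ls", b"\x7fELF-trojaned-binary\n")
        os.utime(ls, ns=(st.st_atime_ns, st.st_mtime_ns))
        # 2. append a backdoor account to passwd
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"backdoor:x:0:0::/:/bin/bash\n")
        # 3. delete one watched file and drop a new one
        os.remove(os.path.join(root, "etc/hosts"))
        put("tmp/.dropper", b"#!/bin/sh\n")

        return compare(baseline, build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

In the demo the trojaned `bin/ls` shows up with `sha256` as the only differing attribute: size and mtime were deliberately preserved, which is why a checker that trusts timestamps would stay silent. A real deployment keeps the baseline off the host or signs it, and re-baselines only after a deliberate, verified change such as a patch run.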
And lastly, the HIDS may have the ability to monitor the kernel of the system itself. If a process installs a hook in the system call table or the interrupt descriptor table, which can be indicative of a kernel-mode rootkit, the program can alert and identify the location on the file system of the process that installed it. One caveat: a check that runs inside the same kernel it is inspecting can itself be lied to once a rootkit is resident, so this kind of monitoring is only as trustworthy as the clean state it was baselined from.
This is a very simple, high-level overview of IDS. If you are new to network security or just interested in learning more, there are tons of good books on the subject. One of the better ones I've read is "Network Intrusion Detection" by Stephen Northcutt and Judy Novak. Stephen also co-authored "Intrusion Signatures and Analysis", which I consider to be the companion work, and would recommend reading both.
