An introduction to intrusion detection systems
A host monitor (e.g., the Dragon Squire) looks at system logs for evidence of malicious or suspicious application activity in real time. It also monitors key system files for evidence of tampering.
Careful consideration is required in this area to ensure that performance is not degraded. Fortunately, Dragon Squire has been tuned to prevent high load levels and minimize any negative impact to a server's performance.
Besides being an excellent system security tool, Dragon Squire can also analyse firewall logs, router events and just about anything that can speak SNMP or SYSLOG.
Dragon Squire also monitors key system files for change, which includes access time, file size and an MD5 cryptographic checksum. The checksum is stored at the Dragon Server for off-line verification.
Dragon Squire's signature library includes suspicious events from a wide variety of operating systems. These events check for suspicious file transfers, denied login attempts, physical messages (like an Ethernet interface set to promiscuous mode) and system reboots. The library also includes security messages from many applications and services such as Secure Shell, Sendmail, Qmail, Bind and Apache Web servers.
Dragon Squire also has the ability to monitor log files from a variety of open source and commercial firewalls. These logs may be read from a local SYSLOG server or sent to Dragon Squire directly via SNMP.
Writing signatures for Dragon Squire is very easy. Almost any flat ASCII log file can be processed for unique security information.
Dragon Squire has been engineered to have little impact on the servers it is protecting. The MD5 checksum, log searching and communication with the Dragon Server have all been optimized to minimize system performance impact.
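The two checks described above (signature matching over flat ASCII log lines, and file-integrity checks against a baseline of size and MD5 checksum kept off-host) as an added illustration; this is not Dragon Squire's code, and the signature names, regexes and sample log lines are constructed for the example:

```python
import hashlib
import os
import re
import tempfile

# Hypothetical signature library: name plus a regex over syslog-style text.
SIGNATURES = [
    ("ssh_failed_login", re.compile(r"sshd\[\d+\]: Failed password for")),
    ("promiscuous_mode", re.compile(r"device \S+ entered promiscuous mode")),
    ("system_reboot", re.compile(r"shutting down for system reboot")),
]
# Constructed sample log lines; 192.0.2.0/24 is a documentation-only range.
SAMPLE_LOG = [
    "Mar  4 10:01:12 host sshd[2311]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2",
    "Mar  4 10:01:15 host sshd[2311]: Accepted publickey for ops from 192.0.2.20 port 51030 ssh2",
    "Mar  4 10:02:40 host kernel: device eth0 entered promiscuous mode",
    "Mar  4 10:05:03 host shutdown[2400]: shutting down for system reboot",
]

def scan_log(lines):
    """Return (signature name, line) for every line that matches a signature."""
    return [(name, line) for line in lines
            for name, pattern in SIGNATURES if pattern.search(line)]

def fingerprint(path):
    """Size and MD5 of a monitored file (the product also records access time)."""
    with open(path, "rb") as f:
        digest = hashlib.md5(f.read()).hexdigest()
    return {"size": os.path.getsize(path), "md5": digest}

def check_integrity(baseline, paths):
    """Compare files against a stored baseline; a file missing from it is flagged too."""
    findings = []
    for path in paths:
        now, before = fingerprint(path), baseline.get(path, {})
        changed = [k for k in ("size", "md5") if now[k] != before.get(k)]
        if changed:
            findings.append((path, changed))
    return findings

def demo():
    """Constructed run: baseline a file, modify it, re-check, then scan the sample log."""
    path = os.path.join(tempfile.mkdtemp(), "passwd")
    with open(path, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    baseline = {path: fingerprint(path)}  # in practice stored on the central server
    with open(path, "a") as f:
        f.write("guest:x:1001:1001::/home/guest:/bin/sh\n")  # constructed change
    return check_integrity(baseline, [path]), scan_log(SAMPLE_LOG)
```

Keeping the baseline on a separate server, as the text describes, matters because a baseline stored on the monitored host can be rewritten along with the files it covers.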
Dragon Squire is also an excellent complement to the Dragon Sensor network IDS. Many network attacks (such as web attacks sent over an SSL connection) cannot be observed by the Dragon Sensor, or by any other NIDS, because the traffic is encrypted on the wire. Correlating these host and network events (along with firewall information) is accomplished at the Dragon Server.