Saturday, December 4, 2010

Advanced Intrusion Detection Environment (AIDE) - host-based IDS for Linux

Advanced Intrusion Detection Environment (AIDE) is a host-based IDS and a free substitute for Tripwire.
It scans the filesystem and records the attributes of important files, directories, and devices in a database. Each subsequent run compares the freshly scanned attributes against that previous, "known good" database and reports anything that has changed. Keep in mind that AIDE only detects changes after the fact: the baseline has to be taken on a clean system, and the database (together with the config and the aide binary) should be kept somewhere an intruder with root cannot silently rewrite it, such as read-only media or an off-host copy; otherwise a compromised host can simply be re-baselined to look unchanged.
AIDE works by reading in the configuration file /etc/aide/aide.conf, which contains:
1. The attributes to record for each entry. There are currently thirteen attributes that AIDE can log, including permissions, owner, group, size, all three timestamps (atime, ctime, and mtime), plus lower-level details such as inode, block count, and number of links.
Attribute sets are defined in the conf file as named rules, using single-letter codes for the attributes. For example:

  SizeOnly = s+b
  SizeAndChecksum = s+b+md5+sha1
  ReallyParanoid = p+i+n+u+g+s+b+m+a+c+md5+sha1+rmd160+tiger+whirlpool

The first line defines a rule that records just the size (s) and block count (b). The second adds MD5 and SHA-1 checksums, and the third records just about every supported attribute, including permissions (p), inode (i), link count (n), owner (u), group (g), the three timestamps (m, a, and c) and a fistful of additional hashes. One practical caveat: a rule that includes a (atime) will flag every file that has merely been read, so it is normally left out of rules used in production.
AIDE supports multiple hash algorithms with which it can generate checksums for each file. By default, the list includes MD5, SHA-1, SHA-256, SHA-512, RMD-160, Tiger, HAVAL, and CRC-32. If you compile AIDE with the mhash option to the configure script, you can also use GOST and Whirlpool. MD5 is broken and SHA-1 is no longer considered collision resistant, so for new configurations prefer sha256 or sha512 rather than relying on md5 or sha1 alone.

2. The list of directories and files to scan.
Below the rule definitions you will find lines listing the directories and files to check, written as regular expressions that are matched against the start of each path, each followed by the rule to apply. For example:

  /etc SizeAndChecksum
  /sbin ReallyParanoid
  /var SizeOnly
  !/var/log/.*
  !/var/spool/.*

The first three lines are "positive" expressions, which tell AIDE to include everything that matches the regular expression and record the attributes named by the given rule (note that the rule name must be one you defined above; here SizeOnly). The leading exclamation point on the last two marks a "negative" expression, which in this case excludes the rapidly changing /var/log/ and /var/spool/ trees so that routine log rotation and mail spooling do not bury real changes in noise. A third form, a leading equals sign, matches only the named directory itself and not what lies below it; see the manual.
In the same way you can add the paths of any other directories you want monitored, such as your web root (for example /var/www), which is where an attacker's uploaded scripts usually end up.
For the remaining options and features, please go through the manual.
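Putting the pieces together, here is a small POSIX shell script that writes a complete aide.conf of the kind described above, takes the baseline with aide --init, runs aide --check, and turns AIDE's exit status into words. It is an added example and not code from the original post or from the AIDE project. It assumes the aide package is installed, root privileges, a writable /var/lib/aide, and a web root at /var/www; the rule names are labels chosen for the example, and the exit-status meanings are taken from the aide(1) man page (check the page for your version).

```shell
#!/bin/sh
# Added example, not code from the original post or from the AIDE project.
# Assumptions: the 'aide' package is installed, this runs as root, and the
# database directory /var/lib/aide exists. The rule names (SizeOnly,
# SizeAndChecksum, ReallyParanoid) are labels chosen for this example.
set -eu

AIDE_DB=/var/lib/aide/aide.db          # baseline ("known good") database
AIDE_DB_NEW=/var/lib/aide/aide.db.new  # where --init / --update write

# Write a complete aide.conf to $1 that also watches the web root given as $2.
write_aide_conf() {
  conf="$1"; webroot="$2"
  cat > "$conf" <<EOF
# Input baseline and output of a fresh scan.
database=file:$AIDE_DB
database_out=file:$AIDE_DB_NEW

# Attribute sets. 'a' (atime) is left out on purpose: it changes on every read.
SizeOnly = s+b
SizeAndChecksum = s+b+sha256
ReallyParanoid = p+i+n+u+g+s+b+m+c+sha256+sha512

# Selection lines: a regex matched against the start of the path; '!' excludes.
/etc SizeAndChecksum
/bin ReallyParanoid
/sbin ReallyParanoid
$webroot SizeAndChecksum
/var SizeOnly
!/var/log/.*
!/var/spool/.*
EOF
}

# Take the baseline and move it into place as the known-good database.
aide_baseline() {
  aide --config="$1" --init
  mv "$AIDE_DB_NEW" "$AIDE_DB"
}

# Compare the filesystem against the baseline; returns AIDE's exit status.
aide_check() {
  if aide --config="$1" --check; then return 0; else return $?; fi
}

# Decode AIDE's exit status (a bitmask per aide(1): 1 new, 2 removed, 4 changed;
# 14 and above are errors). Pure shell, so it works without aide installed.
explain_aide_status() {
  st="$1"; out=""
  if [ "$st" -ge 14 ]; then echo "error (status $st)"; return 0; fi
  [ $((st & 1)) -ne 0 ] && out="$out new-files"
  [ $((st & 2)) -ne 0 ] && out="$out removed-files"
  [ $((st & 4)) -ne 0 ] && out="$out changed-files"
  [ -n "$out" ] || out=" no-changes"
  echo "${out# }"
}

# Demo (only runs on a host with aide, and only when AIDE_DEMO=1 is set):
# baseline, drop a constructed file into the web root, then check.
if [ "${AIDE_DEMO:-0}" = 1 ] && command -v aide >/dev/null 2>&1; then
  conf=$(mktemp)
  write_aide_conf "$conf" /var/www
  aide_baseline "$conf"
  touch /var/www/unexpected.php     # constructed change for the demo
  aide_check "$conf" && st=0 || st=$?
  echo "AIDE reports: $(explain_aide_status "$st")"
  rm -f "$conf" /var/www/unexpected.php
fi
```

The usual deployment is to run aide_check from cron and mail the report, then re-run --init (or --update) only after a human has confirmed that the reported changes were legitimate, for example after a package upgrade. Until the new baseline is accepted, keep the previous aide.db off the host so that the comparison cannot be tampered with.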
Main site: http://aide.sourceforge.net/
Download link: http://sourceforge.net/projects/aide


References:
http://www.linux.com/learn/tutorials/386908:weekend-project-intrusion-detection-on-linux-with-aide
http://aide.sourceforge.net/
