SAMHAIN - An open-source Host Intrusion Detection System (HIDS)

Document sample shared by liamei12345 (posted 10/21/2011, English, 31 pages)

Motivation Potential Solutions Samhain

SAMHAIN
An open-source Host Intrusion Detection System (HIDS)

Rainer Wichmann

Rainer Wichmann The Samhain HIDS

A simple question

How can you defend against intrusions?

Potential Solutions: Firewalls, NIDSs, File Integrity Verification

Firewalls

A building without openings is useless.
A human body without openings would be dead.
A server without open ports is pointless.

Intruders enter through open ports, not through the wall!

NIDS

Search network traffic for known attack patterns.

This is a known attack on health (image slide).
But the attack can look different..
..and may come in disguise.

Is this an attack on your server?

"There is a major center of economic activity, such as Star Trek, including the Ed Sullivan show. The former Soviet Union..."

Or is it just spam?
It is ix86 binary executable code! (English Shellcode, Mason et al. 2009)

Recognizing an attack by pattern matching is difficult at best.

File Integrity Verification

Fingerprints are unique. So are cryptographic checksums.

MD5 fingerprint.jpg:
6d49 6d22 f8c8 b2c7 d4ab d39e 0054 9d7a

Firewalls and NIDSs
- are convenient, because they can be installed at a central point
- may be circumvented

File integrity verification
- is very robust
- requires monitoring of all individual hosts

Samhain: Introduction, Server, Clients, Beltane II

Samhain

Samhain is an open-source Host Intrusion Detection System (HIDS) with central management.

A complete Samhain system (diagram slide)

What you get

Samhain provides a centralized client-server host monitoring system.

Samhain Host Integrity Checks
- File integrity verification
- Logfile monitoring
- Login/logout monitoring
- Hidden process detection
- Open port detection

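The baseline-and-checksum idea from the File Integrity Verification slides, and the first of the host integrity checks listed above, as an added example that is not Samhain's own code: a minimal verifier that fingerprints a directory tree, stores the baseline, and reports added, removed and modified files on a later scan. It uses SHA-256 rather than the MD5 shown on the slides; the directory tree, file contents and the tampering in `demo()` are constructed for the demonstration, and the `stored` JSON string only stands in for the baseline a Samhain server would hold.

```python
"""Added example (not Samhain's own code): a minimal file integrity verifier.
Build a baseline of cryptographic checksums plus file attributes for a tree,
then compare a fresh scan against it and report anomalies the way a HIDS
would. The sample tree and the changes made to it are constructed below."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Checksum plus the attributes a checker compares (timestamps left out
    so the demo is deterministic; a real checker such as Samhain records them)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.lstat()
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[str(p.relative_to(root))] = fingerprint(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Rescan root and return the anomalies relative to the baseline."""
    current = build_baseline(root)
    report = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(current) | set(baseline)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if changed:
                report["modified"][rel] = changed
    return report


def demo() -> dict:
    """Constructed scenario: take a baseline, alter the tree, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"#!/bin/sh\nexec /usr/bin/real-login\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(root / "etc" / "passwd", 0o644)  # explicit, so umask cannot vary it
        (root / "etc" / "motd").write_text("welcome\n")

        baseline = build_baseline(root)
        # The stored copy stands in for the baseline kept on the Samhain server,
        # out of reach of anyone who tampers with the monitored host.
        stored = json.dumps(baseline)

        # Simulated changes: content replaced, a new file, a deleted file, and a
        # permission change that leaves the content (and thus the hash) intact.
        (root / "bin" / "login").write_bytes(b"#!/bin/sh\nexec /tmp/other\n")
        (root / "etc" / "extra.conf").write_text("x\n")
        (root / "etc" / "motd").unlink()
        os.chmod(root / "etc" / "passwd", 0o600)

        return verify(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The permission-only change on `etc/passwd` is why a checker compares attributes and not just checksums: the hash is unchanged, yet the file's mode is not what the baseline recorded. The report is only as trustworthy as the baseline it is compared against, which is the reason the slides put configuration and baseline data on the server rather than leaving them on the monitored host.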
The Samhain Server
- Stores critical data (configuration, baseline)
- Authenticates connecting clients
- Serves configuration and baseline data
- Receives reports and logs them to a RDBMS (MySQL, PostgreSQL, Oracle)

The Samhain Clients
- At startup download configuration and baseline data from the server
- Perform integrity checks as configured
- Report anomalies to the server

The Beltane II Console
- Review reports from clients
- Server-side updates of baseline data
- Check client status
- Edit and reload configuration data
- Multiple users with different roles

Thank you for your attention!