Introduction to the stealth mode functionality of an open source Host Intrusion Detection System called Samhain, and an analysis of how exactly it applies it in the operating system.
1. C:> telnet Host.Intrusion.Detection...like.a.boss
HELO Confraria de Segurança de Informação
PRESENTATION FROM: André Lima
RCPT TO: Confraria@Forum.Picoas
WHEN 26 Nov 2014
DATA
Good evening, everyone!
.
QUIT
by André Lima,
Associate CISSP / ISO27001 / CCNA Security
@0x4ndr3
al@integrity.pt
https://www.linkedin.com/in/aflima
2. $whois andrelima
• Consultant at Integrity S.A.
• Associate Certified Information Systems Security Professional
(CISSP)
• ISO 27001 LA
• CCNA Security
• CCNP Route
• Computer Engineering @ ISEL
0x4ndr3
al@integrity.pt
https://www.linkedin.com/in/aflima
3. $cat agenda.txt
• Context
• Intro to Samhain
• Stealth – how it works
• Stealth – installation details
• Demo
• Precautions
• Conclusions
• References
• Questions
6. $samhain -h
• Open-source multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows)
• Supports a client-server model: configuration + database files
• Provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, etc.
http://www.la-samhna.de/samhain/
7. $samhain -h
• File signatures
– Inode + timestamps + owner and group + permissions + number of hardlinks + etc.
• File system SUID/SGID binaries
• Detecting kernel rootkits
• Checking for open ports
• Log file validation
• User ID (Linux Audit Daemon)
• ...
• Stealth mode!
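The "file signatures" bullet is the core of what a HIDS does, so here is an added example (my code, not Samhain's) of that check in C: it collects the attributes the slide lists (inode, timestamps, owner/group and permissions, hard-link count) plus a content digest into a baseline, and reports which of them changed on a later pass. The struct and function names are mine, the FNV-1a digest is a non-cryptographic stand-in for the cryptographic checksum a real HIDS would compute, and the temp-file tampering in self_check() is a constructed scenario for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Bit mask returned by sig_compare(): which parts of the signature changed. */
enum {
    SIG_INODE   = 1 << 0,
    SIG_MODE    = 1 << 1,   /* permission bits / file type */
    SIG_OWNER   = 1 << 2,   /* uid or gid */
    SIG_NLINK   = 1 << 3,   /* number of hard links */
    SIG_SIZE    = 1 << 4,
    SIG_MTIME   = 1 << 5,
    SIG_CONTENT = 1 << 6    /* content digest */
};

/* The file signature: the stat(2) attributes from the slide plus a content digest. */
struct file_sig {
    ino_t ino; mode_t mode; uid_t uid; gid_t gid; nlink_t nlink;
    off_t size; time_t mtime; uint64_t digest;
};

/* FNV-1a over the file contents: a non-cryptographic stand-in for the
 * cryptographic hash a real HIDS computes (used here only to keep the demo short). */
static int digest_file(const char *path, uint64_t *out)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    uint64_t h = 14695981039346656037ULL;
    unsigned char buf[4096];
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        for (ssize_t i = 0; i < n; i++) { h ^= buf[i]; h *= 1099511628211ULL; }
    close(fd);
    if (n < 0) return -1;
    *out = h;
    return 0;
}

/* Record the baseline (or current) signature of one path. Returns 0 on success. */
int sig_collect(const char *path, struct file_sig *s)
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    s->ino = st.st_ino;   s->mode = st.st_mode;   s->uid = st.st_uid;
    s->gid = st.st_gid;   s->nlink = st.st_nlink; s->size = st.st_size;
    s->mtime = st.st_mtime;
    return digest_file(path, &s->digest);
}

/* Compare a stored baseline with a fresh signature; 0 means "unchanged". */
int sig_compare(const struct file_sig *base, const struct file_sig *now)
{
    int m = 0;
    if (base->ino != now->ino)       m |= SIG_INODE;
    if (base->mode != now->mode)     m |= SIG_MODE;
    if (base->uid != now->uid || base->gid != now->gid) m |= SIG_OWNER;
    if (base->nlink != now->nlink)   m |= SIG_NLINK;
    if (base->size != now->size)     m |= SIG_SIZE;
    if (base->mtime != now->mtime)   m |= SIG_MTIME;
    if (base->digest != now->digest) m |= SIG_CONTENT;
    return m;
}

/* Constructed scenario on a temp file: take a baseline, then simulate tampering
 * (mode change, appended bytes, an extra hard link) and return the change mask.
 * Returns -1 if the temp file could not be set up. */
int self_check(void)
{
    char path[] = "/tmp/sig_demo_XXXXXX";
    char link_path[sizeof path + 4];
    struct file_sig base, now;
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (sig_collect(path, &base) != 0) { close(fd); unlink(path); return -1; }
    if (chmod(path, 0640) != 0 || write(fd, "tampered", 8) != 8) { close(fd); unlink(path); return -1; }
    snprintf(link_path, sizeof link_path, "%s.lnk", path);
    if (link(path, link_path) != 0) { close(fd); unlink(path); return -1; }
    close(fd);
    int rc = sig_collect(path, &now);
    unlink(link_path);
    unlink(path);
    return rc == 0 ? sig_compare(&base, &now) : -1;
}

int main(void)
{
    static const struct { int bit; const char *name; } names[] = {
        { SIG_INODE, "inode" }, { SIG_MODE, "mode" }, { SIG_OWNER, "owner/group" },
        { SIG_NLINK, "hardlinks" }, { SIG_SIZE, "size" }, { SIG_MTIME, "mtime" },
        { SIG_CONTENT, "content" }
    };
    int mask = self_check();
    if (mask < 0) { perror("self_check"); return 1; }
    printf("changed:");
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (mask & names[i].bit) printf(" %s", names[i].name);
    printf("\n");
    return 0;
}
```

The change mask is what turns a raw diff into a useful alert: a changed hard-link count with an unchanged digest means something else now points at the file, while a changed digest with an unchanged size or mtime is the pattern of an edit that tried to cover its tracks, which is why a real deployment stores the baseline (and the HIDS binary itself) where an intruder cannot silently rewrite it, the problem the stealth slides address.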
8. $samhain -h | grep 'Stealth Mode'
• What does it mean?
– Obfuscating strings in the binaries, the logfile and the database (XML DB)
– The configuration can be steganographically hidden in a PostScript image file
– Renaming the HIDS binary (and its auxiliary applications)
– Not enabled by default but advised: delete the man pages folder!
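To make the first bullet concrete, here is an added C example (my code, not Samhain's) of what "obfuscating strings in the binary" buys a HIDS. The slide does not say how Samhain obfuscates; the example assumes the simplest scheme, XOR of every byte with a constant (STEALTH_XOR = 0xA5 is an assumed value), and uses a strings(1)-style scanner to show that a clear-text path is trivially visible in a binary image while the obfuscated form is not, even though the program restores it at run time. The configuration path is a constructed sample, not a real default.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed XOR constant. Any value >= 0x80 maps printable ASCII (0x20..0x7e)
 * to bytes >= 0x80, so the plaintext leaves no printable run in the binary. */
#define STEALTH_XOR 0xA5

/* XOR with a constant is its own inverse: one call obfuscates, a second restores. */
void stealth_xor(unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) buf[i] ^= STEALTH_XOR;
}

/* Byte-string search (memmem is non-standard, so it is written out). */
static int find_bytes(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Minimal imitation of strings(1): does `needle` occur inside a run of at least
 * `min_run` printable ASCII bytes? This is what a quick `strings binary | grep`
 * amounts to, and what string obfuscation is meant to defeat. */
int strings_would_find(const unsigned char *buf, size_t n, const char *needle, size_t min_run)
{
    size_t run_start = 0;
    for (size_t i = 0; i <= n; i++) {
        int printable = i < n && buf[i] >= 0x20 && buf[i] < 0x7f;
        if (printable) continue;
        size_t run_len = i - run_start;
        if (run_len >= min_run && find_bytes(buf + run_start, run_len, needle)) return 1;
        run_start = i + 1;
    }
    return 0;
}

/* Constructed sample: the path of the HIDS configuration file (not a real
 * default), surrounded by non-printable filler bytes as machine code would be. */
static const char SECRET[] = "/etc/hids/stealth.conf";
enum { IMG_MAX = 64 };

static size_t build_image(unsigned char img[IMG_MAX], int obfuscate)
{
    const unsigned char filler[] = { 0x00, 0x01, 0x7f, 0xff };
    unsigned char sec[sizeof SECRET - 1];
    memcpy(sec, SECRET, sizeof sec);
    if (obfuscate) stealth_xor(sec, sizeof sec);
    size_t n = 0;
    memcpy(img + n, filler, sizeof filler); n += sizeof filler;
    memcpy(img + n, sec, sizeof sec);       n += sizeof sec;
    memcpy(img + n, filler, sizeof filler); n += sizeof filler;
    return n;
}

/* 1 if a strings-style scan sees the path in the clear-text image. */
int plaintext_visible(void)
{
    unsigned char img[IMG_MAX];
    size_t n = build_image(img, 0);
    return strings_would_find(img, n, SECRET, 4);
}

/* 1 if the scan sees the path in the obfuscated image (expected: 0). */
int obfuscated_visible(void)
{
    unsigned char img[IMG_MAX];
    size_t n = build_image(img, 1);
    return strings_would_find(img, n, SECRET, 4);
}

/* 1 if de-obfuscating at run time yields the original string again. */
int roundtrip_ok(void)
{
    unsigned char sec[sizeof SECRET - 1];
    memcpy(sec, SECRET, sizeof sec);
    stealth_xor(sec, sizeof sec);   /* as stored in the binary */
    stealth_xor(sec, sizeof sec);   /* as restored before use */
    return memcmp(sec, SECRET, sizeof sec) == 0;
}

int main(void)
{
    printf("clear-text image, path visible to strings-style scan: %d\n", plaintext_visible());
    printf("obfuscated image, path visible: %d\n", obfuscated_visible());
    printf("run-time restore matches original: %d\n", roundtrip_ok());
    return 0;
}
```

The point is the asymmetry: the same key restores the string for the program but leaves nothing for a casual `strings | grep` to match. It is only a speed bump against someone who disassembles the binary, which is why the slide pairs it with the other measures (renaming the binary, hiding the configuration in an image, removing the man pages) rather than relying on it alone.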
19. echo $Conclusions
• Be organized
– Know your assets
• Which users are supposed to be on a specific server
• Which ports must be open
• Which files (config / executables) must not be altered
– Document your stealth configurations
• Be very specific about what you're monitoring (minimize false positives)