Introduction to the stealth mode functionality of Samhain, an open source Host Intrusion Detection System, and an analysis of how exactly it applies that mode within the operating system.
Host Intrusion Detection like a Boss
1. C:> telnet Host.Intrusion.Detection...like.a.boss
HELO Confraria de Segurança de Informação
PRESENTATION FROM: André Lima
RCPT TO: Confraria@Forum.Picoas
WHEN 26 Nov 2014
DATA
Good evening, everyone!
.
QUIT
by André Lima,
Associate CISSP / ISO27001 / CCNA Security
@0x4ndr3
al@integrity.pt
https://www.linkedin.com/in/aflima
2. $whois andrelima
• Consultant at Integrity S.A.
• Associate Certified Information Systems Security Professional
(CISSP)
• ISO 27001 LA
• CCNA Security
• CCNP Route
• Computer Engineering (Engenharia Informática) @ ISEL
0x4ndr3
al@integrity.pt
https://www.linkedin.com/in/aflima
3. $cat agenda.txt
• Context
• Intro to Samhain
• Stealth – how it works
• Stealth – installation details
• Demo
• Precautions
• Conclusions
• References
• Questions
6. $samhain -h
• Open-source multiplatform application for POSIX systems (Unix,
Linux, Cygwin/Windows)
• Supports a client-server model: configuration and baseline database files
can be served centrally to the monitored hosts
• Provides file integrity checking and log file monitoring/analysis, as
well as rootkit detection, port monitoring, detection of rogue SUID
executables, etc.
http://www.la-samhna.de/samhain/
7. $samhain -h
• File signatures
– inode + timestamps + owner and group + permissions + number of
hardlinks + etc.
• File system SUID/SGID binaries
• Detecting kernel rootkits
• Checking for open ports
• Log file validation
• User ID of the process that modified a file (via the Linux Audit Daemon)
• ...
• Stealth mode!
8. $samhain -h | grep 'Stealth Mode'
• What does it mean?
– obfuscating (XOR-encoding) the strings in the binary, the log file and
the database (XML DB)
– the configuration file can be steganographically hidden in a
PostScript image file
– renaming the HIDS binary (and its auxiliary applications) at install
time
– not done by default, but advised: delete the man pages folder!
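The first bullet above rests on a single-byte XOR with a value fixed at build time. The toy below is an added illustration, not Samhain's own code: it shows why such a value has to come from the upper half of the byte range (every ASCII byte then lands outside the printable range, so `strings` and `grep` turn up nothing) and the caveat a practitioner should keep in mind, namely that a fixed single-byte XOR is obfuscation rather than encryption and the key falls to a 256-try brute force. The key 0xAB, the record format and the log lines are constructed for the example and do not reproduce Samhain's actual file formats.

```python
"""Toy model of single-byte XOR obfuscation of a HIDS log file, as used to
hide its contents from casual inspection (strings, grep). Added illustration
only; not Samhain's code. Key value, record format and log lines are
constructed for this example."""

import string

# Assumption: a fixed key chosen at build time. Any key >= 0x80 hides ASCII:
# a plaintext byte < 0x80 XORed with a key whose top bit is set always gives
# a byte >= 0x80, i.e. outside the printable ASCII range 0x20..0x7E.
XOR_KEY = 0xAB

# Constructed sample records (not real Samhain output).
SAMPLE_LOG = (
    "CRIT : 2014-11-26 21:05:12 policy ReadOnly violated  path /etc/passwd  checksum changed\n"
    "WARN : 2014-11-26 21:05:13 policy Attributes violated  path /etc/shadow  mode changed\n"
    "INFO : 2014-11-26 21:05:14 check run finished  files 1842  violations 2\n"
)

PRINTABLE = frozenset(string.printable.encode("ascii"))


def xor_obfuscate(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key. Applying it twice restores the input."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def printable_runs(data: bytes, min_len: int = 4) -> list:
    """Roughly what `strings -n MIN_LEN` would print: runs of printable ASCII."""
    runs, current = [], bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E:
            current.append(b)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode("ascii"))
    return runs


def recover_key(obfuscated: bytes) -> int:
    """Attacker's view: try all 256 keys. The right one yields only printable
    text and the largest number of spaces (the most common byte in log text).
    Returns -1 if no key produces printable output."""
    best_key, best_spaces = -1, -1
    for key in range(256):
        candidate = xor_obfuscate(obfuscated, key)
        if not all(b in PRINTABLE for b in candidate):
            continue
        spaces = candidate.count(b" ")
        if spaces > best_spaces:
            best_key, best_spaces = key, spaces
    return best_key


if __name__ == "__main__":
    plain = SAMPLE_LOG.encode("ascii")
    hidden = xor_obfuscate(plain, XOR_KEY)
    print("strings on plaintext  :", len(printable_runs(plain)), "runs")
    print("strings on obfuscated :", len(printable_runs(hidden)), "runs")
    print("low key 0x2B leaves printable bytes:",
          any(0x20 <= b <= 0x7E for b in xor_obfuscate(plain, 0x2B)))
    print("key recovered by brute force: 0x%02X" % recover_key(hidden))
```

With a key below 0x80 some plaintext bytes stay printable and `strings` still pulls fragments out, which is why the value is taken from the upper half of the byte range. The recovery works because the scheme holds no secret beyond one byte: stealth mode raises the cost of a casual `grep` for "samhain" on a compromised box, not the cost for an attacker who has already located the binary and read the constant out of it.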
19. echo $Conclusions
• Be organized
– Know your assets
• Which users are supposed to exist on a given server
• Which ports must be open
• Which files (configs / executables) must never change
– Document your stealth configurations (renamed binaries, location of the
hidden configuration file)
• Be very specific about what you monitor
(minimize false positives)