Intrusion detection systems (IDS) have come a long way since their humble beginnings in the mid-1990s. While much of the Open Source environment has taken to Snort, a new player may be coming into focus that will change the way that IDSes work.
One of the primary criticisms against IDSes is that they tend to be confined to a single vantage point: they are either exclusively network-based or exclusively host-based. Rarely do we see both combined in the form of a Hybrid IDS. Prelude IDS, released in 2002/2003, is the first Open Source Hybrid IDS.
Rather than simply create another NIDS (network-based intrusion detection system), the creators of the Prelude project felt that an IDS that pays attention to system activity as well as network activity would offer better results to administrators over larger networks. And certainly, it makes for ease of control when there is a single console to manage various IDS sensors.
The basics behind the Prelude system include the Prelude Library (libprelude), sensors, managers (basically consoles within the environment), countermeasure agents (actions that can be used to stop malicious activity) and the front end. Prelude is still in its infancy, but even this pre-1.0 product has a lot to offer a network security administrator.
This particular Open Source IDS, at the time of writing, is available for most Linux distributions, OpenBSD, FreeBSD (the platform on which the author’s testing was done), NetBSD, Sun/Solaris and Mac OS X. Sorry, Windows enthusiasts; there is little indication that a Win32 port is in the works. The reasoning behind this seems to lie in keeping the CPU and network footprint of the IDS small, which was evident in my testing of the IDS on a meager Pentium 100 with 64MB of RAM.
Because of this, companies do not have to spend enormous amounts of cash on hardware to support a decent IDS for their network. Too many software manufacturers add too much “dazzle” at the expense of raw computing power.
Another advantage of the Prelude IDS is its ability to understand other IDSes’ rule sets. This means that if you are transitioning from another IDS to Prelude, you can use your existing rule set rather than start from scratch. Added to this is the ability of the IDS to seek out other Managers if the designated Manager is unavailable (perhaps due to a DoS, hardware failure, and so on). If none of the other designated Managers is available to receive an alert, the IDS holds on to the alert until it can forward it appropriately.
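The Manager failover and “hold the alert until it can be forwarded” behaviour just described, as an added example that is not Prelude’s own code or part of this article: a sensor-side relay that works down a preference list of Managers and spools alerts locally while none is reachable. The manager names and the `send` callables are constructed stand-ins for real sensor-to-manager connections.

```python
from collections import deque

class AlertRelay:
    """Added example, not Prelude's own code: forward each alert to the first
    reachable manager in preference order, and hold it locally when none is."""
    def __init__(self, managers):
        # (name, send) pairs, designated manager first. send(alert) returns True
        # or raises ConnectionError when that manager is unreachable (DoS, outage).
        self.managers = managers
        self.spool = deque()  # alerts held until some manager can take them

    def _try_deliver(self, alert):
        for name, send in self.managers:
            try:
                if send(alert):
                    return name
            except ConnectionError:
                continue  # this manager is down, fall through to the next one
        return None  # nobody reachable right now

    def flush(self):
        """Forward held alerts oldest-first until one still fails; return who took them."""
        accepted = []
        while self.spool and (target := self._try_deliver(self.spool[0])):
            self.spool.popleft()
            accepted.append(target)
        return accepted

    def submit(self, alert):
        """Queue a new alert behind anything still held, then push out what we can."""
        self.spool.append(alert)
        return self.flush()


def demo():
    """Constructed scenario: designated manager down, backup up, both down, recovery."""
    up, got = {"primary": False, "backup": True}, {"primary": [], "backup": []}
    def manager(name):  # hypothetical stand-in for a real sensor-to-manager link
        def send(alert):
            if not up[name]:
                raise ConnectionError(name)
            got[name].append(alert["id"])
            return True
        return send
    relay = AlertRelay([(n, manager(n)) for n in ("primary", "backup")])
    first = relay.submit({"id": 1})   # primary unreachable -> ["backup"]
    up["backup"] = False
    second = relay.submit({"id": 2})  # nothing reachable -> [] (alert 2 held)
    up["primary"] = True
    third = relay.flush()             # primary back -> ["primary"] takes alert 2
    return first, second, third, got, len(relay.spool)
```

Because new alerts are queued behind anything still held, the relay preserves alert order across an outage rather than letting fresh alerts overtake older spooled ones.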
The Sensor itself is certainly outfitted with the standard stuff. It has a network detection engine, but what it adds is a “Linux-only” library (which might be why a Win32 version hasn’t been seen yet) that should detect buffer overflows in systems and protect them from attack.
This particular activity is done through the Polymorphic Shell Code Detection Plugin, which is a nice default feature to have available. It also employs many of the “standards”, such as scan detection and arpspoof detection. Add to that data normalizers to deal with attempts to evade detection through the use of Unicode characters, and you have the foundation of a solid IDS.
One of the default features I was particularly impressed with was that Prelude starts as a hidden IDS. That is, it performs its detection duties without binding to an IP address. This, in turn, makes it harder for an attacker to figure out where the IDS is located, while giving the security administrator better control over the network. In addition, I didn’t have to make any changes, as it defaults to this configuration from startup; you actually have to tell Prelude if you want it to listen on a specific NIC.
Prelude was fairly easy to set up in its default configuration. You know it’s working from the “heartbeat” it leaves in the logs. You can also easily test it with a simple TCP connect() scan from Nmap. Much like any IDS, it will light up like the proverbial Christmas tree.
The one difficulty I’ve found has been the front-end. At present, the only front-end that seems supported is the Perl-based PIWI. This, in the author’s view, is a bit of a downside, but one that I suspect will change as Prelude matures over time. At one point there was a PHP front-end, but it had difficulties that made it somewhat unusable.
All of the features I’ve mentioned are only the tip of what Prelude offers; there is certainly far more to it than could be covered in this article. I would recommend Prelude as a new form of IDS for large LANs and perhaps even Internet traffic. It seems willing to take on the challenge of the Enterprise environment even at this early stage of development.
Prelude IDS can be downloaded from http://www.prelude-ids.org.
Feature courtesy of Enterprise IT Planet.