Policy Design Tips and LIDS Best Practices
Halo provides you with three built-in example log-based intrusion detection policy templates, one for RPM-style Linux, one for Debian-style Linux, and one for Windows. You can use the templates as examples or starting points from which to develop policies, or you can create your own policies from scratch.
In designing or customizing your policies, keep these concepts in mind:
- Log-based intrusion detection is designed to scan log files and detect and identify strong indicators of compromise. It is not useful for collecting large numbers of non-critical events.
- Design your policy to identify events that indicate that a real security violation might have occurred, and avoid "noisy" events that do not need to be investigated. Careful design of your search patterns can go a long way toward eliminating unimportant events.
- The search expression in a rule can be the exact text you are looking for, or it can be an expression with a syntax similar to that used in regular expressions. See Search Expression Syntax in the Halo Operations Guide for a complete description and examples of the supported syntax.
- Remember that searches of the log files are case-sensitive. For example, if the phrase "Event Channel" appears in your search expression, you must capitalize it correctly or it will not be found.
- Select the Alert checkbox only for the highest-priority events that must be dealt with immediately. Overwhelming your email inbox with non-time-critical events will only make it more difficult to identify and deal with the truly high-priority ones. You can always review all detected events (both alertable and non-alertable) in the Halo Portal.
- Clear the Active flag for a rule if you want to temporarily disable it but not delete it permanently.
- For a Windows Event Channel-based rule, you select the Event Channel name from a drop-down list that includes all accepted channels. The most common Event Channel names are "Security", "Application", and "System".
- Windows Event Channel-based policy rules use the search expression differently than do Windows or Linux text-based rules. In a text-based rule, the search expression is the only means for identifying the desired event. In an Event Channel rule, the event ID is sufficient to identify the event, meaning that the search expression is not required. However, the expression can be very useful for further filtering events of that ID to, for example, include only a specific user, group, IP address, and so on.
Use Effective Search Patterns
The following examples from the built-in policy templates illustrate how you can use search patterns effectively to fine-tune the events reported.
- Authentication failure for root. This Linux rule detects failed root logins in the file /var/log/auth.log. The search expression is "Failed password for root", which matches a failed password authentication for the root account. Note that sshd logs the account name, not its privilege level, so a failure for some other privileged account is not matched by this expression.
- Password reset on Administrator. This Windows Event Channel rule detects a password reset for the Administrator user on a host. The event ID (4724, "An attempt was made to reset an account's password") is sufficient to identify the event type, and the search expression "TargetUserName.>Administrator" matches the portion of the event's XML text that names the target account (the "TargetUserName" data element), so only resets of the account named "Administrator" are reported. Because searches are case-sensitive, an account named "administrator" would not match this expression.
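The two template rules above, run over constructed sample data, as an added example (this is not code from the original page or from Halo itself). It models a text-based rule, where the search expression is the only selector, and an Event Channel rule, where channel plus event ID select the event and the expression only narrows it. Halo's search-expression syntax is described as "similar to regular expressions"; Python's `re` module is used here as a stand-in for it, and the log lines and event XML are constructed for illustration.

```python
import re

# Constructed sample lines in the format sshd writes to /var/log/auth.log.
# The last line is deliberately lowercased to show case-sensitive matching.
AUTH_LOG = """\
Mar  3 10:15:01 web01 sshd[2311]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:15:09 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:15:20 web01 sshd[2312]: Accepted publickey for deploy from 198.51.100.4 port 40010 ssh2
Mar  3 10:15:31 web01 sshd[2340]: failed password for root from 203.0.113.7 port 51044 ssh2
"""

# Constructed Windows Security events, reduced to the fields the rule needs.
# "label" exists only so the results are easy to inspect.
WIN_EVENTS = [
    {"label": "reset-admin", "channel": "Security", "event_id": 4724,
     "xml": '<EventData><Data Name="TargetUserName">Administrator</Data>'
            '<Data Name="SubjectUserName">helpdesk</Data></EventData>'},
    {"label": "reset-user", "channel": "Security", "event_id": 4724,
     "xml": '<EventData><Data Name="TargetUserName">jsmith</Data></EventData>'},
    {"label": "changed-admin", "channel": "Security", "event_id": 4738,  # account changed, not a reset
     "xml": '<EventData><Data Name="TargetUserName">Administrator</Data></EventData>'},
    {"label": "reset-lowercase", "channel": "Security", "event_id": 4724,
     "xml": '<EventData><Data Name="TargetUserName">administrator</Data></EventData>'},
]


def match_text_rule(lines, expression):
    """Text-based rule: the (case-sensitive) search expression is the only selector."""
    pattern = re.compile(expression)
    return [line for line in lines if pattern.search(line)]


def match_channel_rule(events, channel, event_id, expression=None):
    """Event Channel rule: channel and event ID select the event; the optional
    search expression further filters the event's XML text."""
    pattern = re.compile(expression) if expression else None
    hits = []
    for event in events:
        if event["channel"] != channel or event["event_id"] != event_id:
            continue
        if pattern is not None and not pattern.search(event["xml"]):
            continue
        hits.append(event["label"])
    return hits


if __name__ == "__main__":
    lines = AUTH_LOG.splitlines()
    print(match_text_rule(lines, "Failed password for root"))
    print(match_channel_rule(WIN_EVENTS, "Security", 4724))
    print(match_channel_rule(WIN_EVENTS, "Security", 4724, "TargetUserName.>Administrator"))
```

Running it shows that "Failed password for root" picks up only the correctly capitalized root failure, that event ID 4724 alone returns every password reset on the channel, and that adding the expression narrows the hits to the reset of "Administrator" while the lowercase variant and the non-reset event 4738 are excluded. If account names such as "rootkit" are in use, extending the expression to "Failed password for root from" keeps it from matching them.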
Use Log Prefixes for Firewall Events
Halo Linux firewall policies include a feature that can greatly aid in fine-grained detection of firewall events. For each rule in a firewall policy, you can specify a log prefix, a text string that is prepended to the event message logged whenever that firewall rule is matched. (Logging for that rule must be enabled, or else there will be no event for the prefix to be added to.)
Craft each log prefix to uniquely identify the particular rule whose match you want to be detected when Halo scans the firewall log file. For example, suppose you add the prefix "Inbound Drop:" to the inbound default-drop rule in your firewall policy, and you add the prefix "Outbound Drop:" to the outbound default-drop rule.
If either of the default-drop rules is executed, its prefix appears at the start of the logged event message.
Note: For improved readability in the log entry, you may wish to visually separate the prefix from the rest of the log message. In that case, include a trailing space at the end of the prefix so that its last word doesn't run into the first word of the message.
Finally, define a pair of log-based intrusion detection policy rules whose search expressions are the log prefixes themselves, "Inbound Drop:" and "Outbound Drop:".
Your log-based intrusion detection scans of the firewall log file will then easily pick up any inbound or outbound default-drop events, without the need for you to create potentially highly complicated regular-expression search patterns.
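The prefix technique over constructed sample log lines, as an added example (not code from the original page or from Halo). The lines are in the form a Linux netfilter LOG target emits through syslog, with the two prefixes from the text on the first two lines and an unprefixed logged packet on the third. Detection is a plain substring match on the prefix; the key=value fields are parsed only after a line has been selected, which is where the "potentially highly complicated" regular expression would otherwise have to live. The 29-character limit checked below is the documented cap on iptables' `--log-prefix` and is an assumption about the underlying mechanism, not something the page states.

```python
import re

# Constructed sample lines (not from a real host) in netfilter LOG format.
FIREWALL_LOG = """\
Mar  3 11:02:17 web01 kernel: [12345.678901] Inbound Drop: IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:16:3e:ab:cd:ef:08:00 SRC=203.0.113.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51022 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 11:02:18 web01 kernel: [12346.001234] Outbound Drop: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=UDP SPT=40000 DPT=6667 LEN=20
Mar  3 11:02:19 web01 kernel: [12346.200000] IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=777 DF PROTO=TCP SPT=33000 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# The prefixes configured on the two default-drop rules, each with the
# trailing space recommended above so the prefix does not run into "IN=".
PREFIXES = ("Inbound Drop: ", "Outbound Drop: ")

# netfilter fields are KEY=VALUE tokens; flags such as DF and SYN have no "=".
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# iptables' LOG target accepts at most 29 characters of --log-prefix
# (assumption: Halo renders Linux firewall policies as iptables rules).
MAX_PREFIX_LEN = 29


def prefix_is_safe(prefix):
    """True if the prefix would survive untruncated in an iptables LOG rule."""
    return 0 < len(prefix) <= MAX_PREFIX_LEN


def parse_fields(text):
    """Turn the KEY=VALUE part of a netfilter log line into a dict."""
    return dict(FIELD_RE.findall(text))


def find_drops(lines, prefixes):
    """Select lines by log prefix (a plain substring test, no regex needed),
    then parse the packet fields that follow the prefix on each selected line."""
    hits = {prefix: [] for prefix in prefixes}
    for line in lines:
        for prefix in prefixes:
            at = line.find(prefix)
            if at == -1:
                continue
            fields = parse_fields(line[at + len(prefix):])
            hits[prefix].append({
                "src": fields.get("SRC"),
                "dst": fields.get("DST"),
                "proto": fields.get("PROTO"),
                "dpt": fields.get("DPT"),
            })
    return hits


if __name__ == "__main__":
    for prefix in PREFIXES:
        assert prefix_is_safe(prefix), f"prefix too long for iptables: {prefix!r}"
    for prefix, packets in find_drops(FIREWALL_LOG.splitlines(), PREFIXES).items():
        print(prefix.strip(), packets)
```

The unprefixed third line is a logged packet too, but it never reaches `parse_fields`, which is exactly the point of the prefix: the LIDS rule keys on a string you chose, not on the shape of the kernel's message. Keep each prefix distinct from the others (a prefix "Drop:" would match both "Inbound Drop:" and "Outbound Drop:") and short enough not to be truncated.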
See Create and Assign a Firewall Policy in Managing Workload Firewalls with CloudPassage Halo for more details on creating the components of firewall policy rules, including log prefixes.