Dr. Hidaia Mahmood Alassouli - Overview of Some Windows and Linux Intrusion Detection Tools

By

Dr. Hidaia Mahmood Alassouli

The paper evaluates some the security tools. Top security tools can be found in http://sectools.org/. Most important vulnerabilities in Windows and Linux can be found in www.sans.org/top20/ . The paper covers the installation and configuration of the following security tools:

• LANguard
• Nessus
• Snort
• BASE
• ACID
• Rman
• SnortCenter.
• OSSEC
• Sguil

Keywords: Vulnerability Assessment Tools, Intrusion Detection Tools, LANguard, Nessus, Snort, BASE, Rman, OSSEC, Sguil.

In this paper I will evaluate some the security tools. Among my work in this area, I found the best site that lists the security tools is http://sectools.org/. Most important vulnerabilities in Windows and Linux can be found in www.sans.org/top20/ . There is a good course that covers most of the hacking and security issues, the Certified Ethical Hacking course.

The paper covers the installation and configuration of the following security tools:

• LANguard
• Nessus
• Snort
• BASE
• Rman
• OSSEC
• Sguil

The following vulnerability assessment tools were tested in order to look for the main differences between them when scanning Linux and Windows machine:

LANguard in Microsoft Windows

Nessuss in Windows and Linux

Some other that can be tried also: Tenable NeWT , Shadow Security Scanner, Microsoft Baseline Security Analyzer.

GFI GuardLAN and Microsoft Base Line Security Scanner are mostly same. Download GFI GuardLAN from http://www.gfi.com/lannetscan/. After installation, you can start scanning any machine with the administrative privilege.

Download the nessus from http://www.nessus.org and install it.

The installation is straight forward. Download the software after registration, and install the package after providing the activation code (you shall get it through email), and the necessary plugins will be downloaded automatically upon the installation. You can use the Nessus Client that installed with the package. You can also create users, download and run NessusWX Client as its output is clearer.

Installation in Linux needs some preparation.

1- Download the latest version of Nessus from http://www.nessus.org/download/

Install it with the following command depending on your version

# rpm ivh Nessus-*.rpm

2- Create a Nessus User. At minimum, one Nessus user should be created so client utilities can log into Nessus to initiate scans and retrieve results.

# /opt/nessus/sbin/nessus-add-first-user

In the file /opt/nessus/etc/nessus/nessusd.conf there are several options that can be configured. For example, this is where the maximum number of checks and hosts being scanned at one time, the resources you want nessusd to use, and the speed at which data should be read is all specified, as well as many other options.

3- Start the Nessus service as root with the following command:

# /opt/nessus/sbin/nessusd D or # / sbin/service nessusd start

To stop Nessus

# killall nessusd

4- Depending on your subscription service, you will have received an activation code which entitles you to either the direct feed of plugins or the registered, seven-day delayed feed of plugins. Users who have downloaded Nessus from the regular download page should have received an email containing an activation code for the registered feed. Otherwise, you can go to http://www.nessus.org/register to register your Nessus scanner in order to receive a plugin activation code for the registered feed. To install the activation code, type the following command on the system running Nessus, where is the registration code that you received:

# /opt/nessus/bin/nessus-fetch -register

5- The following command is used to update the Nessus scanner with the most recent plugins:

# /opt/nessus/sbin/nessus-update-plugins

6- There is a new feature in version 3.0 where Nessus will now fetch the newest plugins on a regular basis automatically. This is done with the auto_update option located in the nessusd.conf file. The default for this option is set to yes. The option auto_update_delay determines how often Nessus will update its plugins in hours, which has a default value of 24. The plugins update will take place the set number of hours after nessusd is started and will continue every N number of hours after that. For this option to work properly, you have to make sure that the scanner has a plugin feed activation code that is correctly registered. Use the following command to verify this:

# /opt/nessus/bin/nessus-fetch --check

7- Now the Nessus server is ready to be connected to with a client. There are multiple ways to connect to the Nessus server depending on your type of system. NessusWX is a client available for Windows platforms and NessusClient is an X11/GTK GUI. Command line operation can also be used instead of a client.

8- You can download NessusClient RPM from http://www.nessus.org/download/ and install it. You can run NessusClient by executing

# NessusClient

9- Users are not required to use a client to connect to the nessusd server and run a scan. They can choose to use command line operation to do this. In order to run a scan using command line operation, you must run the scan in batch mode. To do this, use the following command:

# /opt/nessus/bin/nessus q [-pPS] >

Where, targetsfile will include the hosts that you would like to scan. The host, port are your Nessus server IP address and port number.

I tried to test the GFI LANguard Scanner on

I tried to test Nessus on

It seems that both tools provides some special type of information, so I dont want to tell which tool is better. I just advice to try both tools when checking the vulnerabilities.

You cant scan the machines behind firewall when using GFI LANguard, but Nessus can do.

In windows I tested the BlackICE for intrusion detection and prventation. I downloaded the evaluation version from www.iss.net/issEn/DLC/blackiceevaluation.jhtml. This tool is good; especially it can detect any newly installed programs or any intrusion in your host. But It cant detect intrusion in the whole network.

For Linux , I saw that Snort is good tool for intrusion detection of the whole network. But snort is not easy tool to configure, so I just looked for some graphical interface for it. Out of my search I found that BASE and the rule manager for snort can be helpful. I will show here step by step guide for installing snort, BASE and the rule manager for snort.

Snort can be configured to run in three modes: