Leveraging LIDS – logs and lots more

eddie beuerlein / 10.19.17

When it comes to a Log-Based Intrusion Detection System (LIDS), there’s a lot you can leverage. LIDS is a cross-platform, tactical pattern-matching system that works on its own or as a supplement to an existing SIEM. Within a policy you can set the criticality of each event, and alert profiles route the notification to the right team when an event fires. And the best part? How easy LIDS is to set up within the CloudPassage Halo platform.

So let’s walk through the steps of how you can best take advantage of LIDS.

You can get started quickly by using the LIDS policy templates that CloudPassage Halo provides.

[Screenshot: policies list]

Simply find the policy list under the Policies tab in the upper right corner of your Halo portal, click on the Templates tab, and filter by policy type, which would be LIDS and your OS (Linux or Windows).

[Screenshot: templates filter]

From there, simply right-click on the template name and select Clone.

[Screenshot: right-click, Clone]

Below is an example of a cloned Linux template. Once you’ve cloned the template into a policy, you can remove existing rules, create new rules, and toggle whether or not a rule is critical.

[Screenshot: example cloned Linux policy]

As you can see from our example, the basic templates for both Linux and Windows cover many common use cases for LIDS including:

  • User account addition, modification and deletion
  • Unauthorized escalation of privilege such as failed sudo/su attempts, failed root or administrator login, failed root or administrator credentials change, and having user rights assigned or revoked
  • Potential network-based compromise such as brute-force attempts, network interface change to promiscuous mode, SYN flooding, and certificate errors
  • Software package installation and removal
  • Logging facility changes and potential log modifications
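To make those template categories concrete, here is an added example (not Halo’s own rule format or code, which this page does not show): a small Python matcher with a hypothetical rule set modelled on the categories above, run over a few constructed Linux log lines in the style of /var/log/auth.log and /var/log/syslog. Each rule carries a critical flag, mirroring the per-rule criticality the policy editor exposes, and the patterns follow the wording that pam_unix, su, shadow-utils, the kernel and rsyslogd actually emit.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One LIDS-style rule: a name, a regex searched in each log line, and a criticality flag."""
    name: str
    pattern: re.Pattern
    critical: bool


# Hypothetical rule set modelled on the Linux template categories (not Halo's actual rules).
RULES = [
    # failed sudo: pam_unix logs "authentication failure" under the sudo tag
    Rule("failed_sudo", re.compile(r"sudo:.*authentication failure"), True),
    # failed su: util-linux/shadow log "FAILED SU (to <user>) <who> on <tty>"
    Rule("failed_su", re.compile(r"\bsu(?:\[\d+\])?: FAILED SU"), True),
    # user account addition / deletion as logged by shadow-utils
    Rule("user_added", re.compile(r"useradd(?:\[\d+\])?: new user: name=(?P<user>[^,]+),"), False),
    Rule("user_deleted", re.compile(r"userdel(?:\[\d+\])?: delete user '(?P<user>[^']+)'"), False),
    # network interface switched to promiscuous mode (kernel message)
    Rule("promiscuous_mode", re.compile(r"device \S+ entered promiscuous mode"), True),
    # logging facility change: the syslog daemon going away
    Rule("syslog_daemon_stop", re.compile(r"rsyslogd:.*exiting on signal"), False),
]

# Constructed sample lines; hostnames, PIDs and users are made up.
SAMPLE_LOG = [
    "Oct 19 10:01:02 web1 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=bob",
    "Oct 19 10:01:05 web1 su[2231]: FAILED SU (to root) bob on pts/0",
    "Oct 19 10:02:10 web1 useradd[2240]: new user: name=deploy, UID=1002, GID=1002, home=/home/deploy, shell=/bin/bash",
    "Oct 19 10:03:00 web1 kernel: device eth0 entered promiscuous mode",
    "Oct 19 10:03:30 web1 sshd[2250]: Accepted publickey for deploy from 10.0.0.5 port 51000 ssh2",
    "Oct 19 10:04:00 web1 rsyslogd: [origin software=\"rsyslogd\"] exiting on signal 15.",
]


def scan(lines, rules=RULES):
    """Return (rule name, critical, captured fields, line) for every rule hit, in log order."""
    hits = []
    for line in lines:
        for rule in rules:
            m = rule.pattern.search(line)
            if m:
                hits.append((rule.name, rule.critical, m.groupdict(), line))
    return hits


def critical_hits(hits):
    """The subset an alert profile would route to an on-call team immediately."""
    return [h for h in hits if h[1]]


if __name__ == "__main__":
    for name, critical, fields, line in scan(SAMPLE_LOG):
        flag = "CRITICAL" if critical else "info"
        print(f"[{flag:8}] {name:20} {fields or ''} <- {line}")
```

The ordinary sshd login produces no hit, and the named groups (`user`) show how a rule can pull the affected account out of the line for the alert body rather than shipping the raw line alone.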

So what else can you do?

Once LIDS is set up, you can use it to monitor your own custom applications’ log files as well: LIDS can monitor any log file in any directory on the system, not just the system logs the templates cover.

On Windows systems, you can look for any Windows event ID. Combine this with a regular expression in the string search field to narrow down the information you wish to alert on. For example, you might want to alert on password changes for the Administrator account only, so you’d monitor event ID 4723 (“An attempt was made to change an account’s password”) and look for the string “Account Name: Administrator” in the search expression field. One caveat: a 4723 event carries an Account Name under both its Subject block (who made the change) and its Target Account block (whose password changed), so an expression that just looks for the string anywhere in the message will also fire when Administrator changes someone else’s password. Anchor the expression to the Target Account section if you only want the second case.
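The two readings of that rule, as an added example (not Halo’s rule syntax, which the page does not show): a plain event-ID-plus-string filter beside one that reads the Account Name from the Target Account block only, run over three constructed Security log records in the layout Windows uses for 4723 and 4724 messages (abridged to the relevant fields).

```python
import re

# Constructed records in the shape of Security log 4723/4724 messages (abridged).
EVENTS = [
    {   # bob changes the Administrator password: the case we want to alert on
        "RecordId": 101, "EventID": 4723,
        "Message": "An attempt was made to change an account's password.\n\n"
                   "Subject:\n\tAccount Name:\t\tbob\n\tAccount Domain:\t\tCORP\n\n"
                   "Target Account:\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tCORP\n",
    },
    {   # Administrator changes a service account's password: Administrator is only the Subject
        "RecordId": 102, "EventID": 4723,
        "Message": "An attempt was made to change an account's password.\n\n"
                   "Subject:\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tCORP\n\n"
                   "Target Account:\n\tAccount Name:\t\tsvc-backup\n\tAccount Domain:\t\tCORP\n",
    },
    {   # a reset (4724) of the Administrator password: a different event ID
        "RecordId": 103, "EventID": 4724,
        "Message": "An attempt was made to reset an account's password.\n\n"
                   "Subject:\n\tAccount Name:\t\tbob\n\tAccount Domain:\t\tCORP\n\n"
                   "Target Account:\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tCORP\n",
    },
]


def naive_filter(events, event_id=4723, account="Administrator"):
    """Event ID plus 'Account Name: <account>' anywhere in the message, as the text describes."""
    pat = re.compile(r"Account Name:\s+" + re.escape(account) + r"(?!\S)")
    return [e["RecordId"] for e in events
            if e["EventID"] == event_id and pat.search(e["Message"])]


# Non-greedy so we read the first Account Name after the Target Account header, not the Subject's.
TARGET_NAME = re.compile(r"Target Account:.*?Account Name:\s+(\S+)", re.S)


def target_filter(events, event_id=4723, account="Administrator"):
    """Same event ID, but only match when <account> is the Target Account."""
    hits = []
    for e in events:
        if e["EventID"] != event_id:
            continue
        m = TARGET_NAME.search(e["Message"])
        if m and m.group(1) == account:
            hits.append(e["RecordId"])
    return hits


if __name__ == "__main__":
    print("naive :", naive_filter(EVENTS))
    print("target:", target_filter(EVENTS))
```

Record 102 is the false positive the naive expression produces; record 103 shows why the event ID filter matters (a password reset by another user is 4724, not 4723, and you may well want a second rule for it).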

Some conditions you may be checking with CSM (Configuration Security Monitoring) might be urgent enough to warrant a LIDS rule instead, because LIDS is lighter-weight and runs every five minutes. For example, you can create LIDS rules that alert you when a critical service is stopped or a critical package is uninstalled.

You can also specify files to monitor for credit card numbers. The credit card text log rules (at the bottom of each policy) use the Luhn algorithm, the mod-10 check digit that real card numbers satisfy, to test the validity of candidate numbers, which weeds out most session IDs, timestamps and other digit strings that merely have the right length and so reduces false positives.
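What that check buys you, as an added example (not Halo’s own credit card rule, whose implementation the page does not show): a Python scanner that pulls 13- to 19-digit candidates out of constructed application log lines, strips the usual space or dash separators, and keeps only those that pass Luhn. The card numbers used are the well-known public test numbers; the 16-digit session ID is the kind of noise a length-only match would report.

```python
import re

# Candidate: 13-19 digits with optional single space/dash separators, not part of a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check: from the right, double every second digit (subtract 9 if the result
    exceeds 9) and the sum of all digits must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def candidates(line: str):
    """All digit runs of card-number length in a line, with separators removed."""
    return [re.sub(r"[ -]", "", m.group(0)) for m in CARD_CANDIDATE.finditer(line)]


def find_card_numbers(lines):
    """(line index, number) for each candidate that passes Luhn; the rest is dropped as noise."""
    found = []
    for idx, line in enumerate(lines):
        for number in candidates(line):
            if luhn_valid(number):
                found.append((idx, number))
    return found


# Constructed application log lines (made-up order and session IDs; public test card numbers).
SAMPLE_LOG = [
    'order_id=1001 card="4111 1111 1111 1111" status=ok',
    'order_id=1002 card="5500-0000-0000-0004" status=ok',
    'session_id=1234567890123456 user=bob',
    'txn=378282246310005 amount=12.50',
    'ts=1508412345 trace=abcdef',
]

if __name__ == "__main__":
    for idx, number in find_card_numbers(SAMPLE_LOG):
        print(f"line {idx}: possible card number ending in {number[-4:]}")
```

Four lines contain a candidate of card-number length, but only three survive the Luhn check; the session ID on the third line is exactly the false positive the rule is designed to drop. A hit should still be treated as a lead rather than proof: a random digit string passes Luhn one time in ten.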

As you can see, there’s a wealth of useful ways to take advantage of LIDS depending on your organization’s unique needs, which is why we’ve continued to ensure that CloudPassage Halo is easy to use and customizable. Happy filtering!