Apparently, though unproven, at 22:45 on Friday 19 November 2010, Fatih Tümen did opine thusly:
> Hi,
>
> I just want to be aware of anything unusual instantly, preferably by
> email. This is a single or two user laptop. Here are the few I gave a
> shot:
>
> Logsentry is very simple and easy to use with its plain rule files and
> check script. It just works out of the box with almost zero
> configuration. I only had to add a couple of rules and modify
> logcheck.sh according to my syslog setup. But it seems to be
> unmaintained and more importantly it is not real time. There is an
> hourly cron job shipped with the package but running it more frequently
> sounds like overdoing it.
>
> I also checked logsurfer which comes with an init script, however, no
> working configuration file and sort of confusing examples.
>
> Aide, as an intrusion detection tool, has also very simple
> configuration but it does not report in real time either. You have to
> place the example cron job in the cron directory of your choice manually.
> Running it hourly loads the system every hour for a couple of minutes.
> Running it daily means knowing about the intrusion only the day after.
> I don't see the point of that, it may be too late for everything.
>
> I read somewhere that snort was the most used one. At first glance
> there are too many configuration variables. It just seems overmuch for
> what I want on my system.
>
> What I want is something like tail using inotify:
> tail -f / | mail $ME :)
>
> Seriously, are there [or is there a single] tool/s for {system,
> network, log} monitoring and intrusion detection, using inotify to
> watch and email the instant changes on a system? What do you use and
> recommend for a home pc?
>
> eix -cSz ntrusion and log monitor show what is available in portage
> but asking to share experience is a lot better than emerge-try-unmerge
> cycle. Hope you agree.

We use OSSEC (http://www.ossec.net/) at work and it seems to perform well. Alerts are almost real-time on Linux (using inotify) and it's able to classify log entries into some hierarchy of importance.

IOW you can cherry pick the kind of thing you want to be told about. And if you feel like being adventurous you can write plug-ins to deal with logs that do not already have a scanner.

I can't comment on how much work it is, as a colleague set it up and I wasn't paying attention. I can tell you that it does come with a sane config out of the box which might not be ideal for you, but is *much* better than having nothing at all.

It does elementary IDS as well, but that is a different beast to log analysis (like an MTA is different to anti-spam), best handled by a different product - something in the same class as snort for example.

-- 
alan dot mckinnon at gmail dot com
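The "classify into a hierarchy of importance, then cherry pick" idea from the reply above, as an added example that is not OSSEC's code nor anything from this thread: an ordered rule set assigns each syslog line a level, only lines at or above a threshold become alerts, and a `tail -f`-style follower feeds new lines through it. The rules, the sample log lines and the addresses in them are constructed for illustration; polling stands in for inotify because the standard library has no inotify binding.

```python
import re
import time
from collections import namedtuple

# A rule is (level, name, compiled regex). Higher level = more important.
Rule = namedtuple("Rule", "level name pattern")

# Constructed rule set, most specific first: the first matching rule wins,
# so a root login is reported as such rather than as a generic login.
RULES = [
    Rule(10, "ssh_root_login_ok", re.compile(r"sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)")),
    Rule(7, "ssh_auth_failure", re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    Rule(5, "ssh_login_ok", re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    Rule(8, "sudo_command", re.compile(r"sudo: +(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)")),
    Rule(3, "cron_session", re.compile(r"CRON\[\d+\]")),
]

def classify(line):
    """Return (level, rule name, extracted fields); unmatched lines get level 0."""
    for rule in RULES:
        m = rule.pattern.search(line)
        if m:
            return rule.level, rule.name, m.groupdict()
    return 0, "unmatched", {}

def alerts(lines, min_level=7):
    """Keep only the lines whose level reaches the threshold ("cherry pick")."""
    return [(lvl, name, f) for lvl, name, f in map(classify, lines) if lvl >= min_level]

def follow(path, min_level=7, notify=print):
    """Tail a log file like `tail -f`, calling notify() for each alert.
    Assumption: a poll loop instead of inotify; swap notify for a mailer if wanted."""
    with open(path) as fh:
        fh.seek(0, 2)                      # start at end: only new lines matter
        while True:
            line = fh.readline()
            if not line:
                time.sleep(0.5)
                continue
            level, name, fields = classify(line.rstrip("\n"))
            if level >= min_level:
                notify("[%d] %s %s" % (level, name, fields))

# Constructed syslog sample (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = [
    "Nov 19 22:40:01 laptop CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)",
    "Nov 19 22:41:12 laptop sshd[1302]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2",
    "Nov 19 22:41:40 laptop sshd[1310]: Accepted publickey for fatih from 192.0.2.7 port 50012 ssh2",
    "Nov 19 22:42:03 laptop sudo:    fatih : TTY=pts/0 ; PWD=/home/fatih ; USER=root ; COMMAND=/usr/bin/emerge --sync",
    "Nov 19 22:43:55 laptop sshd[1333]: Accepted password for root from 203.0.113.5 port 51100 ssh2",
]
```

With the default threshold of 7, the ordinary user login and the cron run are classified but stay quiet, while the failed login, the sudo command and the root login are reported.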