Intrusion detection

Normally I use AIDE for file verification on my systems, and I would like to extend this to the router without a bunch of headaches. I'm open to using an alternative IDS, any recommendations?

Are you comparing file verification to a network IDS?

Can you explain why you feel you need a file monitor on a router?

I would suggest network Intrusion Detection Systems; but perhaps I'm not sure what you're monitoring in your use case.

Regarding AIDE, if you can:

  • compile it, or
  • connect network shares, or
  • SSH File transfer

It should work.


Are you comparing file verification to a network IDS?

No the two are completely different.

Can you explain why you feel you need a file monitor on a router?

My security model requires it

connect network shares, or
SSH File transfer

These won't fit in with the security model, and I am unable to find anything to run AIDE over SSH without having an AIDE instance compiled into the router itself.

compile it

I think this is most likely. I just wanted to know if there are any maintained packages which do file-based verification without me having to bring AIDE to OpenWrt and maintain it.

Checksum on the /rom/ partition would be one way to confirm that the read-only portion has not been changed. Assuming that you've got a typical OpenWrt configuration, all changes from the ROM would appear in the /overlay/ file system.

Building AIDE as a "custom" package doesn't immediately look to be too difficult. A quick read of the README shows run-time dependency on PCRE, which should be available as a package.

https://openwrt.org/docs/guide-developer/packages is a good start -- as would be looking at another package that uses GNU-style configuration.
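The /rom checksum idea above, written out as a small POSIX sh baseline-and-verify script. This is an added example, not code from the thread or from OpenWrt; it assumes only BusyBox-style `find`, `sha256sum`, `mktemp`, `cmp` and `diff`, and the /rom and /overlay paths are the typical OpenWrt layout the post describes. The sample tree built by `demo_run` is constructed here so the script runs anywhere; on a router you would run `make_baseline /rom /path/on/other/host/rom.sha256` once after flashing and keep the manifest off the device, then `verify_baseline /rom rom.sha256` on a schedule. Pointing the same two functions at /overlay tracks configuration drift instead.

```sh
#!/bin/sh
# Added example (not from the thread): minimal file-integrity baseline
# and verification in POSIX sh, using sha256sum as shipped in BusyBox.
# Unlike "sha256sum -c", regenerating the manifest and comparing it
# catches added and removed files, not only modified ones.

# make_baseline DIR OUT: record the sha256 of every regular file under
# DIR into OUT, sorted so the manifest is stable across runs.
# (Filenames containing a newline are not handled; none exist in /rom.)
make_baseline() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f | LC_ALL=C sort \
        | while IFS= read -r f; do sha256sum "$f"; done ) > "$out"
}

# verify_baseline DIR BASELINE: rebuild the manifest for DIR and compare
# it to BASELINE. Returns 0 when identical, 1 when anything was added,
# removed or changed (the differing manifest lines are printed).
verify_baseline() {
    dir=$1; baseline=$2
    current=$(mktemp)
    make_baseline "$dir" "$current"
    if cmp -s "$baseline" "$current"; then
        rm -f "$current"
        return 0
    fi
    diff "$baseline" "$current" || true
    rm -f "$current"
    return 1
}

# demo_run: build a constructed fake /rom tree, take a baseline, verify it
# clean, then simulate tampering (modified file + planted file) and show
# that verification now fails. Returns 0 when both outcomes are as expected.
demo_run() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/rom/etc" "$tmp/rom/bin"
    printf 'root:x:0:0:root:/root:/bin/ash\n' > "$tmp/rom/etc/passwd"   # constructed
    printf '#!/bin/sh\necho hello\n' > "$tmp/rom/bin/hello"               # constructed
    make_baseline "$tmp/rom" "$tmp/rom.sha256"
    clean=0; verify_baseline "$tmp/rom" "$tmp/rom.sha256" || clean=$?
    printf '\n' >> "$tmp/rom/bin/hello"      # modify an existing file
    printf 'x' > "$tmp/rom/bin/extra"        # plant a new file
    tampered=0; verify_baseline "$tmp/rom" "$tmp/rom.sha256" >/dev/null || tampered=$?
    rm -rf "$tmp"
    echo "clean=$clean tampered=$tampered"
    [ "$clean" -eq 0 ] && [ "$tampered" -eq 1 ]
}
```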


re: net:IDS

I'm not sure how much overhead the mirroring feature adds; assuming it's minimal, I'd be looking at running a VM instance on your most used network host and passing all the complex math to it. That leaves you free to run anything you like and keeps your gateway focussed on what it does best.