On Wed, Jul 05, 2006 at 04:48:25PM +0000, Steffen Wendzel wrote:
> Hi,
>
> while searching for new ideas for my kernel IDS 'FUPIDS' [1] I posted in
> 12/2003, I found an interesting kernel IDS called 'SID' [2] for Linux and
> Solaris.
>
> SID is a pseudo terminal IDS that creates SHA1 values of terminal commands.
> These values will be logged. A user space program reads these logs and
> compares the included values with "bad" values.
>
> For example, if 3a3a3a3a3a would be the hash for 'cd /root' and the
> userspace tool would find this string in the log file, an intrusion is
> detected.
>
> You can also define an action for an intrusion, which can be something like
> a shell script killing all the processes of a user.
>
> I'm currently thinking about an OpenBSD implementation of such a kernel IDS
> including the improvement that whitespace will be ignored. That will be
> better because
>
> cd /root
> cd/root
> cd  /root
>
> would generate the same hash value.
>
> but ehm ...
>
> If the admin has to specify rules for lots of "bad" commands, he has to
> do a lot of work. If he forgets an important rule, the intrusion will not
> be detected. This could be solved using default shipped rules.
>
> Is there any interest for such an implementation? I ask this because I
> would write the kernel code as a patch instead of an LKM in that case,
> which would be easier but possibly more version dependent.
>
> -steffen
>
>
> [1] http://www.doomed-reality.org/site/p...ids/index.html
> [2] http://sid.sourceforge.net

It should be possible to make do with a superuser-privileged daemon, I believe, which would eliminate the need for a kernel patch (and also be quite conspicuous, unfortunately, but that's easily solved by giving it an innocuous-looking name). Since you already need a userspace program to read the logs, however, this may work.

Also, I'd strongly suggest providing a more convenient interface for the administrator - this could be anything from a regex-enabled parser to just sending everything typed to a device/named pipe in a well-defined and rich format - say, <tty> <time> <code>.

You might also be interested in Sebek <www.honeynet.org>; I was convinced it was Linux-only when I began typing this message, but apparently, it runs on OpenBSD. It does most of what you describe. Honeynet.org is quite big, and would most likely welcome contributions for any missing features.

Joachim
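The userspace side of the scheme discussed in the thread (SHA1 of each typed command, whitespace ignored, matched against a list of "bad" hashes) as an added example written for this page; it is not SID's, FUPIDS's or Sebek's own code. It assumes the logger writes one `<tty> <time> <hash>` record per line, as Joachim suggests, and the log lines below are constructed.

```python
"""Hash-based terminal command matching as sketched in the thread:
the logger records SHA1(command), a userspace checker compares each
record with a list of "bad" hashes. All whitespace is stripped before
hashing so that 'cd /root', 'cd/root' and 'cd  /root' collide."""
import hashlib
import re


def normalize(command: str) -> str:
    """Drop every whitespace run so spacing variants hash identically."""
    return re.sub(r"\s+", "", command)


def command_hash(command: str) -> str:
    """SHA1 over the normalized command, hex encoded as the logger would write it."""
    return hashlib.sha1(normalize(command).encode()).hexdigest()


def build_bad_hashes(rules):
    """Map hash -> original rule text so an alert can name what matched."""
    return {command_hash(rule): rule for rule in rules}


def check_log(log_text: str, bad_hashes: dict):
    """Return (tty, time, rule) for every log record whose hash is in the rule set.
    Malformed lines are skipped rather than trusted."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        tty, ts, digest = parts
        if digest in bad_hashes:
            alerts.append((tty, ts, bad_hashes[digest]))
    return alerts


# Rule list with the page's own example; 'bad' here means 'flag it'.
BAD_HASHES = build_bad_hashes(["cd /root"])

# Constructed log: two spacing variants of the rule, one harmless command.
SAMPLE_LOG = "\n".join([
    f"ttyp0 1152118105 {command_hash('cd/root')}",
    f"ttyp0 1152118110 {command_hash('ls -la')}",
    f"ttyp1 1152118120 {command_hash('cd   /root')}",
])


def detect_sample():
    """Run the checker over the constructed log; two records should match."""
    return check_log(SAMPLE_LOG, BAD_HASHES)
```

Note that the matching is exact: only strings whose normalized form is in the rule list are flagged, which is the coverage gap Steffen raises about forgotten rules.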