Mailinglist Archive: opensuse-security (564 mails)

Re: [suse-security] Intrusion detection?
  • From: Thomas Biege <thomas@xxxxxxx>
  • Date: Fri, 5 Jan 2001 18:24:14 +0100 (CET)
  • Message-id: <Pine.LNX.4.21.0101051813110.1084-100000@xxxxxxxxxxxxxx>
On Fri, 5 Jan 2001, Sebastian Krahmer wrote:

> On Thu, 4 Jan 2001, bacano wrote:
>
> > Pakemon http://www.inas.mag.keio.ac.jp/ids/pakemon/index.html
> > Abacus Project http://www.psionic.com/abacus/
> > eye on exec http://www.cs.uni-potsdam.de/homepages/students/linuxer/ok.html
> Eh, wow, ... I forgot.
> Yes, that's a good idea, coz it's from me :>
> Next holiday I hopefully find time to port it to some other
> BSD's. Also extension of the weak-path concept would be cool.
> I'd appreciate the help of experienced programmers who could
> write detection scripts on top of this driver.

Check out CLIPS (http://www.ghgcorp.com/clips/CLIPS.html) *g*
and not to forget Emerald's P-BEST expert system. SRI assembled
a good knowledge base, but Emerald isn't open source and it's
limited to Solaris.

Nevertheless, a host-based IDS contains more parts than just
a syscall logger. Syscall logging is a good source of
information, but w/o databases, analysis agents and
countermeasure agents, good scalability etc. it's useless in a
production environment.
A serious IDS is very complex. So, as I stated before:
All non-commercial IDS I know _suck_!

Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@xxxxxxx Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
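To make the "syscall logger is not an IDS" point concrete, here is an added example (an editorial illustration, not Krahmer's eye-on-exec driver and not code from this thread) of the analysis-agent layer that would sit on top of a raw exec-syscall log. The one-line-per-exec log format, the trusted/writable path lists and the four rules are all assumptions made for this example; the driver's real output format is not shown on the page, and the sample log is constructed. The agent keeps state (an in-memory event list standing in for the database, per-uid timestamps for the burst rule), tolerates malformed lines instead of crashing, and emits one alert per rule hit, which is the minimum any detection script on top of such a logger would need.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed (constructed) log format, one exec() per line; not the real driver's output:
#   <ts> pid=<n> ppid=<n> uid=<n> euid=<n> exec=<path> [argv=<args>]
LINE_RE = re.compile(
    r"^(?P<ts>\d+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) uid=(?P<uid>\d+) "
    r"euid=(?P<euid>\d+) exec=(?P<path>\S+)(?: argv=(?P<argv>.*))?$"
)

@dataclass
class ExecEvent:
    ts: int
    pid: int
    ppid: int
    uid: int
    euid: int
    path: str
    argv: str

def parse_line(line):
    """Return an ExecEvent, or None if the line does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    return ExecEvent(int(g["ts"]), int(g["pid"]), int(g["ppid"]), int(g["uid"]),
                     int(g["euid"]), g["path"], g["argv"] or "")

# Illustrative policy (assumption); a real knowledge base is far larger.
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/")
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/ksh", "/bin/csh"}

# Each rule gets the event and the agent (for state) and returns a message or None.
def rule_exec_from_writable_dir(ev, agent):
    if ev.path.startswith(WRITABLE_PREFIXES):
        return "exec from world-writable directory"
    return None

def rule_untrusted_binary(ev, agent):
    # Writable dirs are already covered by the rule above, so exclude them here.
    if not ev.path.startswith(TRUSTED_PREFIXES + WRITABLE_PREFIXES):
        return "exec of binary outside trusted paths"
    return None

def rule_setuid_shell(ev, agent):
    # Unprivileged real uid, root effective uid, and the new image is a shell:
    # the classic shape of a setuid program being driven into a root shell.
    if ev.uid != 0 and ev.euid == 0 and ev.path in SHELLS:
        return "unprivileged user obtained root shell via setuid exec"
    return None

def rule_exec_burst(ev, agent):
    # Stateful rule: more than burst_limit execs by one uid inside burst_window seconds.
    window = agent.recent[ev.uid]
    window.append(ev.ts)
    while window and window[0] < ev.ts - agent.burst_window:
        window.popleft()
    n = len(window)
    if n > agent.burst_limit:
        window.clear()  # one burst yields one alert, not one per extra exec
        return "exec burst (%d execs within %ds)" % (n, agent.burst_window)
    return None

class AnalysisAgent:
    """Consumes raw log lines, keeps state, applies rules, collects alerts."""
    def __init__(self, rules, burst_limit=5, burst_window=2):
        self.rules, self.burst_limit, self.burst_window = rules, burst_limit, burst_window
        self.recent = defaultdict(deque)  # uid -> recent exec timestamps
        self.events = []                  # stand-in for the event database
        self.alerts = []                  # (ts, pid, uid, rule name, message)
        self.unparsed = 0                 # malformed lines are counted, never ignored

    def feed(self, line):
        ev = parse_line(line)
        if ev is None:
            self.unparsed += 1
            return
        self.events.append(ev)
        for rule in self.rules:
            msg = rule(ev, self)
            if msg:
                self.alerts.append((ev.ts, ev.pid, ev.uid, rule.__name__, msg))

    def run(self, lines):
        for line in lines:
            self.feed(line)
        return self.alerts

ALL_RULES = [rule_exec_from_writable_dir, rule_untrusted_binary,
             rule_setuid_shell, rule_exec_burst]

# Constructed sample log for the example (not real driver output).
SAMPLE_LOG = """\
1000 pid=101 ppid=1 uid=500 euid=500 exec=/usr/bin/vim argv=vim notes.txt
1001 pid=102 ppid=101 uid=500 euid=500 exec=/tmp/.x/backdoor argv=./backdoor
1002 pid=103 ppid=102 uid=500 euid=0 exec=/bin/sh argv=sh -i
1003 pid=104 ppid=1 uid=0 euid=0 exec=/usr/sbin/sshd argv=sshd
this line is corrupt and must not crash the agent
1004 pid=105 ppid=1 uid=501 euid=501 exec=/usr/bin/id
1004 pid=106 ppid=1 uid=501 euid=501 exec=/usr/bin/id
1004 pid=107 ppid=1 uid=501 euid=501 exec=/usr/bin/id
1004 pid=108 ppid=1 uid=501 euid=501 exec=/usr/bin/id
1005 pid=109 ppid=1 uid=501 euid=501 exec=/usr/bin/id
1005 pid=110 ppid=1 uid=501 euid=501 exec=/usr/bin/id
"""

def run_sample():
    agent = AnalysisAgent(ALL_RULES)
    agent.run(SAMPLE_LOG.splitlines())
    return agent

if __name__ == "__main__":
    a = run_sample()
    for alert in a.alerts:
        print("ALERT ts=%d pid=%d uid=%d %s: %s" % alert)
    print("%d events stored, %d unparsed lines" % (len(a.events), a.unparsed))
```

On the constructed log this raises three alerts: the exec from /tmp, the root shell spawned with an unprivileged real uid, and the six-exec burst by uid 501; the corrupt line is counted rather than dropped. Everything the rules need beyond the single event (the per-uid timestamp window, the stored event list a countermeasure agent would query) lives in the agent, which is exactly the part a bare syscall logger does not give you.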