Re: so, shall we get started?

Bert Gijsbers (bertg@fwi.uva.nl)
Wed, 24 Aug 1994 16:59:54 +0200

gt5139c@prism.gatech.edu writes:
> This is true--I presume you're talking about things
> like average online time / week, use of various
> specialized resources (why is this person who 
> usually just reads email suddenly telnetting to
> hosts all over the Internet?), &c.
> 
> I had the thought of changing commonly abused
> commands (ls, rm, &c.) to locally known aliases.
> The original command names are compiled programs
> which log a possible anomaly, and then run the 
> aliased program.
> 
> Crude--but could it be effective?

But a smart intruder likely uses his own tools
and/or replaces the system tools with his own.
So an IDS should not depend on those, but rather
combine features from netstat and ps to read the
kernel memory to know for sure what's going on.

Bert Gijsbers
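
The cross-check suggested in the reply above, as an added example that is not part of the original message: it joins the socket table (what netstat shows) with the process table (what ps shows) from kernel-exported data, without running either tool. It assumes Linux's /proc text interface on a little-endian host as a stand-in for reading kernel memory directly; the sample data is constructed and all function names are hypothetical.

```python
import re
import socket
import struct

# Constructed sample in Linux /proc/net/tcp layout (not from a real host).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 0
   1: 0A00000A:C350 076433C6:0017 01 00000000:00000000 00:00000000 00000000  1000        0 22002 1 0
   2: 0A00000A:C351 057100CB:0017 01 00000000:00000000 00:00000000 00000000  1000        0 33003 1 0
"""
# Constructed stand-in for readlink() over /proc/<pid>/fd/*: pid -> (comm, fd targets).
SAMPLE_FDS = {101: ("sshd", ["socket:[11001]"]),
              4242: ("telnet", ["socket:[22002]", "/dev/pts/3"])}

STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}  # subset of the kernel's TCP states

def decode_endpoint(field):
    """'0A00000A:C350' -> '10.0.0.10:50000' (address is a little-endian u32)."""
    addr, port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr, 16)))
    return f"{ip}:{int(port, 16)}"

def inode_owners(fds):
    """Invert the per-process fd view into socket inode -> (pid, comm)."""
    owners = {}
    for pid, (comm, targets) in fds.items():
        for target in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners[int(m.group(1))] = (pid, comm)
    return owners

def cross_view(tcp_text, fds):
    """Join the socket table with the process table on socket inode."""
    owners = inode_owners(fds)
    rows = []
    for line in tcp_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        pid, comm = owners.get(int(f[9]), (None, None))
        rows.append((decode_endpoint(f[1]), decode_endpoint(f[2]),
                     STATES.get(f[3], f[3]), int(f[7]), pid, comm))
    return rows

def unowned_established(rows):
    """Live connections with no visible owning process deserve a closer look."""
    return [r for r in rows if r[2] == "ESTABLISHED" and r[4] is None]
```

On a live host an unowned socket can also come from insufficient privileges to read another user's fd directory or from a process exiting mid-scan, so a hit is a lead to investigate rather than a verdict.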