Bert Gijsbers wrote:
> gt5139c@prism.gatech.edu writes:
>> This is true--I presume you're talking about things
>> like average online time / week, use of various
>> specialized resources (why is this person who
>> usually just reads email suddenly telneting to
>> hosts all over the Internet?), &c.
>>
>> I had the thought of changing commonly abused
>> commands (ls, rm, &c.) to locally known aliases.
>> The original command names are compiled programs
>> which log a possible anomaly, and then run the
>> aliased program.
>>
>> Crude--but could it be effective?
> But a smart intruder likely uses his own tools
> and/or replaces the system tools with his own.
> So an IDS should not depend on those, but rather
> combine features from netstat and ps to read the
> kernel memory to know for sure what's going on.

I don't think that any results of netstat or ps are reliable. For example,
it is very easy to change process names/IDs (perl: $0 = "new name")
[historical tidbit: this was one of many tricks used in the Internet worm;
the process name was changed to /bin/sh and it kept forking new processes
to constantly change its PID].

Additionally, netstat results are also not reliable. Though a little more
difficult to fake, a simple solution is to set up a port redirector on
another system, so that all net access goes to the remote system (which
isn't under local control), which then gets redirected to the intended host.

I mentioned one way you can deal with this problem in my previous mail
about enforcing computer policy. Essentially it would be desirable to
register system services/resources on some signature-based action. Now we
can assign access controls on services; essentially only registered actions
can be performed by authorized subjects.

> Bert Gijsbers

--
+---------------------+--------------------------------------------------+
|  ____ ___           | Justin Lister                  ruf@cs.uow.edu.au |
| |    \\ /\ __\      | Center for Computer Security Research            |
| | |) / \_/ / |_     | Dept. Computer Science      voice: 61-42-835-114 |
| |  _ \\ /| _/       | University of Wollongong    fax:   61-42-832-807 |
| |_/ \/ \_/ |_| (tm) | Computer Security a utopian dream...             |
|                     | Disclaimer: dreaming is at own risk              |
+---------------------+--------------------------------------------------+
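The two points in the message about ps, as an added example that is not part of the original thread or the poster's own code: a process renames itself the way perl's $0 assignment (or the worm) did, and the only thing the IDS can trust is the kernel's record of which binary is executing, checked against a registry of names each binary is allowed to run under (the "registered services" idea). It assumes Linux (/proc/<pid>/comm, /proc/<pid>/cmdline, /proc/<pid>/exe and prctl(PR_SET_NAME)); the registry and process records under SAMPLE_* are constructed sample data, not from any real host, and the live part skips itself on other systems.

```python
"""ps prints what a process says about itself; the kernel knows what it runs.

Added example for the message above, not the poster's code. Assumes Linux:
/proc/<pid>/comm and /proc/<pid>/cmdline hold the name ps displays and the
process can rewrite both (perl's $0 = "..." does this), whereas
/proc/<pid>/exe is a kernel-maintained link to the binary actually running.
"""
import ctypes
import ctypes.util
import os

PR_SET_NAME = 15  # prctl(2) option that rewrites /proc/self/comm
COMM_LEN = 15     # the kernel keeps at most 15 bytes of comm


def disguise_self(fake_name: str) -> bool:
    """Rename the running process as an intruder's tool would; False off Linux."""
    if not os.path.exists("/proc/thread-self/comm"):
        return False
    libc_name = ctypes.util.find_library("c") or "libc.so.6"
    try:
        libc = ctypes.CDLL(libc_name, use_errno=True)
    except OSError:
        return False
    return libc.prctl(PR_SET_NAME, fake_name.encode()[:COMM_LEN], 0, 0, 0) == 0


def read_proc(pid) -> dict:
    """Collect what ps would show (comm, argv[0]) beside the truth (exe)."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as f:
        comm = f.read().strip()
    with open(f"{base}/cmdline", "rb") as f:
        argv0 = f.read().split(b"\0")[0].decode(errors="replace")
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = ""  # kernel threads and zombies have no exe link
    return {"pid": pid, "comm": comm, "argv0": argv0, "exe": exe}


def claimed_names(entry: dict) -> set:
    """Every name the process advertises; all of it is self-reported."""
    return {n for n in (entry["comm"], os.path.basename(entry["argv0"])) if n}


def build_registry(path_dirs) -> dict:
    """Map each real binary to the names it may legitimately run under.

    The 'registered services' idea from the message: a name is valid only for
    the binary it was registered with. Symlinks register too, so a dash
    process may call itself 'sh' when /bin/sh -> dash.
    """
    registry = {}
    for d in path_dirs:
        for name in (os.listdir(d) if os.path.isdir(d) else ()):
            full = os.path.join(d, name)
            if os.path.isfile(full) and os.access(full, os.X_OK):
                real = os.path.realpath(full)
                registry.setdefault(real, set()).update({name, name[:COMM_LEN]})
    return registry


def suspicious(entry: dict, registry: dict) -> bool:
    """True when no advertised name is registered for the binary actually run.

    Scripts show the script name with the interpreter as exe and are flagged
    too; an IDS would register known scripts just like binaries.
    """
    exe = entry["exe"].replace(" (deleted)", "")
    if not exe:
        return False
    base = os.path.basename(exe)
    allowed = set(registry.get(exe, ())) | {base, base[:COMM_LEN]}
    return not (claimed_names(entry) & allowed)


# Constructed sample of what an IDS might collect; not data from a real host.
SAMPLE_REGISTRY = {
    "/usr/bin/dash": {"sh", "dash"},
    "/usr/bin/python3.11": {"python3", "python3.11", "python"},
}
SAMPLE_PROCS = [
    {"pid": 101, "comm": "sh", "argv0": "/bin/sh", "exe": "/usr/bin/dash"},
    {"pid": 102, "comm": "python3", "argv0": "python3", "exe": "/usr/bin/python3.11"},
    # The worm's trick: a Python process that now calls itself /bin/sh.
    {"pid": 103, "comm": "sh", "argv0": "/bin/sh", "exe": "/usr/bin/python3.11"},
]


def live_demo():
    """Rename this process; return ps's view before and after, or None off Linux."""
    if not os.path.exists("/proc/thread-self/comm"):
        return None
    before = read_proc("thread-self")
    return {"before": before, "after": read_proc("thread-self")} if disguise_self("sh") else None


if __name__ == "__main__":
    for p in SAMPLE_PROCS:
        print(p["pid"], p["comm"], p["exe"], "SUSPICIOUS" if suspicious(p, SAMPLE_REGISTRY) else "ok")
    if (demo := live_demo()):
        print("comm:", demo["before"]["comm"], "->", demo["after"]["comm"], "exe:", demo["after"]["exe"])
```

After `disguise_self("sh")`, `ps -o comm` lists this process as `sh` while `/proc/<pid>/exe` still points at the Python interpreter; `suspicious()` keys on that link rather than on either self-reported name. On a real host build the registry from the machine's own PATH (`build_registry(os.environ["PATH"].split(":"))`) and accept that interpreter scripts need registering as well, otherwise they are reported alongside the disguised processes.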
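The netstat point from the message, as an added example that is not part of the original thread: a port redirector on a host outside local control means the local connection table only ever records the redirector, never the real destination. Everything here runs on 127.0.0.1 with ephemeral ports so it can be executed offline; the "target", "redirector" and the single `hello` request are constructed stand-ins for the remote hosts the message describes.

```python
"""netstat sees the next hop, not the destination.

Added example for the message above, not the poster's code. A client talks
to a redirector, the redirector forwards to the real target, and the client's
own socket (the entry netstat would print) names only the redirector.
"""
import socket
import threading

HOST = "127.0.0.1"


def _listen() -> socket.socket:
    """Listening socket on a free local port; nothing fixed is assumed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))
    s.listen(1)
    return s


def start_target(seen: dict) -> int:
    """The real destination: records which peer connected and echoes with a tag."""
    srv = _listen()

    def run():
        conn, peer = srv.accept()
        with conn, srv:
            seen["peer"] = peer          # the redirector, not the original client
            conn.sendall(b"target-saw:" + conn.recv(1024))

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def start_redirector(target_port: int) -> int:
    """Port redirector: accept, open a fresh connection to the target, pipe one exchange."""
    srv = _listen()

    def run():
        conn, _ = srv.accept()
        with conn, srv, socket.create_connection((HOST, target_port)) as upstream:
            upstream.sendall(conn.recv(1024))
            conn.sendall(upstream.recv(1024))

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def run_demo() -> dict:
    """Client view (what local netstat knows) versus where the data really went."""
    seen = {}
    target_port = start_target(seen)
    redirect_port = start_redirector(target_port)
    with socket.create_connection((HOST, redirect_port)) as client:
        client.sendall(b"hello")
        reply = client.recv(1024)
        remote = client.getpeername()  # the only foreign address netstat would list
    return {
        "reply": reply,
        "client_remote_port": remote[1],
        "redirect_port": redirect_port,
        "target_port": target_port,
        "target_saw_port": seen["peer"][1],
    }


if __name__ == "__main__":
    r = run_demo()
    print("reply:", r["reply"])
    print("netstat on the client shows foreign port", r["client_remote_port"],
          "(redirector); the data actually reached port", r["target_port"])
```

The client-side socket reports the redirector as its peer and the target sees the redirector's ephemeral port as its peer, so neither host's connection table links the client to the destination; only logs on the redirector itself, which the message places outside local control, would do that.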