Re: so, shall we get started?

Justin J. Lister (ruf@SPi)
Mon, 29 Aug 1994 04:44:13 +1000 (EST)

"Bert Gijsbers wrote:"

>gt5139c@prism.gatech.edu writes:
>> This is true--I presume you're talking about thing
>> like average online time / week, use of various
>> specialized resources (why is this person who 
>> usually just reads email suddenly telneting to
>> hosts all over the Internet?), &c.
>> 
>> I had the thought of changing commonly abused
>> commands (ls, rm, &c.) to locally known aliases.
>> The original command names are compiled programs
>> which log a possible anomaly, and then run the 
>> aliased program.
>> 
>> Crude--but could it be effective?

>But a smart intruder likely uses his own tools
>and/or replaces the system tools with his own.
>So an IDS should not depend on those, but rather
>combine features from netstat and ps to read the
>kernel memory to know for sure what's going on.

I don't think that any results of netstat or ps are reliable. For example,
it is very easy to change process names/ids (perl $0="new name")
[historical tidbit: this was one of many tricks used in the Internet worm;
the process name was changed to /bin/sh and it kept forking new processes to
constantly change pid]. Additionally, netstat results are also not reliable;
though a little more difficult to fake, a simple solution is to set up
a port redirector on another system, so that all net access goes to the remote
system (which isn't under local control), which then gets redirected to
the intended host.

I mentioned one way you can deal with this problem in my previous mail
about enforcing computer policy. Essentially it would be desirable to
register system services/resources on some signature-based action. Now
we can assign access controls on services; essentially only registered
actions can be performed by authorized subjects.

>Bert Gijsbers

-- 
+---------------------+--------------------------------------------------+
|  ____       ___     | Justin Lister                 ruf@cs.uow.edu.au  |
| |    \\   /\ __\    |     Center for Computer Security Research        |
| | |) / \_/ / |_     | Dept. Computer Science      voice: 61-42-835-114 |
| |  _ \\   /| _/     | University of Wollongong      fax: 61-42-832-807 |
| |_/ \/ \_/ |_| (tm) |     Computer Security a utopian dream...         |
|                     |       Disclaimer: dreaming is at own risk        |
+---------------------+--------------------------------------------------+
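The $0 trick discussed in the post means a listing that trusts the advertised process name is unreliable. One defender-side cross-check, added here as an example that is not part of the thread, compares argv[0] from /proc/<pid>/cmdline against the executable the kernel actually mapped (/proc/<pid>/exe); a process calling itself /bin/sh while running the perl binary shows up as a mismatch. The Linux /proc layout and the `resolve_argv0` alias handling are assumptions, and the sample records are constructed.

```python
"""Detect processes whose advertised name (argv[0]) disagrees with the
executable the kernel mapped for them. Added example, not the post's code.
Assumes Linux /proc; records can also be constructed by hand for testing."""
import os
import shutil
from dataclasses import dataclass


@dataclass
class ProcRecord:
    pid: int
    argv0: str   # first NUL-separated field of /proc/<pid>/cmdline, writable by the process
    exe: str     # target of /proc/<pid>/exe, set by the kernel at exec time


def resolve_argv0(argv0):
    """Map argv[0] to the real file it names, so that legitimate aliases
    (e.g. sh -> dash via a symlink) are not reported as spoofing."""
    path = argv0 if "/" in argv0 else (shutil.which(argv0) or argv0)
    return os.path.realpath(path)


def spoofed_name(rec, resolve=resolve_argv0):
    """Return a reason string if argv[0] does not name rec.exe, else None."""
    if not rec.argv0 or not rec.exe:
        return None      # kernel threads and zombies have neither; skip them
    claimed = resolve(rec.argv0)
    if claimed == rec.exe or os.path.basename(claimed) == os.path.basename(rec.exe):
        return None      # same program, possibly a different install path
    return f"pid {rec.pid}: argv[0] {rec.argv0!r} but exe is {rec.exe!r}"


def audit(records, resolve=resolve_argv0):
    """Run spoofed_name over all records and return the non-empty findings."""
    return [r for r in (spoofed_name(rec, resolve) for rec in records) if r]


def collect_linux():
    """Read every readable /proc/<pid> into a ProcRecord (needs root to see all)."""
    recs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0", 1)[0].decode(errors="replace")
            exe = os.readlink(f"/proc/{pid}/exe").removesuffix(" (deleted)")
        except OSError:
            continue     # process exited, or its exe link is not readable by us
        recs.append(ProcRecord(pid, argv0, exe))
    return recs


if __name__ == "__main__":
    for finding in audit(collect_linux()):
        print(finding)
```

A renamed process can still hide from this check by also replacing the binary it runs, so it complements rather than replaces kernel-side integrity checks.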