Re: so, shall we get started?

rik.harris@vifp.monash.edu.au
Mon, 29 Aug 1994 08:45:06 +1000

Justin Lister wrote:
> "Bert Gijsbers wrote:"
> 
> >gt5139c@prism.gatech.edu writes:
> >> This is true--I presume you're talking about thing
> >> like average online time / week, use of various
> >> specialized resources (why is this person who 
> >> usually just reads email suddenly telneting to
> >> hosts all over the Internet?), &c.
> >> 
> >> I had the thought of changing commonly abused
> >> commands (ls, rm, &c.) to locally known aliases.
> >> The original command names are compiled programs
> >> which log a possible anomaly, and then run the 
> >> aliased program.
> >> 
> >> Crude--but could it be effective?
> 
> >But a smart intruder likely uses his own tools
> >and/or replaces the system tools with his own.
> >So an IDS should not depend on those, but rather
> >combine features from netstat and ps to read the
> >kernel memory to know for sure what's going on.
> 
> I don't think that any results of netstat or ps are reliable. For example
> it is very easy to change process names/id (perl $0="new name")

It doesn't negate your other comments, but the -c option to ps prints
the name "as stored internally", I assume from the PCB, which a normal
user can't modify.

rik.
--
The Fulcrum Consulting Group                                           o
------------------------------------------------------------------------------
Rik Harris - rik.harris@fulcrum.com.au   +61 3 621-2100 (BH)       /\
12th Floor, 10-16 Queen St. Melbourne VIC 3000.  +61 3 621-2724 (Fax)
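As an added example (not code from this thread or from any of its posters), the following C program is one way to build the "compiled wrapper" gt5139c describes: installed under the name of a commonly abused command, it logs the invocation and then execs the real binary. It also picks up Rik's point about the internally stored name: the caller is identified by the parent process's kernel-stored command name rather than by its argv[0], which any process can rewrite (the perl $0 trick above). It assumes Linux, where /proc/<pid>/comm holds the kernel's copy of the name (the analogue of what `ps -c` prints) and /proc/<pid>/cmdline holds the argv-visible one; REAL_CMD, the syslog tag "cmdwrap" and the LOG_AUTHPRIV facility are choices made for the example.

```c
/* cmdwrap.c: added example, not part of the original thread.
 * Build with REAL_CMD pointing at the real binary, install the result
 * under the original command name, and route logs through syslog.
 * The parent's identity comes from /proc/<ppid>/comm (kernel-stored,
 * like the ps -c name), not from its argv[0], which a user can change. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>
#include <pwd.h>
#include <sys/types.h>

#ifndef REAL_CMD
#define REAL_CMD "/bin/rm"   /* assumption: location of the real command */
#endif

/* Read a small /proc text file into buf as a C string (first field only:
 * comm ends in '\n', cmdline is NUL-separated so argv[0] comes first). */
static int read_proc_text(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* 1 if the kernel-stored name and the argv-visible name disagree.
 * The kernel keeps only the executable's basename, truncated to 15
 * characters, so compare against the basename of argv0; a login shell's
 * "-bash" is a known benign mismatch, so one leading '-' is ignored.
 * Treat a mismatch as a signal worth logging, not a verdict. */
int names_differ(const char *comm, const char *argv0)
{
    const char *base = strrchr(argv0, '/');
    base = base ? base + 1 : argv0;
    if (*base == '-') base++;
    return strncmp(comm, base, 15) != 0;
}

/* Build one log record for the invocation; returns characters written. */
int format_record(char *out, size_t len, const char *user, const char *tty,
                  const char *parent_comm, const char *parent_argv0,
                  int argc, char **argv)
{
    int n = snprintf(out, len, "user=%s tty=%s parent=%s%s args=",
                     user, tty, parent_comm,
                     names_differ(parent_comm, parent_argv0)
                         ? " (argv0 mismatch)" : "");
    for (int i = 0; i < argc; i++) {
        if (n >= (int)len - 1) break;          /* record truncated */
        n += snprintf(out + n, len - n, "%s%s", argv[i],
                      i + 1 < argc ? " " : "");
    }
    return n;
}

int main(int argc, char **argv)
{
    char path[64], comm[64] = "?", argv0[256] = "?", rec[1024];
    pid_t ppid = getppid();

    snprintf(path, sizeof path, "/proc/%d/comm", (int)ppid);
    read_proc_text(path, comm, sizeof comm);
    snprintf(path, sizeof path, "/proc/%d/cmdline", (int)ppid);
    read_proc_text(path, argv0, sizeof argv0);

    struct passwd *pw = getpwuid(getuid());
    const char *tty = ttyname(STDIN_FILENO);
    format_record(rec, sizeof rec, pw ? pw->pw_name : "?",
                  tty ? tty : "notty", comm, argv0, argc, argv);

    openlog("cmdwrap", LOG_PID, LOG_AUTHPRIV);
    syslog(LOG_NOTICE, "%s", rec);
    closelog();

    /* Hand over to the real command with argv unchanged. */
    execv(REAL_CMD, argv);
    perror(REAL_CMD);   /* only reached if the exec failed */
    return 127;
}
```

The wrapper only changes what gets recorded, not what the command does, so users see no difference; the value of the record is that "parent=perl (argv0 mismatch)" survives even when the calling process has renamed itself. As Bert points out above, an intruder who brings their own tools never passes through the wrapper at all, so this is a cheap anomaly source to feed an IDS, not a substitute for looking at the kernel's own view of processes and sockets.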