Justin Lister wrote:
> "Bert Gijsbers wrote:"
>
> >gt5139c@prism.gatech.edu writes:
> >> This is true--I presume you're talking about things
> >> like average online time / week, use of various
> >> specialized resources (why is this person who
> >> usually just reads email suddenly telneting to
> >> hosts all over the Internet?), &c.
> >>
> >> I had the thought of changing commonly abused
> >> commands (ls, rm, &c.) to locally known aliases.
> >> The original command names are compiled programs
> >> which log a possible anomaly, and then run the
> >> aliased program.
> >>
> >> Crude--but could it be effective?
>
> >But a smart intruder likely uses his own tools
> >and/or replaces the system tools with his own.
> >So an IDS should not depend on those, but rather
> >combine features from netstat and ps to read the
> >kernel memory to know for sure what's going on.
>
> I don't think that any results of netstat or ps are reliable. For example
> it is very easy to change process names/id (perl $0="new name")

It doesn't negate your other comments, but the -c option to ps prints the name "as stored internally", I assume from the PCB, which a normal user can't modify.

rik.

--
The Fulcrum Consulting Group
Rik Harris - rik.harris@fulcrum.com.au              +61 3 621-2100 (BH)
12th Floor, 10-16 Queen St. Melbourne VIC 3000.     +61 3 621-2724 (Fax)
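The cross-check Rik describes (the name a process chooses for itself versus the name the kernel holds), as an added example that is not part of this thread. It assumes a Linux /proc filesystem and treats the /proc/PID/exe link as the kernel-recorded name, since that link is fixed at execve time while argv[0] (what `perl -e '$0="new name"'` rewrites) is process-writable.

```python
"""Flag processes whose self-reported name disagrees with the kernel's record.
Assumption: Linux /proc; /proc/PID/exe plays the role of the ps -c name."""
import os
from pathlib import Path
from typing import List, Optional, Tuple

PROC = Path("/proc")


def name_mismatch(argv0: str, kernel_name: str) -> bool:
    """True when argv[0] (rewritable by the process, e.g. via perl's $0)
    names a different program than the executable the kernel loaded."""
    reported = os.path.basename(argv0) if argv0 else ""
    return reported != "" and reported != kernel_name


def kernel_name(pid: int) -> Optional[str]:
    """Basename of the /proc/PID/exe link, set by the kernel at execve and
    not modifiable by the process. None for kernel threads, exited
    processes, or when we lack permission to read the link."""
    try:
        return os.path.basename(os.readlink(PROC / str(pid) / "exe"))
    except OSError:
        return None


def reported_name(pid: int) -> str:
    """argv[0] from /proc/PID/cmdline (NUL-separated, process-writable)."""
    try:
        raw = (PROC / str(pid) / "cmdline").read_bytes()
    except OSError:
        return ""
    return raw.split(b"\0", 1)[0].decode(errors="replace")


def find_renamed_processes() -> List[Tuple[int, str, str]]:
    """Return (pid, argv[0], exe name) for every live process whose
    self-reported name differs from the kernel's record."""
    suspects = []
    if not PROC.is_dir():  # non-Linux host: nothing to inspect
        return suspects
    for entry in PROC.iterdir():
        if not entry.name.isdigit():
            continue
        pid = int(entry.name)
        kname = kernel_name(pid)
        if kname is None:
            continue
        argv0 = reported_name(pid)
        if name_mismatch(argv0, kname):
            suspects.append((pid, argv0, kname))
    return suspects


if __name__ == "__main__":
    for pid, argv0, kname in find_renamed_processes():
        print(f"pid {pid}: claims {argv0!r}, kernel says {kname!r}")
```

Expect benign hits from symlinked interpreters (argv[0] `sh` with exe `dash`, `python3` with `python3.11`), so treat the output as a triage list and allowlist known pairs rather than alerting on every mismatch.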