Re: RFC: Intrusion Scenario archive/repository

tlunt@ARPA.MIL
Fri, 2 Dec 1994 09:03:10 -0500 (EST)

Folks,

I would think that if there is sufficient interest in creating and
maintaining such a repository, so that developers of intrusion detection
systems can have high confidence that the information is correct and
relatively complete, that you might consider formulating this as a
project to propose to some funding source, especially if you also propose
to provide the information in a "safe" way (perhaps on an offline subscription
basis so you know who you are sending it to) to the intrusion detection
developers (and perhaps also users), and you work with CERT or ASSIST or
one of those clearinghouses who collects all this information anyway,
and you formulate the results into rules that are suitable for direct
inclusion into those systems.  This would have the obvious benefit that
the developers don't have to duplicate each others' work, and will mean
that a user of an intrusion detection system doesn't have to be an expert
in intrusion techniques or system vulnerabilities.

As for normal behavior, Calvin Ko at UC Davis is putting together some
rules that encode the normal expected behavior of privileged Unix programs
so you can detect departures from those norms.

Teresa

==============


> Will you start this, maintain a listserv, or summarize on ids?

	I think it could be an adjunct to this list, but first things
first. It must be determined that there is sufficient support for an
undertaking like this. For one person it could easily be a full time
job, but with a large group of persons (such as the members of this
mailing list) contributing on an on-going basis someone might be able
to manage it in their "spare time". @|:-)

	Second, if the support is there, then move on to questions of
"how" it might be done.

	Thanks for your comments.

Jim Truitt