Re: Summary of some IDS tools capabilities

Aziz MOUNJI (amo@info.fundp.ac.be)
Thu, 21 Sep 1995 10:09:33 +0200

This is a description of the ASAX (Advanced Security audit trail 
Analysis on uniX) system. There are now two versions of ASAX: 
a single host audit trail analysis version and a distributed 
audit trail analysis version. I describe here the features of
each version.

1. SINGLE HOST AUDIT TRAIL ANALYSIS

Universality:
-------------

Is addressed thanks to the normalized audit file format (NADF). 
This NADF format is universal in the sense that we believe that 
all existing (and future) audit trails can be translated into it 
in a sufficiently straightforward way. Audit trail analysis is
performed on normalized audit trails only. In addition, so-called
Format Adaptors are provided to translate native audit trails
into the normalized format. We have so far developed Format Adaptors 
for SunOS 4.1.1, BS2000 and SINIX. A generic Format Adaptor is under
study.

Power:
------

Is provided by the language RUSSEL (RUle-baSed and Sequence Evaluation 
Language), which allows one to express complex selection criteria over
arbitrarily long sequences of records while still processing the file
sequentially *from left to right*. This last feature is of course
mandatory to ensure efficiency, since the volume of data to be processed 
is very large. The basic principle is that the information about the past
is stored in a set of active evaluation rules that are used to
analyse the next audit record. Those rules may in turn trigger 
new rules for the analysis of the rest of the trail. RUSSEL is tailor-made
for the audit trail analysis problem.

Efficiency:
-----------
Is achieved on the one hand by the very principle of the rule-based 
language, which processes each record only once, and, on the other 
hand, by efficient implementation techniques. In addition, ASAX is an
on-line system.
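
The Power and Efficiency points above (one left-to-right pass, rules that carry facts about the past in their state, rules that trigger further rules for the rest of the trail) are illustrated by the following added example. It is a small Python model of that principle, not RUSSEL syntax or any code from the ASAX project; the record fields, the rules and the sample trail are constructed assumptions.

```python
# Added Python model of the RUSSEL principle described above (not RUSSEL
# syntax): a single left-to-right pass, rules that keep facts about the past
# in their state, and rules that trigger further rules for the rest of the
# trail. Record fields and the sample trail are constructed assumptions.
from collections import namedtuple
Record = namedtuple("Record", "seq event user result")   # one normalized audit record

def run(rules, trail):
    """Single pass: each record is handed once to every rule active at that point."""
    reports = []
    for rec in trail:
        active, rules = rules, []          # rules re-trigger themselves to stay active
        for rule, state in active:
            rule(rec, state, rules.append, reports.append)
    return reports

def count_failures(rec, state, trigger, report):
    # Always-active rule; the per-user failed-login counts live in its state.
    fails = dict(state["fails"])
    if rec.event == "login" and rec.result == "fail":
        fails[rec.user] = fails.get(rec.user, 0) + 1
        if fails[rec.user] >= state["threshold"]:
            report(("burst", rec.user, rec.seq))
            fails.pop(rec.user)
            # Trigger a rule that watches only this user over the next records.
            trigger((watch_success, {"user": rec.user,
                                     "deadline": rec.seq + state["window"]}))
    elif rec.event == "login" and rec.result == "ok":
        fails.pop(rec.user, None)          # a success resets the counter
    trigger((count_failures, {**state, "fails": fails}))

def watch_success(rec, state, trigger, report):
    # Triggered rule: retires when the window closes or on a matching success.
    if rec.seq > state["deadline"]:
        return
    if rec.event == "login" and rec.user == state["user"] and rec.result == "ok":
        report(("burst_then_success", rec.user, rec.seq))
        return
    trigger((watch_success, state))

TRAIL = [Record(*r) for r in [             # constructed sample trail
    (1, "login", "bob", "fail"), (2, "login", "alice", "ok"),
    (3, "login", "bob", "fail"), (4, "login", "bob", "fail"),
    (5, "exec", "bob", "ok"), (6, "login", "bob", "ok"),
    (7, "login", "carol", "fail"), (8, "login", "carol", "fail"),
    (9, "login", "carol", "ok")]]

def analyze(trail=TRAIL, threshold=3, window=5):
    start = {"fails": {}, "threshold": threshold, "window": window}
    return run([(count_failures, start)], trail)
```

Running `analyze()` on the sample trail reports a burst of failed logins for bob at record 4 and the success that follows it at record 6, while carol's two failures stay below the threshold.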

2. DISTRIBUTED AUDIT TRAIL ANALYSIS

This system is a distributed on-line system capable of performing 
efficient, intelligent and network-level analysis of security audit 
trails in a network of SUN workstations. The distributed system is 
in fact an extension of the SINGLE HOST AUDIT TRAIL ANALYSIS system 
outlined above.

At the network level, the system consists of one central or master machine
and one or more slave machines. Slave machines analyze their local audit
trails and send the filtered audit records to the master machine, which 
then performs a more intelligent analysis. The filtering of audit data at
each node has all of the features of the SINGLE HOST AUDIT TRAIL ANALYSIS. 

AVAILABILITY:
-------------

These two systems are prototype versions. At present, only the SINGLE HOST AUDIT 
TRAIL ANALYSIS is publicly available from the following sites: 

        ftp.info.fundp.ac.be:/pub/projects/asax
        ftp://ftp.info.fundp.ac.be/pub/projects/asax
        ftp://www.info.fundp.ac.be/~amo
        ftp://coast.cs.purdue.edu/pub/tools/unix/asax

All reports and conference papers are included in the above archives. (See
FILES AND DIRECTORIES section of the Readme file.)

I am now using the idea behind Kuang (part of COPS) to make ASAX assess
the file protection of security sensitive files ON-LINE. As soon as a
vulnerability is found, it is reported (obvious) AND rules are triggered
automatically to watch for attacks exploiting them. This makes the system
predictive. Furthermore, we are developing a (rule-based) language
to express how file protections can be exploited. In Kuang, these rules
were hard-coded.

Collaboration is welcome.

Aziz-

 --------------------------+-------------------------------------
| Abdelaziz Mounji	   |	amo@info.fundp.ac.be             |
| ASAX project		   |	http://www.info.fundp.ac.be/~amo |
| Institut d'Informatique  |	voice: +32 81 724987             |
| University of Namur  	   |	Fax  : +32 81 724967             |
 ----------------------------------------------------------------