IDS mailing list archives
Re: Application level IDS?
From: Dug Song <dugsong () monkey org>
Date: Thu, 19 Jun 2003 10:42:51 -0400
On Wed, Jun 18, 2003 at 09:26:19PM -0400, Eric Greenberg wrote:
Or if there were a profile of the application (a dynamically developed sandbox "profile") and an application stepped out of those bounds, a system could perhaps detect it. I tend to think of it as an operating system level function in an ideal world. No doubt though, application-level IDS's nearly become operating system overlays.
systrace allows you to interactively (or automatically) permit/deny syscall-level rules per application (or for all child processes). it already ships with OpenBSD and NetBSD, and has been ported to Linux and MacOS X. a Solaris port would be most welcome. see http://www.systrace.org/ for details...

-d.

---
http://www.monkey.org/~dugsong/
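The idea discussed in this exchange, a per-application profile built from observed behaviour plus permit/deny rules on system calls, is sketched below as an added example; it is not part of the original post and is neither systrace's code nor its policy syntax. The program path, traces, rule tuples and function names are all constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed traces of (program, syscall, argument); not real systrace output.
TRAINING = [
    ("/usr/sbin/httpd", "open", "/var/www/index.html"),
    ("/usr/sbin/httpd", "open", "/var/www/img/logo.png"),
    ("/usr/sbin/httpd", "bind", "inet:0.0.0.0:80"),
    ("/usr/sbin/httpd", "write", "/var/log/httpd/access.log"),
]
LIVE = [
    ("/usr/sbin/httpd", "open", "/var/www/about.html"),
    ("/usr/sbin/httpd", "open", "/etc/master.passwd"),
    ("/usr/sbin/httpd", "execve", "/bin/sh"),
    ("/usr/sbin/httpd", "write", "/var/log/httpd/access.log"),
]

def generalise(arg):
    """Widen a file path to its directory so sibling files match; keep other arguments exact."""
    head, _, _ = arg.rpartition("/")
    return head + "/*" if arg.startswith("/") and head else arg

def learn(trace):
    """Build a per-program permit list from a trace assumed to be clean."""
    policy = {}
    for program, syscall, arg in trace:
        rule = (syscall, generalise(arg), "permit")
        rules = policy.setdefault(program, [])
        if rule not in rules:
            rules.append(rule)
    return policy

def evaluate(policy, program, syscall, arg):
    """First matching rule wins; anything the profile does not cover is denied."""
    for rule_call, pattern, action in policy.get(program, []):
        if rule_call == syscall and fnmatchcase(arg, pattern):
            return action
    return "deny"

def audit(policy, events):
    """Return the events that step outside the profile."""
    return [e for e in events if evaluate(policy, *e) == "deny"]

if __name__ == "__main__":
    policy = learn(TRAINING)
    # A hand-written deny placed first overrides the broader learned permit.
    policy["/usr/sbin/httpd"].insert(0, ("open", "/var/www/private/*", "deny"))
    for event in audit(policy, LIVE):
        print("out of profile:", *event)
```

A learned profile is only as trustworthy as the trace it was built from, and the directory-level widening in `generalise` trades false alarms for coverage; both choices need review before such a profile is enforced.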