IDS mailing list archives
Re: Need some information on HIDS!
From: "SecurIT Informatique Inc." <securit () iquebec com>
Date: Fri, 04 Mar 2005 09:28:34 -0500
At 10:43 PM 01/03/2005, Frank Knobbe wrote:
> On Mon, 2005-02-28 at 13:48 -0500, SecurIT Informatique Inc. wrote:
> > Hello. I have already invoked such a scenario in some of my previous IDS
> > work/articles. What I had in mind is something like encrypting the whole
> > network traffic, to prevent sniffing from intruders (let's say wall-to-wall
> > SSH, for example). In such an environment, if you still wanted to keep
> > some NIDS capabilities, you'd actually have to install NIDS software (Snort
> > comes to mind) on every host on the network, in non-promiscuous mode (since
> > sniffing the rest of the network traffic is useless, since it is encrypted).
>
> Non-promiscuous mode shouldn't matter. If you sniff on the network interface, you are still only sniffing encrypted traffic. The only way I can see this work, which may be the direction you're heading and what you are proposing here, is to sniff traffic on the loop-back adapter.
I have not implemented this, so in my mind it is still theoretical, but what I had in mind is that sniffing local data should be done in the IP stack after it's been dealt with by the encryption layer. This is what I had in mind with "non-promiscuous", since the local IP stack will be unable to decrypt the traffic not pertaining to it. Maybe SSH was not the best example, but I think you got the idea.
> (snip)
>
> But since you are already on the host, why not monitor syscalls and applications directly?
That's what I'm currently doing/planning to do with some of my own software. The suggested setup I mentioned here was in relation to the original question in this list.
Adam
> Cheers,
> Frank
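The setup the two of them are circling (encrypt everything on the wire, so the only place a content-matching IDS still sees plaintext is on the host, after the decryption layer) can be shown concretely. The following is an added example, not code from the thread or from Snort; it assumes that the encrypted transport (an SSH port forward, stunnel, or similar) terminates on the host and hands plaintext to a service bound to 127.0.0.1, and that a small inspecting relay is inserted on the loopback between the two. Rule contents, SIDs and the echo back end are constructed for the demonstration.

```python
import socket
import threading

# Constructed Snort-style content rules: (sid, message, bytes to match).
# In the scenario above these would only ever match here, on the loopback
# side of the decryption layer; on the physical NIC the same bytes are ciphertext.
RULES = [
    (1000001, "shell path in decrypted stream", b"/bin/sh"),
    (1000002, "directory traversal in decrypted stream", b"../../"),
]


def match_rules(payload, rules=RULES):
    """Return the (sid, msg) pairs whose content appears in the payload, in rule order."""
    return [(sid, msg) for sid, msg, content in rules if content in payload]


class LoopbackInspector:
    """Accept plaintext on 127.0.0.1, relay it to the real service, and inspect
    the client-to-service direction before forwarding each chunk."""

    def __init__(self, backend_port, rules=RULES):
        self.backend_port = backend_port
        self.rules = rules
        self.alerts = []          # (sid, msg) tuples, in detection order
        self._lock = threading.Lock()
        self._sock = socket.socket()
        self._sock.bind(("127.0.0.1", 0))   # 0 = pick a free port (assumption for the demo)
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self._sock.accept()
            except OSError:
                return
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _pump(self, src, dst, inspect):
        """Copy bytes src -> dst; when inspect is set, run the rules on each chunk first."""
        while True:
            data = src.recv(4096)
            if not data:
                break
            if inspect:
                for hit in match_rules(data, self.rules):
                    with self._lock:
                        self.alerts.append(hit)
            dst.sendall(data)
        try:
            dst.shutdown(socket.SHUT_WR)   # propagate EOF so the far side finishes cleanly
        except OSError:
            pass

    def _relay(self, client):
        backend = socket.create_connection(("127.0.0.1", self.backend_port))
        back = threading.Thread(target=self._pump, args=(backend, client, False), daemon=True)
        back.start()
        self._pump(client, backend, True)     # only the request direction is inspected here
        back.join()
        client.close()
        backend.close()


def start_echo_backend():
    """Stand-in for the local service: echoes whatever it receives. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def echo(conn):
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)
        conn.close()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=echo, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def run_demo():
    """Send one benign and one hostile request through the inspector.
    Returns (list of 'response echoed intact' booleans, list of alerts)."""
    inspector = LoopbackInspector(start_echo_backend())
    requests = [
        b"GET /index.html HTTP/1.0\r\n\r\n",                  # constructed, benign
        b"GET /cgi-bin/../../bin/sh HTTP/1.0\r\n\r\n",        # constructed, trips both rules
    ]
    intact = []
    for req in requests:
        c = socket.create_connection(("127.0.0.1", inspector.port))
        c.sendall(req)
        c.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
        c.close()
        intact.append(b"".join(chunks) == req)
    return intact, inspector.alerts


if __name__ == "__main__":
    ok, alerts = run_demo()
    print("relayed intact:", ok)
    for sid, msg in alerts:
        print(f"[{sid}] {msg}")
```

Two caveats a practitioner would attach. The inspector sees plaintext only because it sits on the host side of the decryption endpoint, which is exactly Frank's "sniff on the loop-back adapter" point; pointing the same rules at the physical interface would match nothing. And because the relay is a socket-level tap rather than a promiscuous capture, it only covers flows that are deliberately routed through it, which is why the host-based alternative raised in the thread, watching syscalls and applications directly, covers more than this does.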
Current thread:
- Need some information on HIDS! peng xuena (Feb 28)
- Re: Need some information on HIDS! SecurIT Informatique Inc. (Mar 01)
- Re: Need some information on HIDS! Frank Knobbe (Mar 02)
- Re: Need some information on HIDS! SecurIT Informatique Inc. (Mar 06)
- Re: Need some information on HIDS! Frank Knobbe (Mar 02)
- <Possible follow-ups>
- RE: Need some information on HIDS! Ofer Shezaf (Mar 16)
- Re: Need some information on HIDS! SecurIT Informatique Inc. (Mar 01)