Firewall Wizards mailing list archives

Re: Recording slow scans


From: Crispin Cowan <crispin () cse ogi edu>
Date: Wed, 14 Oct 1998 02:55:04 +0000

Darren Reed wrote:

What I suspect a few people would like to see is a "FWTK-like" set
of programs which Security Consultant Joe Bloggs can rip off and
build back-yard IDSs from to sell to unsuspecting companies.  I'm
not accusing you of that but I doubt I'd hear anyone complain (except
maybe those at NFR/ISS, etc).

You say THAT as if it were a bad thing.

I don't see a whole lot of open-source IDS-ware floating around.  On the
other hand, there are a lot of commercial, closed-source IDS products out
there.  If there was an IDS toolkit, then open source coders could write
clever new instruments, fine-tune stuff, debug stuff, contribute
enhancements back into the community ... you know, that cool stuff that
open-source people tend to do if you let them.

This kind of open source development model seems particularly well-suited to
the IDS problem, where you have the following characteristics:

   * Needs lots of fine-tuning:  many hands can do that in parallel
   * Data-dependent: different people have access to different data sources
   * Different information streams:  IDS instruments can be inserted in lots
     of places, if they can find a convenient fire-alarm to pull

An IDS-TK seems like a very fine thing indeed.  Is there one?

Couple of problems here...
(1) potential loss of revenue for X companies which make IDS products;

That's usually a problem with open source software :-)


(2) significant kernel bloat and subsequent requirements for machines;

True ... so make the IDS enhancement modular, so it can be left out.


(3) all IDS solutions are part-kernel, part-user programs;

Counter-example:  Tripwire.  Slow IDS, no kernel mods required.

Crispin
-----
 Crispin Cowan, Research Assistant Professor of Computer Science, OGI
    NEW:  Protect Your Linux Host with StackGuard'd Programs  :FREE
       http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/

                 Support Justice:  Boycott Windows 98
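The Tripwire counter-example above (an integrity checker that runs periodically, purely in user space, with no kernel hooks) as an added worked example. This is not code from the original post and not Tripwire's own code; the directory layout, file contents and the operator key are constructed for the demonstration. It records a keyed-independent content digest plus the attributes an intruder would have to forge, seals the baseline database with an HMAC so that altering the files and then rewriting the database is not a silent operation, and reports added, removed and modified files on the next run.

```python
"""Minimal Tripwire-style file-integrity checker, entirely in user space.

Added example: not from the original post and not Tripwire itself.
All paths, contents and the key below are constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import shutil
import stat
import tempfile

HASH = "sha256"


def _digest(path):
    """Stream a file through SHA-256 so large binaries don't land in RAM."""
    h = hashlib.new(HASH)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and record, per regular file, the content digest and the
    metadata a trojaned binary would have to reproduce (mode, owner, size).
    mtime is deliberately omitted: an attacker can reset it with touch."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices are out of scope here
            rel = os.path.relpath(path, root)
            entries[rel] = {
                "sha256": _digest(path),
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "size": st.st_size,
            }
    return entries


def seal(entries, key):
    """Serialize the baseline and attach an HMAC over it.  Without this an
    intruder who replaces /bin/ls can simply re-run the baseline step."""
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, HASH).hexdigest()
    return body, tag


def unseal(body, tag, key):
    """Reject a baseline whose HMAC does not verify under the operator key."""
    expected = hmac.new(key, body, HASH).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline database failed integrity check")
    return json.loads(body)


def compare(baseline, current):
    """Return (added, removed, modified) as sets of relative paths."""
    old, new = set(baseline), set(current)
    added = new - old
    removed = old - new
    modified = {p for p in old & new if baseline[p] != current[p]}
    return added, removed, modified


def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, re-check."""
    key = b"operator-held key, kept off the monitored host"  # constructed
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "etc", "hosts"), "wb") as f:
            f.write(b"127.0.0.1 localhost\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"#!/bin/sh\necho ls\n")

        body, tag = seal(build_baseline(root), key)  # first (trusted) run

        # Intruder: same-size edit to bin/ls (size alone would not catch
        # it), drop etc/hosts, and plant a hidden file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"#!/bin/sh\necho LS\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"payload\n")

        baseline = unseal(body, tag, key)  # second (periodic) run
        return compare(baseline, build_baseline(root))
    finally:
        shutil.rmtree(root)


def tampered_db_rejected():
    """Show that editing the stored database without the key is detected."""
    key = b"k"  # constructed
    body, tag = seal({"bin/ls": {"sha256": "aaaa"}}, key)
    forged = body.replace(b'"aaaa"', b'"bbbb"')
    try:
        unseal(forged, tag, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("added/removed/modified:", demo())
    print("forged database rejected:", tampered_db_rejected())
```

The whole thing is an ordinary process run from cron, which is exactly the "slow IDS, no kernel mods" shape: it will not see an attack in progress, but it needs nothing from the kernel beyond stat() and read(). The obvious operational caveat is that the sealed baseline and the key must live where root on the monitored host cannot write them (read-only media or another machine); otherwise an intruder with root simply re-seals after the fact.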
