IDS mailing list archives
Re: Host Based IDS Recommendations
From: Krzysztof Zaraska <kzaraska () student uci agh edu pl>
Date: Thu, 25 Dec 2003 16:21:37 +0100 (CET)
On Sat, 20 Dec 2003, Maarten Van Horenbeeck wrote:
> While a different approach, many host-based Intrusion Prevention Systems also generate an important deal of logging which is extremely useful from an HID point of view. On many systems, I tend to run software such as the grsecurity patches (on Linux kernels), which can be configured in such a way as to log a syslog event on somewhat suspicious traffic. An example:
>
>   Dec  3 05:05:11 shiva kernel: grsec: attempted resource overstep by requesting 1024 for RLIMIT_NOFILE against limit 1024 by (initlog:27874) UID(0) EUID(0), parent (S55sshd:15305) UID(0) EUID(0)
>
> You will have to write some custom log parsers yourself, and develop a secure log transportation mechanism, as syslog may become unreliable immediately after compromise, before these log entries are actually of use.
No need to reinvent the wheel, as that's an exact description of the functionality we've had in Prelude for almost two years now :-) Prelude LML can parse logs based on regexp-based rulesets (grsec ruleset written by the grsec author himself), create messages in a common format and send them over an SSL'd link to a remote host. Oh, and it can run as a syslog server as well, not only read the local files...

// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// http://mops.uci.agh.edu.pl/~kzaraska/ * http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
// -- Stanislaw Lem
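To make concrete what both posters describe (a regexp ruleset matched against syslog lines, producing a record in a common format that can then be shipped off-host), here is an added example written for this page. It is not Prelude LML code and not the grsec ruleset mentioned above. The only message format it takes from the thread is the RLIMIT "resource overstep" line quoted by Maarten; the catch-all rule for other "grsec:" messages, the severity labels, the field names of the normalized record, and the second and third sample log lines are constructed assumptions for the demonstration. Shipping the serialized records over a TLS connection is left out so the block runs offline.

```python
"""Regex-ruleset parser for grsecurity syslog lines.

Added example for this thread; not Prelude LML code and not the grsec ruleset.
It turns a raw syslog line into a normalized event dict, the "common format"
step that a transport (e.g. an SSL'd link to a collector) would then carry.
"""
import json
import re
from typing import Dict, Iterable, List, Optional

# Generic BSD syslog prefix: "Mon dd hh:mm:ss host tag: message".
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<tag>[^:\s]+):\s+(?P<msg>.*)$"
)

# Ruleset: (rule name, severity, compiled regex over the message body).
# The first rule is derived from the RLIMIT line quoted in the thread. The
# catch-all is an assumption: it keeps other grsec: messages from being
# silently dropped, which matters far more than missing a field.
RULES = [
    (
        "grsec_resource_overstep",
        "medium",
        re.compile(
            r"^grsec: attempted resource overstep by requesting (?P<requested>\d+) "
            r"for (?P<resource>RLIMIT_[A-Z_]+) against limit (?P<limit>\d+) by "
            r"\((?P<comm>[^:()]+):(?P<pid>\d+)\) UID\((?P<uid>\d+)\) EUID\((?P<euid>\d+)\), "
            r"parent \((?P<pcomm>[^:()]+):(?P<ppid>\d+)\) UID\((?P<puid>\d+)\) EUID\((?P<peuid>\d+)\)$"
        ),
    ),
    ("grsec_unclassified", "low", re.compile(r"^grsec: (?P<detail>.+)$")),
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a normalized event for a grsec line, or None if no rule matches."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    body = m.group("msg")
    for name, severity, rx in RULES:
        r = rx.match(body)
        if not r:
            continue
        # Numeric captures become ints so downstream thresholds can compare them.
        fields = {k: (int(v) if v.isdigit() else v) for k, v in r.groupdict().items()}
        return {
            "rule": name,
            "severity": severity,
            "timestamp": f'{m.group("month")} {int(m.group("day")):02d} {m.group("time")}',
            "host": m.group("host"),
            "source": m.group("tag"),
            # A root process tripping a kernel check is worth flagging explicitly.
            "privileged": fields.get("euid") == 0,
            "fields": fields,
            "raw": line.strip(),
        }
    return None


def parse_stream(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Run the ruleset over many lines, keeping only the ones that matched."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def to_wire(events: List[Dict[str, object]]) -> bytes:
    """Serialize events as newline-delimited JSON, the payload a TLS link would carry."""
    return b"".join(json.dumps(e, sort_keys=True).encode() + b"\n" for e in events)


# Constructed sample input: line 1 is the grsec line quoted in the thread
# (with syslog's two-space day padding); lines 2 and 3 are made up for the test.
SAMPLE_LOG = [
    "Dec  3 05:05:11 shiva kernel: grsec: attempted resource overstep by requesting 1024 "
    "for RLIMIT_NOFILE against limit 1024 by (initlog:27874) UID(0) EUID(0), "
    "parent (S55sshd:15305) UID(0) EUID(0)",
    "Dec  3 05:05:12 shiva sshd[15305]: constructed non-grsec line, should be ignored",
    "Dec  3 05:06:00 shiva kernel: grsec: constructed unclassified message for the catch-all rule",
]

if __name__ == "__main__":
    for ev in parse_stream(SAMPLE_LOG):
        print(ev["rule"], ev["host"], ev["fields"])
```

The point of the `fields` dict is that a collector can alert on structured values (for example, `requested >= limit` from a process whose `euid` is 0) instead of re-matching free text; the `raw` line is kept alongside so the original evidence is never lost in normalization.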
Current thread:
- RE: Host Based IDS Recommendations mbateman (Dec 18)
- <Possible follow-ups>
- Re: Host Based IDS Recommendations Maarten Van Horenbeeck (Dec 22)
- Re: Host Based IDS Recommendations Krzysztof Zaraska (Dec 29)