OSEC

From: John (johnsTAMPABAY.RR.COM)
Date: Fri Apr 06 2001 - 02:22:16 CDT


    A few associates and I were attempting to do the exact idea
    you described below, but had other projects and/or work so the
    project kind of faded away :/ I think a good idea would have
    been for the IDS to firewall the attacker and alert the admin.
    There are a few problems with this. If it simply detected a
    string of shellcode, that would not be efficient enough as there
    might be an occurrence of the string /bin/sh in the traffic, say
    POP traffic. I would still employ these means, but I know others
    would probably stay away from it in a production environment.

    Kevin D wrote:
    >
    > ----- Original Message -----
    > From: "Jon Gary" <jgaryCLICKTOSECURE.COM>
    >
    > > Many hackers are getting sick of
    > > giving away the "keys to the kingdom" as it were, and would rather keep
    > > the vulnerabilities to themselves.
    >
    > This is the root of the problem (no pun intended ;)
    > What I suggest is that we build IDS's to do what we human beings would do -
    > examine the system for changes, check all the logs, and report possible
    > findings to the network administrator. This "artificially intelligent" IDS
    > would obviously never be as good as having a real human being monitoring the
    > system, but it would have the advantage of being able to keep an eye on
    > everything, all the time - no human can do that.
    >
    > Let's say, for example, that a user cracks your system, and executes /bin/sh
    > as root. The IDS could take notice of this, but not necessarily report it -
    > it could just be the system administrator logging in to make changes.
    > However, the IDS then traces the IP address of the user. If the IDS finds
    > that this IP is not an approved administrator's IP, it could log off the
    > user and report to the administrator. Or, it could just log all of the
    > actions of the user, and report those to the administrator. Granted, there
    > are inherent difficulties in writing an IDS that can do what I've described,
    > but it does seem within the realm of the possible.
    >
    > Now, imagine combining this AI-type of approach with a signature-based
    > approach. However, broaden the signatures to include possible or probable
    > attacks, instead of known attacks. Your IDS could flag a possible attack,
    > and then watch the user's actions to determine if it is an actual attack. I
    > understand that the scenarios for an actual attack are countless, but system
    > admins could write custom scenarios that pertain to their particular
    > topology.
    >
    > Does this make sense?
    >
    > Kevin
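As an added illustration of the two approaches argued over in this thread (not code from either poster), the toy sketch below runs a bare "/bin/sh" string signature over constructed sample traffic, showing the POP false positive John raises, and then applies the correlation Kevin describes: a signature hit only becomes an alert when the host also records a root shell from a source address that is not on an assumed approved-administrator list. All addresses, payloads and events are constructed sample values.

```python
"""Toy IDS sketch: string signature alone vs. signature + host correlation.

All data below is constructed sample input, not captured traffic.
"""
from dataclasses import dataclass

# Assumed approved administrator source addresses (constructed).
APPROVED_ADMIN_IPS = {"10.0.0.5"}

# Constructed network payloads as (source IP, dest port, bytes).
# The POP3 mail body legitimately mentions /bin/sh, which a pure
# string signature cannot distinguish from an attack.
PAYLOADS = [
    ("10.0.0.5", 110, b"RETR 1\r\n...just run /bin/sh before the script...\r\n"),
    ("203.0.113.7", 80, b"GET /index.html?x=/bin/sh HTTP/1.0\r\n"),
]


@dataclass
class ExecEvent:
    """Constructed host-side record: who spawned what, from where."""
    src_ip: str
    uid: int
    path: str


HOST_EVENTS = [
    ExecEvent("10.0.0.5", 0, "/bin/sh"),     # approved admin logging in as root
    ExecEvent("203.0.113.7", 0, "/bin/sh"),  # root shell from an unknown source
]


def signature_alerts(payloads):
    """Naive approach: flag any payload that contains the string /bin/sh."""
    return [src for src, _port, data in payloads if b"/bin/sh" in data]


def correlated_alerts(payloads, events, approved=APPROVED_ADMIN_IPS):
    """Treat a signature hit as a *possible* attack, then confirm it only if
    the host saw /bin/sh run as root from a source not in the approved set."""
    suspects = set(signature_alerts(payloads))
    return sorted(
        e.src_ip for e in events
        if e.src_ip in suspects and e.uid == 0 and e.path == "/bin/sh"
        and e.src_ip not in approved
    )


if __name__ == "__main__":
    print("signature only:", signature_alerts(PAYLOADS))
    print("correlated:    ", correlated_alerts(PAYLOADS, HOST_EVENTS))
```

The signature-only pass flags both sources, including the harmless POP session; the correlated pass keeps only the root shell from the unapproved address.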