Re: new intrusion detection system

From: Brian Barto (bartobri_at_comcast.net)
Date: Tue, 19 Oct 2004 17:43:43 -0400
To: Tomas Pluskal <plusik@pohoda.cz>


Very interesting stuff. Certainly worth more investigation.

Something occurred to me while I read your thesis. Thought maybe it was
worth a mention. The TTL (time to live) could potentially cause the IDS
module to be easily beaten. An attack could begin and immediately go
into a sleep state with the intent to expire the TTL, later resuming
with its actions going unnoticed.

I hope to see more on this. I think it is a very creative and useful
idea.

Thanks,
Brian

On Oct 19, 2004, at 7:36 AM, Tomas Pluskal wrote:

>
> Hello to all,
>
> I have implemented a new type of intrusion detection system for my
> Master's thesis. I would like to announce this information, in case
> anyone would be interested in this research.
>
> The IDS system is designed as a kernel module for FreeBSD 5.2. It is
> inspired by the SpamAssassin program, which detects spam by applying a
> set of tests to every email message and summing the point scores
> generated by each test. My IDS system applies a set of tests to every
> running process in the OS and sums the score generated by the tests.
> Therefore, the purpose of the IDS is not to monitor the network
> traffic, but rather to monitor the process activity.
>
> The current system status is a "working prototype" - it is not ready
> for production usage, but it may serve as a good base for
> interesting research.
>
> If you are interested in this topic, please read the details here:
> http://plusik.pohoda.cz/thesis/
>
> Thanks,
>
> Tomas
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"
>
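
The evasion Brian describes, worked through as an added illustration. This is not code from the thesis or from anyone on the list; the thesis's actual scoring semantics are not on this page, so the model below (each triggered test adds points that expire after a fixed TTL, a process is flagged when the live sum crosses a threshold), the point values, the threshold of 10 and the TTL of 60 seconds are all assumptions. The event sequences are constructed for the example.

```c
/* Added illustration of TTL evasion against a SpamAssassin-style per-process
 * scorer. Assumed model: every test hit adds points that expire TTL seconds
 * later; the process is flagged when the sum of unexpired points reaches a
 * threshold. Not the thesis's kernel code. */
#include <stdio.h>

#define MAX_HITS  64
#define THRESHOLD 10     /* assumed */
#define TTL       60     /* assumed, seconds */

typedef struct {
    int  points;
    long expires_at;     /* absolute time after which the hit no longer counts */
} hit_t;

typedef struct {
    hit_t hits[MAX_HITS];
    int   n;
} process_score_t;

typedef struct {
    long t;              /* time of the suspicious action, seconds */
    int  points;         /* points the matching test awards */
} event_t;

/* Record a test hit on the process at time now; it lives for ttl seconds. */
static void record_hit(process_score_t *p, int points, long now, long ttl)
{
    if (p->n < MAX_HITS) {
        p->hits[p->n].points = points;
        p->hits[p->n].expires_at = now + ttl;
        p->n++;
    }
}

/* TTL score: sum of hits that have not yet expired at time now. */
static int score_ttl(const process_score_t *p, long now)
{
    int s = 0;
    for (int i = 0; i < p->n; i++)
        if (p->hits[i].expires_at > now)
            s += p->hits[i].points;
    return s;
}

/* Lifetime score: every hit counts for the life of the process. Shown only as
 * one possible contrast to the TTL model; it trades TTL evasion for false
 * positives on long-lived processes. */
static int score_lifetime(const process_score_t *p)
{
    int s = 0;
    for (int i = 0; i < p->n; i++)
        s += p->hits[i].points;
    return s;
}

/* Replay an event sequence, evaluating the TTL score after each event as the
 * IDS would; return the peak score seen and (optionally) the final state. */
static int replay_peak_ttl(const event_t *ev, int n, long ttl, process_score_t *out)
{
    process_score_t p = {0};
    int peak = 0;
    for (int i = 0; i < n; i++) {
        record_hit(&p, ev[i].points, ev[i].t, ttl);
        int s = score_ttl(&p, ev[i].t);
        if (s > peak)
            peak = s;
    }
    if (out)
        *out = p;
    return peak;
}

/* Constructed sequences: the same three suspicious actions, 4 points each. */
static const event_t burst[]   = { {0, 4}, {1, 4},   {2, 4}   }; /* back to back */
static const event_t patient[] = { {0, 4}, {100, 4}, {200, 4} }; /* sleeps > TTL */

int burst_detected(void)          { return replay_peak_ttl(burst,   3, TTL, NULL) >= THRESHOLD; }
int patient_detected_ttl(void)    { return replay_peak_ttl(patient, 3, TTL, NULL) >= THRESHOLD; }
int patient_detected_lifetime(void)
{
    process_score_t p;
    replay_peak_ttl(patient, 3, TTL, &p);
    return score_lifetime(&p) >= THRESHOLD;
}

int main(void)
{
    printf("burst, TTL score:      %s\n", burst_detected()            ? "flagged" : "missed");
    printf("patient, TTL score:    %s\n", patient_detected_ttl()      ? "flagged" : "missed");
    printf("patient, lifetime sum: %s\n", patient_detected_lifetime() ? "flagged" : "missed");
    return 0;
}
```

Run with `cc -o ttl_evasion ttl_evasion.c && ./ttl_evasion`. The burst reaches 12 points at t=2 and is flagged; the patient sequence never holds more than 4 live points because each earlier hit has expired by the time the next action happens, so it is missed, which is exactly the sleep-past-the-TTL attack. The lifetime sum flags it, but only because it never forgets anything, so whether it is acceptable depends on how the tests behave on long-lived, legitimately busy processes.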
