Re: Looking for Host Based IDS

From: Martin Tomasek (mtd@mk.cvut.cz)
Date: 12/23/01


Date: Sun, 23 Dec 2001 00:04:55 +0100
From: Martin Tomasek <mtd@mk.cvut.cz>
To: focus-ids@securityfocus.com


Oliver Petruzel wrote:

.
.
.

> The key in deciding your HIDS is in the decision to move toward a
> heuristic or preventative product, or continuing to monitor (fulltime!
> Ack!) the same old log-mining, or signature-based products. The future
> in HIDS is truly with PROACTIVE PREVENTION. That said, Entercept,
> Okena, and Dragon are all a step in the right direction. Each can
> rightfully claim to have prevented known exploits BEFORE they were even
> known... Most of the solutions mentioned thus far during the thread do
> not meet my standards for a "next generation HIDS" and do nothing but
> increase staffing requirements and workload...

.
.
.

> (on a side note, please switch your sunos/solaris 8 to Trusted Solaris
> won't ya? Sheesh... Ever heard of SecureLinux?... Ok, maybe later...)
>

You posted this as a reply to Sasha's post about medusa, so I'll write
some more info on it here:

Medusa is a Linux kernel security patch with a userspace authorisation
daemon. It is fully configurable and primarily designed to harden the normal
Linux security model. Medusa can be set to watch for reading/writing/... of
some files, or for the use of syscalls with some parameters, and as a result
you can, for example, log all following actions of the process, change its
privileges, or kill it.

If you pass the logs through, for example, logcheck, you have a proactive
HIDS with minimal effort.

-- 
Martin Tomasek
mtd at email dot cz, pgp/gnupg encrypted mail preferred. keyid 27B7AEAA,
key fingerprint F973 61D2 F062 D789 CEBE DFF8 CD62 AA1A 27B7 AEAA