RE: *ICN - A Conspiracy of Inertia?

From: Kerberus (kerberus@microbsd.net)
Date: 03/20/02


From: Kerberus <kerberus@microbsd.net>
To: "Benninghoff, John" <John.Benninghoff@Rbcdain.com>
Date: 19 Mar 2002 20:21:40 -0500

Bingo!! I've been running this software for a couple of weeks now, and
also watching this thread with slight amusement. After speaking with the
founders of Cylant and their technical people a couple of weeks back, and
helping to debug some of the issues I've come across, I would have to say,
after a period of measurement on a mail server and a DNS server, I
tested the software and it did detect anomalous activity generated by
myself! Though it seems to measure the activities occurring during a
"learning" or "recording" phase.

Basically there is a set of kernel patches located on SourceForge for
Linux and FreeBSD, also OpenBSD, and with some tweaking and rebuilding,
seeing as I refused to run a kernel built by someone other than me, I
did get the system running. Basically these kernel patches add what
appear to be watch points at the kernel level and interact with the
monitoring software! Overall, conceptually it's good for limited
host-based server IDS, i.e. mail, DNS, web, and only after a long period
of time of recording what appears to be valid activity.

Now I wonder: I build a web server, load the software, let it run for
say a week in record mode, then put it on the wire. What are my results?
So as to say, the software does its job, but it only detects activity
it's never seen before! I guess I'm a bit ahead of the curve here. I'd
also like to see others' results if in fact anyone else has tried this
software.

On Tue, 2002-03-19 at 17:45, Benninghoff, John wrote:
> After some research, I found the following paper: http://www.cylant.com/whitepapers/acsac-2001.pdf. Apparently, the technology described in the article has made its way into Cylant's CylantSecure (http://www.cylant.com/products/cylantsecure.html) product.
>
> I couldn't find much else relating to the product, but I did find a reported vulnerability:
> http://online.securityfocus.com/archive/1/194287
>
> What little I've read so far looks interesting, but I remain skeptical of its use in real-world installations (though Cylant does offer an evaluation copy). I certainly wouldn't classify it as a "magic bullet" that will fix all security problems.
>

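The learn-then-detect model described in the post above, as an added example that is not part of the thread and is not Cylant's code: the post does not say how CylantSecure builds its profile, so this toy uses the classic syscall n-gram approach (record every short sequence of kernel calls seen during a "recording" phase, flag sequences never seen once the profile is frozen). The traces, the window length, the threshold and all function names (SyscallProfile, build_profile, is_anomalous) are constructed assumptions, not captured kernel watchpoint data. It also shows the two failure modes the post hints at: benign work that never ran during the recording window is flagged, and an attack that happened during the recording window is learned as normal.

```python
"""Toy learn-then-detect host anomaly detector (added example).

Not Cylant's code and not from the original post: it mimics the
recording-then-detection model using syscall n-grams. All traces,
names and the threshold below are constructed assumptions.
"""
from collections import Counter

WINDOW = 3  # n-gram length; an assumption, real systems tune this


class SyscallProfile:
    """Multiset of syscall n-grams observed during the learning phase."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.counts = Counter()

    def _ngrams(self, trace):
        for i in range(len(trace) - self.window + 1):
            yield tuple(trace[i:i + self.window])

    def record(self, trace):
        """Learning phase: everything seen here becomes 'normal'."""
        for gram in self._ngrams(trace):
            self.counts[gram] += 1

    def score(self, trace):
        """Detection phase: return the fraction of n-grams never seen
        while learning, plus those n-grams themselves for the analyst."""
        grams = list(self._ngrams(trace))
        if not grams:
            return 0.0, []
        unseen = [g for g in grams if g not in self.counts]
        return len(unseen) / len(grams), unseen


def build_profile(traces, window=WINDOW):
    """Run the 'recording' phase over a list of traces and freeze it."""
    profile = SyscallProfile(window)
    for trace in traces:
        profile.record(trace)
    return profile


def is_anomalous(profile, trace, threshold=0.25):
    """Flag a trace when more than `threshold` of its n-grams are unseen."""
    fraction, _ = profile.score(trace)
    return fraction > threshold


# Constructed sample traces (syscall names only; not a real capture).
NORMAL_TRACES = [
    # mail delivery: accept a connection, read the message, spool it
    ["socket", "accept", "read", "read", "open", "write", "close", "write", "close"],
    ["socket", "accept", "read", "read", "open", "write", "close", "write", "close"],
    # MX lookup over UDP
    ["socket", "sendto", "recvfrom", "close"],
]
# accept, then exec a shell that dials back out: never seen while learning
ATTACK_TRACE = ["socket", "accept", "read", "execve", "dup2", "socket", "connect"]
# benign log rotation that simply never ran during the recording window
LOGROTATE_TRACE = ["open", "read", "rename", "open", "write", "close"]


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    for name, trace in [("normal", NORMAL_TRACES[0]),
                        ("attack", ATTACK_TRACE),
                        ("logrotate", LOGROTATE_TRACE)]:
        fraction, unseen = profile.score(trace)
        print(f"{name:10s} unseen={fraction:.2f} "
              f"flagged={is_anomalous(profile, trace)} {unseen}")

    # The catch raised in the post: anything recorded during learning is
    # treated as normal, including an attack that happened during it.
    poisoned = build_profile(NORMAL_TRACES + [ATTACK_TRACE])
    print("attack after poisoned learning flagged:",
          is_anomalous(poisoned, ATTACK_TRACE))
```

With the constructed traces the attack scores 0.8 unseen and the never-exercised log rotation scores 0.75, so both are flagged: the detector cannot tell "new attack" from "new but legitimate", which is why the post's "put it on the wire after a week" plan depends on how complete that week's activity was. Recording the attack during learning drops its score to 0.0.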

