Re: *ICN - A Conspiracy of Inertia?

From: Nick Lange (nicklange@wi.rr.com)
Date: 03/20/02


From: "Nick Lange" <nicklange@wi.rr.com>
To: "Kerberus" <kerberus@microbsd.net>
Date: Wed, 20 Mar 2002 00:16:19 -0600

Hi everyone,
Alright, this is rather amusing. I've been sitting here on my arse for a
long time now musing over apparently the same ideas. And I think others have
as well, but I'd like to check to make sure I'm on the right track here.

So their software basically is a trend-based IDS? That is, something [traffic
levels or content] breaks the trend beyond certain parameters and the kernel
is told to cut out said behaviour? What could be special are the equations
used to determine sketchy activity. But I doubt it. If this guy is training
based on traffic patterns, what he doesn't realize is that over time the
amount of data is ENORMOUS... anyways, before I take the time to write all my
thoughts down I suppose I should make sure I'm on the right track.
This really isn't a new idea; if I wasn't so damn lazy and maybe if I was a
graduate student this could have been up for debate a looong time ago
instead of someone claiming a cure-all.

Cheers to anyone who has more detailed information on how this works, but
chances are it is not a cure-all, and the question remains to be seen if a
large-scale deployment of this area of IDS would be more cost effective than
paying lots of admins.

Cheers,
nick
----- Original Message -----
From: "Kerberus" <kerberus@microbsd.net>
To: "Benninghoff, John" <John.Benninghoff@Rbcdain.com>
Cc: <falcon@cybersecret.com>; <focus-ids@securityfocus.com>
Sent: Tuesday, March 19, 2002 19:21
Subject: RE: *ICN - A Conspiracy of Inertia?

> Bingo!! I've been running this software for a couple of weeks now, and
> also watching this thread with slight amusement. After speaking with the
> founders of Cylant and their technical people a couple weeks back, and
> helping to debug some of the issues I've come across, I would have to say
> after a period of measurement on a mail server and a DNS server I
> tested the software and it did detect anomalous activity generated by
> myself! Though it seems to measure the activities occurring during a
> "learning" or "recording" phase. Basically there is a set of kernel
> patches located on SourceForge for Linux and FreeBSD, also OpenBSD, and
> with some tweaking and rebuilding, seeing as I refused to run a kernel
> built by someone other than me, I did get the system running. Basically
> these kernel patches add what appear to be watch points at the kernel
> level and interact with the monitoring software! Overall, conceptually
> it's good for limited host-based server IDS, i.e. mail, DNS, web, and only
> after a long period of time of recording what appears to be valid
> activity. Now I wonder: I build a web server, load the software, let it
> run for say a week in record mode, then put it on the wire. What are my
> results? So as to say the software does its job, but it only detects
> activity it's never seen before! I guess I'm a bit ahead of the curve
> here. I'd also like to see others' results if in fact anyone else has
> tried this software.
>
> On Tue, 2002-03-19 at 17:45, Benninghoff, John wrote:
> > After some research, I found the following paper:
> > http://www.cylant.com/whitepapers/acsac-2001.pdf. Apparently, the technology
> > described in the article has made its way into Cylant's CylantSecure
> > (http://www.cylant.com/products/cylantsecure.html) product.
> >
> > I couldn't find much else relating to the product, but I did find a
> > reported vulnerability;
> > http://online.securityfocus.com/archive/1/194287
> >
> > What little I've read so far looks interesting, but I remain skeptical
> > of its use in real-world installations (though Cylant does offer an
> > evaluation copy). I certainly wouldn't classify it as a "magic bullet" that
> > will fix all security problems.
> >
>
>
>
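The thread describes a host IDS that first "records" what a server does and then flags activity it has never seen. The following is an added illustration of that record-then-detect idea written for this page; it is not CylantSecure's code nor the kernel patches Kerberus mentions. The event names, the sample traces, the window length `NGRAM_LEN` and the `threshold` are all constructed assumptions chosen for the demo.

```python
# Added illustration of a "record, then detect" host behaviour profile, in the
# spirit of the learning/recording phase described in the thread. Constructed
# example code, not Cylant's; event names, traces, window length and threshold
# are assumptions for the demo.
from collections import Counter

NGRAM_LEN = 3  # assumed window size; short windows keep the profile small


def ngrams(events, n=NGRAM_LEN):
    """Slide a window of n consecutive events over a trace."""
    return [tuple(events[i:i + n]) for i in range(len(events) - n + 1)]


class BehaviorProfile:
    """Baseline of event windows seen while the host was in 'record' mode."""

    def __init__(self, n=NGRAM_LEN):
        self.n = n
        self.seen = Counter()  # window -> how often it occurred during recording

    def record(self, trace):
        """Learning phase: every window in the trace becomes 'known good'."""
        for window in ngrams(trace, self.n):
            self.seen[window] += 1

    def score(self, trace):
        """Detection phase: fraction of windows the profile has never seen."""
        windows = ngrams(trace, self.n)
        if not windows:
            return 0.0
        unseen = sum(1 for w in windows if w not in self.seen)
        return unseen / len(windows)

    def is_anomalous(self, trace, threshold=0.2):
        """Flag a trace once its unseen fraction exceeds the tolerance."""
        return self.score(trace) > threshold


# Constructed sample traces for a mail daemon (hypothetical event names, not
# real audit data). Each trace stands for the per-process event sequence a
# kernel watch point might report to the monitor.
BASELINE_TRACES = [
    ["accept", "read", "stat", "open", "write", "close", "write"],
    ["accept", "read", "stat", "open", "write", "close", "write"],
    ["accept", "read", "stat", "open", "write", "close", "write", "accept", "read"],
]
NORMAL_TRACE = ["accept", "read", "stat", "open", "write", "close", "write"]
SUSPECT_TRACE = ["accept", "read", "fork", "execve", "dup2", "connect"]
NEW_LEGIT_TRACE = ["accept", "read", "stat", "unlink", "write"]  # valid, never recorded


def build_profile():
    """Run the recording phase over the baseline traces and return the profile."""
    profile = BehaviorProfile()
    for trace in BASELINE_TRACES:
        profile.record(trace)
    return profile


if __name__ == "__main__":
    profile = build_profile()
    print("distinct windows retained:", len(profile.seen))
    for name, trace in [("normal", NORMAL_TRACE), ("suspect", SUSPECT_TRACE),
                        ("new but legitimate", NEW_LEGIT_TRACE)]:
        print(f"{name:20s} score={profile.score(trace):.2f} "
              f"anomalous={profile.is_anomalous(trace)}")
```

The third trace shows the limitation the thread points at: anything absent from the recording window is flagged whether it is an intrusion or a new legitimate code path, so the recording period has to cover the real workload before the monitor goes on the wire. Note also what the profile stores: in this toy it keeps distinct windows (seven for 25 recorded events), so the retained baseline grows with the variety of behaviour rather than with raw event volume.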


