Re: HIDS - new technologies ?
From: roy lo (roylo@sr2c.com)
Date: 07/12/02
- Previous message: Martin Tomasek: "Re: HIDS - new technologies ?"
- In reply to: Kunal Rupera: "HIDS - new technologies ?"
- Next in thread: Muhammad Faisal Rauf Danka: "Re: HIDS - new technologies ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 11 Jul 2002 19:05:11 -0700 From: roy lo <roylo@sr2c.com> To: kunal@geosofttech.net
One of my old friends did a Linux kernel module to intercept various
system calls a few years ago while we were in college.
And I think LIDS (http://www.lids.org/) does something in a similar way
(not sure about it).
One thing for sure is that HIDS based on system calls has been around
for a while. (It ain't new at all.)
Kunal Rupera wrote:
> Hello everyone ..!
> Currently host-based intrusion detection systems usually consist of programs like Sentinel or Tripwire, which do file integrity checks using various checksumming algorithms. Now there are some new upcoming technologies like HIDS based on system calls.
> http://imsafe.sourceforge.net/ <---- to quote a very crude example.. something on these lines but not exactly the way imsafe functions. Now would it be possible to make a HIDS that is based on system calls? To cite an example, most Windows-based anti-viral programs hook the I/O calls and do not let an infected .exe get executed. So would it be possible to write a program which monitors for executable files and, when one is executed, checks if it contains "bad" signatures and allows or prevents that executable file from getting executed? {this applies to *nix platforms} So that exploits (mostly local root buffer overflows) can be prevented from running? .. Of course such HIDS systems would have the limitations that most NIDS systems have, e.g. encrypted payload, to cite one of them... etc.. but won't it be effective for most cases?
> Views/Flames/Ideas/Help/Links/Discussions, all welcome... :)..
>
> Kunal
> Unix System Administrator
> Sun Certified Solaris Administrator
>
--
Roy Lo
Freelance Consultant
E-mail - roylo@sr2c.com
Sun Certified Network Administrator for Solaris 8 (SCNA)
Sun Certified System Administrator for Solaris 8 (SCSA)
Cisco Certified Network Associate 2.0 (CCNA)
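The thread contrasts two HIDS approaches: Tripwire-style file integrity checks (a baseline of checksums) and an exec-time check that refuses to run a file carrying a "bad" signature. The following is an added user-space illustration of both combined into one exec-gating policy; it is not code from either poster, LIDS or imsafe. The deny patterns, file names and sample file contents are constructed placeholders for the example, not real signatures.

```python
import hashlib
import os
import tempfile

# Constructed placeholder byte patterns for this example. They are NOT real
# malware signatures, only strings the policy is told to deny.
DENY_PATTERNS = {
    "example-nop-sled": b"\x90" * 64,
    "example-marker": b"EXAMPLE_BAD_PATTERN",
}


def sha256_file(path):
    """Hash a file in chunks, as a Tripwire-style integrity checker would."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the trusted hash of each executable at baseline time."""
    return {os.path.realpath(p): sha256_file(p) for p in paths}


def check_integrity(path, baseline):
    """Compare a file against the baseline: 'ok', 'modified' or 'unknown'."""
    expected = baseline.get(os.path.realpath(path))
    if expected is None:
        return "unknown"
    return "ok" if sha256_file(path) == expected else "modified"


def scan_signatures(path, patterns=DENY_PATTERNS):
    """Return the names of all deny patterns found in the file's bytes.

    This is the part a packed or encrypted payload defeats, the same
    limitation the thread notes for signature-based NIDS.
    """
    with open(path, "rb") as f:
        data = f.read()
    return sorted(name for name, pat in patterns.items() if pat in data)


def exec_decision(path, baseline, patterns=DENY_PATTERNS):
    """Decide, at exec time, whether a file may run. Returns (decision, reason).

    Policy: any file carrying a deny pattern is blocked; a baselined file must
    still hash correctly (this catches a replaced binary even when the new
    contents match no pattern); files outside the baseline are allowed only
    when the signature scan is clean.
    """
    hits = scan_signatures(path, patterns)
    if hits:
        return "deny", "signature match: " + ", ".join(hits)
    state = check_integrity(path, baseline)
    if state == "modified":
        return "deny", "hash differs from baseline"
    if state == "unknown":
        return "allow", "not in baseline, signature scan clean"
    return "allow", "baseline hash verified"


def demo():
    """Create constructed sample files and return the decision for each."""
    with tempfile.TemporaryDirectory() as d:
        trusted = os.path.join(d, "trusted-tool")
        tampered = os.path.join(d, "tampered-tool")
        unknown_bad = os.path.join(d, "unknown-bad")
        unknown_ok = os.path.join(d, "unknown-ok")
        with open(trusted, "wb") as f:
            f.write(b"\x7fELF" + b"constructed benign body\n")
        with open(tampered, "wb") as f:
            f.write(b"\x7fELF" + b"constructed original body\n")
        baseline = build_baseline([trusted, tampered])
        # After the baseline is taken, the second binary is replaced in place.
        with open(tampered, "wb") as f:
            f.write(b"\x7fELF" + b"constructed replacement body\n")
        with open(unknown_bad, "wb") as f:
            f.write(b"\x7fELF" + b"padding " + DENY_PATTERNS["example-marker"])
        with open(unknown_ok, "wb") as f:
            f.write(b"\x7fELF" + b"constructed unlisted but clean body\n")
        return {
            "trusted": exec_decision(trusted, baseline),
            "tampered": exec_decision(tampered, baseline),
            "unknown_bad": exec_decision(unknown_bad, baseline),
            "unknown_ok": exec_decision(unknown_ok, baseline),
        }


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name}: {decision} ({reason})")
```

A user-space check like this is racy: the file can change between the scan and the actual execve, which is why Roy's friend's approach of hooking the system call in the kernel (and LIDS, as Roy mentions) does the check at the point of execution rather than before it. The hash comparison also shows why the integrity baseline matters alongside signatures: the replaced binary in the demo matches no pattern at all and is caught only because its hash no longer matches.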