Re: Rooted

From: Bit Twister (BitTwister@localhost.localdomain)
Date: 04/21/03


From: Bit Twister <BitTwister@localhost.localdomain>
Date: Mon, 21 Apr 2003 00:33:34 GMT

On Sun, 20 Apr 2003 23:16:03 GMT, notbob wrote:
>
> I once began reading an article on using cvs as an IDS. I've since
> lost it. Do you have any leads where I might find it?

Why sure, http://www.google.com cvs ids group:*linux* in the search box
Results 1 - 10 of about 87,400. Search took 0.19 seconds.

What a question :) Your turn, what color am I thinking about?

> Also, what's your opinion of snare?
>
> http://www.intersectalliance.com/projects/Snare/

Could not say. Never looked at the source code.

The conversation was about the fact that you cannot use
tools running on a cracked box to figure out that you're cracked.

Snare is a loadable module, i.e. you can unload it, and load your
own copy. In the end it boils down to the human. Look at the talent
in operations and what can happen.

You crack a box, and install a rootkit which knocks down the
interfaces, installs malware code which erases the outage
information and brings the interfaces back up. Malware appends
to current logs instead of opening new logs.

Now operations think they had a glitch and all looks good. Logs on the
box do not show they went down. Shucks, musta been a router card.
They open a ticket for network.
Network checks the cards sometime during the next day. Not a problem
now.

Shucks I do not even trust my own firewall. I have xconsole
tailing -f back to the top of my screen on the inside box
and a tail -f /var/log/messages to yet another terminal.

I have a separate browser account. When I logout .bash_logout
removes everything and tars in a new copy.
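The point of tailing the logs to a separate inside box is that the copy received there in real time is the one the cracked box cannot rewrite. The following script is an added example (not code from the thread or from any of the tools mentioned): it takes two constructed syslog samples, one as received off-box and one as the log now reads on the box after the outage lines were erased and later lines appended, and reports both the lines that vanished on-box and any unusually long silence in the on-box copy. The log lines, host name "fw", and the 300-second gap threshold are all assumptions for the sake of the demonstration.

```python
"""Check an on-box syslog copy against the copy forwarded to a separate box.

Added example, not from the original thread. Both samples are constructed.
"""
from collections import Counter
from datetime import datetime

# Constructed sample: lines as they arrived on the separate inside box
# (e.g. via tail -f over the network or syslog forwarding). Nothing on the
# monitored box can retroactively edit this copy.
OFFBOX_LOG = """\
Apr 20 22:58:01 fw kernel: eth0: link up
Apr 20 23:01:14 fw sshd[812]: Accepted password for admin from 10.0.0.5
Apr 20 23:01:20 fw kernel: eth0: link down
Apr 20 23:01:21 fw kernel: eth1: link down
Apr 20 23:04:40 fw kernel: eth0: link up
Apr 20 23:04:41 fw kernel: eth1: link up
Apr 20 23:08:02 fw cron[901]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Constructed sample: the same log as /var/log/messages now reads on the box
# itself after the scenario in the post: the outage lines are gone and later
# lines were appended to the existing file as if nothing had happened.
ONBOX_LOG = """\
Apr 20 22:58:01 fw kernel: eth0: link up
Apr 20 23:01:14 fw sshd[812]: Accepted password for admin from 10.0.0.5
Apr 20 23:08:02 fw cron[901]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_syslog_time(line, year=2003):
    """Parse the classic 'Mon DD HH:MM:SS' prefix; syslog has no year, so one is assumed."""
    stamp = line[:15]
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def missing_on_box(offbox, onbox):
    """Return off-box lines absent from the on-box copy, in arrival order.

    A multiset comparison, so a line that legitimately repeats N times
    off-box must also appear N times on-box to count as present.
    """
    remaining = Counter(onbox.splitlines())
    missing = []
    for line in offbox.splitlines():
        if remaining[line] > 0:
            remaining[line] -= 1
        else:
            missing.append(line)
    return missing


def suspicious_gaps(log, max_gap_seconds):
    """Return (previous_line, next_line, seconds) for consecutive entries farther
    apart than max_gap_seconds; a long silence on an otherwise chatty box is one
    sign that entries were removed."""
    lines = log.splitlines()
    gaps = []
    for prev, nxt in zip(lines, lines[1:]):
        delta = (parse_syslog_time(nxt) - parse_syslog_time(prev)).total_seconds()
        if delta > max_gap_seconds:
            gaps.append((prev, nxt, delta))
    return gaps


if __name__ == "__main__":
    for line in missing_on_box(OFFBOX_LOG, ONBOX_LOG):
        print("erased on box:", line)
    for prev, nxt, secs in suspicious_gaps(ONBOX_LOG, 300):
        print(f"{secs:.0f}s silence between:\n  {prev}\n  {nxt}")
```

The comparison only has teeth if the off-box copy is written somewhere the monitored host has no credentials for; if the receiving box trusts the sender enough to let it truncate or rewrite the file, you are back to reading the cracked box's own story.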


