Date: Tue, 19 Oct 2004 17:43:43 -0400
From: Brian Barto <bartobri@comcast.net>
To: Tomas Pluskal <plusik@pohoda.cz>
Cc: freebsd-security@freebsd.org
Subject: Re: new intrusion detection system
Message-ID: <F275E97D-2217-11D9-A30A-000A95886E00@comcast.net>
In-Reply-To: <20041019133439.X604@localhost>
References: <20041019133439.X604@localhost>
Very interesting stuff. Certainly worth more investigation.

Something occurred to me while I read your thesis. Though maybe it was worth a mention. The TTL (time to live) could potentially cause the IDS module to be easily beaten. An attack could begin and immediately go into a sleep state with the intent to expire the TTL, later resuming with its actions going unnoticed.

I hope to see more on this. I think it is a very creative and useful idea.

Thanks,
Brian

On Oct 19, 2004, at 7:36 AM, Tomas Pluskal wrote:

>
> Hello to all,
>
> I have implemented a new type of intrusion detection system for my
> Master thesis. I would like to announce this information, in case
> anyone would be interested in this research.
>
> The IDS system is designed as a kernel module for FreeBSD 5.2. It is
> inspired by the SpamAssassin program, which detects spam by applying a
> set of tests to every email message and counting a sum of point score
> generated by each test. My IDS system applies a set of tests to every
> running process in the OS and counts its score generated by the tests.
> Therefore, the purpose of the IDS is not to monitor the network
> traffic, but rather to monitor the process activity.
>
> The current system status is a "working prototype" - it is not ready
> for production usage, but it may serve as a good base for an
> interesting research.
>
> If you are interested in this topic, please read the details here:
> http://plusik.pohoda.cz/thesis/
>
> Thanks,
>
> Tomas
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"
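The thread describes a SpamAssassin-style scorer over process activity and raises the question of what a score TTL does to detection. The following is an added toy model written for this archive page; it is not code from the thesis module and the test names, point values, threshold, TTL value and TTL semantics are all assumptions. It runs the same four scored events through two policies: a hard TTL that discards accumulated score after an idle gap (the case Brian describes) and a lifetime score that never expires, so a reader can see which sequences each policy flags.

```python
"""Toy model of a SpamAssassin-style per-process scorer with a score TTL.

Added illustration, not the thesis module's code. Test names, weights,
threshold and TTL semantics below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Constructed per-test point scores, in the spirit of SpamAssassin rules.
# The real module's tests and weights are not on the page; these are made up.
TEST_SCORES = {
    "setuid_exec": 3.0,
    "open_passwd": 2.0,
    "raw_socket": 2.5,
    "exec_from_tmp": 3.0,
}
THRESHOLD = 6.0  # assumed alert threshold


@dataclass
class ProcessState:
    score: float = 0.0
    last_event: float = 0.0            # timestamp (s) of the last scored event
    hits: List[str] = field(default_factory=list)


def score_events(events: Iterable[Tuple[float, str]], ttl: float,
                 expire_on_idle: bool = True) -> Tuple[float, Optional[float]]:
    """Feed (timestamp, test_name) events for one process through the scorer.

    events: (t, test) pairs sorted by t.
    ttl: seconds after which accumulated score is discarded.
    expire_on_idle=True models a hard TTL: if more than `ttl` seconds pass
    between scored events, the running score is reset before the new event
    is counted. expire_on_idle=False models a lifetime score with no expiry.
    Returns (final_score, flagged_at): flagged_at is the timestamp of the
    first event that pushed the score to THRESHOLD or above, else None.
    """
    st = ProcessState()
    flagged_at: Optional[float] = None
    for t, test in events:
        if expire_on_idle and st.hits and (t - st.last_event) > ttl:
            st.score = 0.0          # TTL elapsed: prior evidence is forgotten
            st.hits.clear()
        st.score += TEST_SCORES[test]
        st.hits.append(test)
        st.last_event = t
        if flagged_at is None and st.score >= THRESHOLD:
            flagged_at = t
    return st.score, flagged_at


# Constructed event sequences: identical actions, differing only in whether a
# long pause separates the first two from the last two.
BURST = [(0.0, "setuid_exec"), (1.0, "open_passwd"),
         (2.0, "raw_socket"), (3.0, "exec_from_tmp")]
SPLIT = [(0.0, "setuid_exec"), (1.0, "open_passwd"),
         (700.0, "raw_socket"), (701.0, "exec_from_tmp")]

if __name__ == "__main__":
    ttl = 600.0  # assumed 10-minute TTL
    for name, ev in (("burst", BURST), ("split", SPLIT)):
        for policy in (True, False):
            s, at = score_events(ev, ttl, expire_on_idle=policy)
            print(f"{name:5} expire_on_idle={policy!s:5} "
                  f"score={s:4.1f} flagged_at={at}")
```

With the hard TTL the burst is flagged at t=2.0 but the split sequence never reaches the threshold, because the first two points of evidence are discarded during the pause; with a lifetime score both are flagged. A lifetime score is not free either (long-running daemons accumulate benign points over months), so the practical middle ground a defender would look at is slow decay rather than hard expiry, plus treating the idle gap itself as something the scorer can see.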