From owner-freebsd-hackers@FreeBSD.ORG Tue Oct 19 21:43:45 2004
Return-Path:
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 12CD716A4CE; Tue, 19 Oct 2004 21:43:45 +0000 (GMT)
Received: from sccrmhc11.comcast.net (sccrmhc11.comcast.net [204.127.202.55]) by mx1.FreeBSD.org (Postfix) with ESMTP id 80A6943D2D; Tue, 19 Oct 2004 21:43:44 +0000 (GMT) (envelope-from bartobri@comcast.net)
Received: from [192.168.0.104] (c-24-11-10-106.client.comcast.net[24.11.10.106]) by comcast.net (sccrmhc11) with SMTP id <20041019214343011007dvp3e>; Tue, 19 Oct 2004 21:43:44 +0000
In-Reply-To: <20041019133439.X604@localhost>
References: <20041019133439.X604@localhost>
Mime-Version: 1.0 (Apple Message framework v619)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message-Id:
Content-Transfer-Encoding: 7bit
From: Brian Barto
Date: Tue, 19 Oct 2004 17:43:43 -0400
To: Tomas Pluskal
X-Mailer: Apple Mail (2.619)
X-Mailman-Approved-At: Wed, 20 Oct 2004 12:24:40 +0000
cc: freebsd-hackers@freebsd.org
cc: freebsd-security@freebsd.org
Subject: Re: new intrusion detection system
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 19 Oct 2004 21:43:45 -0000

Very interesting stuff. Certainly worth more investigation.

Something occurred to me while I read your thesis, though maybe it was worth a mention. The TTL (time to live) could potentially cause the IDS module to be easily beaten. An attack could begin and immediately go into a sleep state with the intent to expire the TTL, later resuming with its actions going unnoticed.

I hope to see more on this. I think it is a very creative and useful idea.
Thanks,
Brian

On Oct 19, 2004, at 7:36 AM, Tomas Pluskal wrote:

>
> Hello to all,
>
> I have implemented a new type of intrusion detection system for my Master's thesis. I would like to announce this information, in case anyone would be interested in this research.
>
> The IDS system is designed as a kernel module for FreeBSD 5.2. It is inspired by the SpamAssassin program, which detects spam by applying a set of tests to every email message and summing the point scores generated by each test. My IDS system applies a set of tests to every running process in the OS and counts the score generated by the tests. Therefore, the purpose of the IDS is not to monitor the network traffic, but rather to monitor the process activity.
>
> The current system status is a "working prototype" - it is not ready for production usage, but it may serve as a good base for interesting research.
>
> If you are interested in this topic, please read the details here:
> http://plusik.pohoda.cz/thesis/
>
> Thanks,
>
> Tomas
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
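Brian's TTL concern, as an added illustration that is not code from the thesis or from either poster: it scores the same process events two ways, a sliding window in which a test's points expire after the TTL, and a lifetime total that survives a pause. The test names, point values, threshold and event stream are all constructed assumptions; with a 60 s TTL the process that sleeps 90 s between steps never reaches the threshold, while cumulative scoring reports both processes.

```python
from typing import Dict, List, Tuple

# Assumed test names and point values (constructed; the thesis' real tests are not on the page).
TEST_SCORES: Dict[str, float] = {
    "setuid_exec": 2.0,   # process executed a setuid binary
    "write_etc": 3.0,     # process wrote under /etc
    "raw_socket": 2.5,    # process opened a raw socket
}
THRESHOLD = 5.0  # score at which a process is reported (assumption)

# Events as (timestamp_seconds, pid, test_name); constructed sample input.
# pid 100 does everything in a burst; pid 200 sleeps 90 s between each step.
EVENTS: List[Tuple[float, int, str]] = [
    (0.0, 100, "setuid_exec"), (1.0, 100, "write_etc"), (2.0, 100, "raw_socket"),
    (0.0, 200, "setuid_exec"), (90.0, 200, "write_etc"), (180.0, 200, "raw_socket"),
]

def score_with_ttl(events, ttl: float) -> Dict[int, float]:
    """Sliding-window scoring: a test's points expire ttl seconds after it fired.
    Returns the highest score each pid reached at any point in the stream."""
    live: Dict[int, List[Tuple[float, float]]] = {}
    peak: Dict[int, float] = {}
    for now, pid, test in events:
        hits = live.setdefault(pid, [])
        hits.append((now, TEST_SCORES[test]))
        hits[:] = [(t, s) for t, s in hits if now - t < ttl]  # drop expired points
        peak[pid] = max(peak.get(pid, 0.0), sum(s for _, s in hits))
    return peak

def score_lifetime(events) -> Dict[int, float]:
    """Cumulative scoring: points stay attached to the process until it exits,
    so pausing between steps does not reset the total."""
    total: Dict[int, float] = {}
    for _, pid, test in events:
        total[pid] = total.get(pid, 0.0) + TEST_SCORES[test]
    return total

def flagged(scores: Dict[int, float], threshold: float = THRESHOLD) -> List[int]:
    """PIDs whose score reached the reporting threshold."""
    return sorted(pid for pid, s in scores.items() if s >= threshold)

if __name__ == "__main__":
    print("TTL=60s :", flagged(score_with_ttl(EVENTS, 60.0)))  # [100]
    print("lifetime:", flagged(score_lifetime(EVENTS)))        # [100, 200]
```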