
List:       focus-ids
Subject:    RE: HIDS - new technologies ?
From:       "Shripal Meghani" <meghani () nsecure ! net>
Date:       2002-07-15 6:57:09

Well, it is true that the HIDS technology scenario is improving fast.
There are a lot of things that can be done at the host for intrusion
detection... some of them are mentioned in this thread: Log Analysis, File
Integrity Checking, Port monitoring, System Call Monitoring. Some SHOULD
even provide a firewall as one of the defense mechanisms on the hosts!
... but there are some very serious commercial complications with Host Based
IDSs.
1) HIDSs raise a lot of alerts and/or data that need to be analysed. If
you do something like system call monitoring, the security admin is going to
be in a shock!!
2) HIDS data is host specific, and only security admins well aware of the
intricacies of the host in question can make some sense of the data.
3) Some HIDSs are inherently unstable and may themselves be of some risk to the
system concerned. But most do not cause any damage to the system; in fact,
that is one of the objectives while developing a HIDS.

In particular, let us take System call monitoring as an example.
There can be two kinds of system call monitoring: "System Call forking" or
"System call chaining".
In System call forking, the system call is picked up by the OS and "forked"
to both the system as well as the application which is monitoring it. This
will be a lot less dangerous than "System call Hooking", which entails
completely overriding the system call and replacing it with a custom routine
(Kernel Modules for example). Intuitively, this is a lot riskier.
From a prevention point of view, the former is useless; it can do nothing to
prevent the system from receiving the call. The latter can drop the call
altogether.


| -----Original Message-----
| From: kaleal [mailto:kaleal@hawaii.rr.com]
| Sent: Friday, July 12, 2002 4:44 AM
| To: 'Stephanie Miller'; kunal@geosofttech.net;
| focus-ids@securityfocus.com
| Subject: RE: HIDS - new technologies ?
|
|
| While the technology emerging in the HIDS arena is gaining ground..has
| anyone actually seen market demand for a HIDS deployment?  I have been
| having difficulty even getting any name recognition for any HIDS
| product.  Does anyone have any marketing data regarding HIDS
| deployments..and customer thoughts on HIDS?
|
| Kal
|
| -----Original Message-----
| From: Stephanie Miller [mailto:stephanie_miller@hp.com]
| Sent: Thursday, July 11, 2002 5:29 AM
| To: kunal@geosofttech.net; focus-ids@securityfocus.com
| Subject: Re: HIDS - new technologies ?
|
| I'll also add that Hewlett-Packard offers a HIDS that has hooks directly
| in the kern. for analyzing system calls.    We are doing pure intrusion
| detection, no intercepting or blocking of system calls (we do offer
| intrusion response once an alert is triggered).
| Plus we detect intrusions using just a small handful of detection
| "templates" (no need to manage hundreds of signatures).   You can find more
| information at:
|
| http://www.hp.com/products1/unix/operating/security/
|
| Or download the product (it's free) from:
|
| http://www.software.hp.com/ISS_products_list.html
|
| And the documentation is at:
|
| http://docs.hp.com/hpux/internet/index.html#Intrusion%20Detection%20System/9000
|
| Cheers,
| -Stephanie
|
| At 01:42 AM 7/11/2002 +0530, Kunal Rupera wrote:
| >Hello everyone ..!
| >         Currently host based intrusion detection systems usually
| > consist of programs like Sentinel or Tripwire which do file integrity
| > checks using various checksumming algorithms. Now there are some new
| > upcoming technologies like HIDS based on system calls.
| >http://imsafe.sourceforge.net/ <---- to quote a very crude example..
| >something on these lines but not exactly the way imsafe functions. Now
| >would it be possible to make a HIDS that is based on system calls? . to
| >cite an example, most windows based anti viral programs hook the I/O
| >calls and do not let an infected.exe get executed. so would it be possible
| >to write a program which monitors for executable files and when one is
| >executed, checks if it contains "bad" signatures and allows or prevents
| >that executable file from getting executed? . {this applies to *nix
| >platforms} so that exploits (mostly local root buffer overflows) can be
| >prevented from running? .. of course such HIDS systems would have the
| >limitations that most NIDS systems have eg. encrypted payload to cite
| >one of them... etc.. but won't it be effective for most cases?
| >Views/Flames/Ideas/Help/Links/Discussions. all welcome... :)..
| >
| >Kunal
| >Unix System Administrator
| >Sun Certified Solaris Administrator
|
| ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
|   Stephanie A. Miller
|   HP IDS/9000 Security Engineer
|   Enterprise Systems Technology Lab
|   (734)805-2264
|   Hewlett-Packard Company
|   http://www.hp.com/security
| ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
|

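The observe-only versus intercepting distinction Shripal draws above (a monitor that only sees the call, and one that can drop it), shown as an added example that is not code from this thread or from any product named in it: the same Linux seccomp-BPF policy on execve is installed once with SECCOMP_RET_LOG (the call proceeds, the kernel only records it) and once with SECCOMP_RET_ERRNO (the call is refused with EPERM). The helper names, the exit codes and the use of /bin/true as the test program are my own choices; SECCOMP_RET_LOG needs a 4.14 or newer kernel, and the filter matches only the native __NR_execve without an architecture check, which a real filter must add.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_RET_LOG
#define SECCOMP_RET_LOG 0x7ffc0000U /* log-and-allow action, kernels >= 4.14 */
#endif

/* Filter: apply `action` to execve, allow every other call. Demo only: it
 * matches the native __NR_execve and does not check seccomp_data.arch. */
static int install_exec_filter(unsigned int action) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, action),            /* it is execve  */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* anything else */
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Run `path` in a child under the chosen policy and return its exit code
 * (constructed codes for this demo):
 *  0 = execve went through (observe-only: the kernel merely logs the call),
 * 77 = execve refused with EPERM (intercepting: the call is dropped),
 * 99 = no filter could be installed. */
int run_under_policy(const char *path, int intercept) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        unsigned int action = intercept ? (SECCOMP_RET_ERRNO | EPERM) : SECCOMP_RET_LOG;
        /* kernels without SECCOMP_RET_LOG reject the filter; observe-only then degrades to ALLOW */
        if (install_exec_filter(action) != 0 &&
            (intercept || install_exec_filter(SECCOMP_RET_ALLOW) != 0)) _exit(99);
        execl(path, path, (char *)NULL);
        _exit(errno == EPERM ? 77 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

Build with gcc on Linux and call `run_under_policy("/bin/true", 0)` and `run_under_policy("/bin/true", 1)` from a main: the first returns 0 because the observed call still runs, the second returns 77 because the intercepting filter never lets the kernel see it.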