Message-ID: <41751ADA.40107@sitetronics.com>
Date: Tue, 19 Oct 2004 15:47:06 +0200
From: "Devon H. O'Dell" <dodell@sitetronics.com>
To: Tomas Pluskal
cc: freebsd-security@freebsd.org
cc: freebsd-hackers@freebsd.org
In-Reply-To: <20041019133439.X604@localhost>
Subject: Re: new intrusion detection system
List-Id: Security issues [members-only posting]

Tomas Pluskal wrote:
>
> Hello to all,
>
> I have implemented a new type of intrusion detection system for my
> Master's thesis. I would like to announce this information, in case anyone
> would be interested in this research.
>
> The IDS system is designed as a kernel module for FreeBSD 5.2. It is
> inspired by the SpamAssassin program, which detects spam by applying a
> set of tests to every email message and counting the sum of the point scores
> generated by each test. My IDS system applies a set of tests to every
> running process in the OS and counts its score generated by the tests.
> Therefore, the purpose of the IDS is not to monitor the network traffic,
> but rather to monitor the process activity.
>
> The current system status is a "working prototype" - it is not ready for
> production usage, but it may serve as a good base for interesting
> research.
>
> If you are interested in this topic, please read the details here:
> http://plusik.pohoda.cz/thesis/
>
> Thanks,
>
> Tomas

Hello Tomas,

At first glance of this email, I thought "An IDS based upon SpamAssassin ideology? Intrusions differ too much from spam for this to be accurate!" After reading your thesis, my ideas were changed. This work is certainly very interesting, and I encourage you to continue its development.

Certainly one thing that would be desirable that I did not see listed in the improvements section (and many other IDS systems, such as Bro) would be the ability to carry out some action (instead of pure reporting) based upon behavior; this would allow for IDS as well as IPS behavior.

I'm quite interested in and impressed by the work you've done here. Do you have any plans of setting this up as a collaborative project? Can I help you by providing a place for you to do this? At the moment, I'm not able to provide much help for implementing any of the features listed in your thesis (although I am interested in working on and with this software at some point in the not-too-far future :)), but please let me know if I can help by providing resources, as this is something that I can do with little effort and in little time.

Congratulations, and good luck with your study!

Kind Regards,

Devon H. O'Dell
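The SpamAssassin-style scoring that Tomas describes, and the report-versus-act distinction Devon asks for, modelled in user-space C as an added illustration (this is not code from the thesis or from the FreeBSD module). The process attributes, test names, weights and thresholds are all constructed for the example; a real implementation would gather them inside the kernel.

```c
#include <stdio.h>
#include <stdbool.h>

/* Constructed snapshot of one running process (hypothetical fields). */
struct proc_info {
    const char *comm;   /* executable name */
    int uid;            /* effective uid */
    bool exe_in_tmp;    /* executable lives under a world-writable tmp dir */
    bool exe_unlinked;  /* backing executable was deleted after exec() */
    bool listens;       /* holds a listening socket */
    bool traces_other;  /* is ptrace()-ing another process */
    int execs_per_min;  /* exec() calls observed in the last minute */
};

/* One test, SpamAssassin style: a predicate plus the points it adds. */
struct test {
    const char *name;
    double points;
    bool (*check)(const struct proc_info *);
};

static bool t_root_tmp(const struct proc_info *p) { return p->uid == 0 && p->exe_in_tmp; }
static bool t_unlinked(const struct proc_info *p) { return p->exe_unlinked; }
static bool t_tmp_listener(const struct proc_info *p) { return p->exe_in_tmp && p->listens; }
static bool t_tracer(const struct proc_info *p) { return p->traces_other; }
static bool t_exec_storm(const struct proc_info *p) { return p->execs_per_min > 50; }

/* Weights are illustrative; tuning them is the research question. */
static const struct test tests[] = {
    { "ROOT_EXE_IN_TMP", 2.5, t_root_tmp },
    { "EXE_UNLINKED",    3.0, t_unlinked },
    { "TMP_LISTENER",    2.0, t_tmp_listener },
    { "PTRACE_OTHER",    1.5, t_tracer },
    { "EXEC_STORM",      1.0, t_exec_storm },
};

/* Sum the points of every test the process trips. */
double score_process(const struct proc_info *p)
{
    double total = 0.0;
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++)
        if (tests[i].check(p))
            total += tests[i].points;
    return total;
}

/* Two thresholds: log-only (IDS) below ACT_AT, take an action (IPS) at or above it. */
#define REPORT_AT 3.0
#define ACT_AT    5.0
const char *verdict(double score)
{
    return score >= ACT_AT ? "act" : score >= REPORT_AT ? "report" : "clean";
}
```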