Intrusion Detection Systems mailing list archives

Re: Insiders and IDS


From: carric () com2usa com (Carric Dooley)
Date: Wed, 3 May 2000 17:10:16 -0700


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

You didn't say:  are you running IDS other than sniffer logs?

As far as "which IDS", everyone is going to recommend their favorite (mine
is ISS if we are at the enterprise level, but I would not hesitate to
recommend NFR or Dragon, since you obviously have UNIX expertise).  Each IDS
has a slightly different feature set, so you really need to look at your
environment to see what fits best.

As to your question about "would it be easy to...".  Go to:

http://packetstorm.securify.com

and look for "rootkits".  You can download kits that replace all the key
binaries, as well as log wipers and so on.  It sounds like whoever hit you
had a pretty good one.

This may come close to what you wanted for a "CPU Sniffer":

http://www.psionic.com/abacus/hostsentry/

or you can take a look at ISS system agents for RealSecure, or what they
call SystemScanner (S2).  RealSecure is really a hybrid IDS with components
for both the network and specific hosts (and they have agents for several
platforms).  An IDS should by its nature be just as effective against
internal threats as it is against external threats.  I am sure ISS, Cisco, Axent,
NFR and the others all know more than 70%-80% (depending on the year and
your source of info) of security issues manifest internally.

Hope that has at least some useful information...

Carric Dooley
Network Security Consultant

Basic research is what I'm doing when I don't know what I'm doing.

                - Wernher von Braun

[snip]

----- Original Message -----
From: "Soeren Brandbyge" <sab () brandbyge dk>
To: <ids () uow edu au>
Sent: Tuesday, May 02, 2000 6:45 PM
Subject: IDS: Insiders and IDS


I have been wondering:
- It would be fairly easy (given root access) to hit a production server
with the modified shell and md5 (as a bare minimum), thus adding another
tool to cover the tracks into the hacker toolkit(?).
- How can I tweak an IDS to focus more on the internal threats (in my
opinion, insiders are an overlooked problem regarding IDS - for one, they
have significantly fewer obstacles to overcome to gain root access)? Any
suggestions for specific IDS targeting this type of problem? (Or is it
off-topic?)
- An idea (maybe unrealistic): We are using rule-based sniffers to gather
info about network traffic and to alert when "non-normal" conditions
arise. Would it be possible to produce a "cpu-sniffer" (or something
like that) that could independently watch the activities of the core,
preferably another computer "sniffing into" the production computer and
comparing against a set of rules?


[snip]


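Both messages above circle the same detection problem: a rootkit replaces key binaries (and, as Soeren notes, possibly the md5 tool you would use to check them), so an integrity check has to hash files with code the intruder did not replace and compare against a baseline kept somewhere the compromised host cannot rewrite. The following script is an added example, not code from either poster nor from any of the products named in the thread; it is the minimal shape of such a check, using Python's own hashlib rather than an on-host md5 binary, with the baseline intended to be written to (and the check run from) a separate trusted machine. File names and contents in `demo()` are constructed for the demonstration.

```python
"""Added example: a tripwire-style file-integrity check.

Hashes are computed in-process with hashlib so the check does not depend
on an md5/sha binary that a rootkit may have swapped out. The baseline
dict is meant to be serialised with json and stored off the monitored
host; verify() is then run against the host's current files.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, algo="sha256", chunk=65536):
    """Hash a file in chunks using hashlib; no external tool is invoked."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Record digest, size and permission bits for each monitored file."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {
            "sha256": hash_file(p),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,
        }
    return baseline


def verify(baseline, candidate_paths):
    """Compare the current file set with the baseline.

    Returns a dict with lists of modified, missing, new and unchanged
    paths. A changed digest or changed permission bits both count as
    'modified', since a replaced binary may keep its size.
    """
    report = {"modified": [], "missing": [], "new": [], "ok": []}
    current = set(candidate_paths)
    for p, rec in baseline.items():
        if not os.path.exists(p):
            report["missing"].append(p)
            continue
        st = os.stat(p)
        same_hash = hash_file(p) == rec["sha256"]
        same_mode = (st.st_mode & 0o7777) == rec["mode"]
        (report["ok"] if same_hash and same_mode else report["modified"]).append(p)
    for p in sorted(current - set(baseline)):
        report["new"].append(p)
    return report


def demo():
    """Constructed scenario in a temp dir: baseline three stand-in
    'binaries', then change one, remove one and add an unexpected file,
    which is what a replaced binary plus a dropped tool looks like to the
    check. Returns the report keyed by basename."""
    root = tempfile.mkdtemp()
    names = ["sh", "md5sum", "ls"]
    paths = [os.path.join(root, n) for n in names]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"original " + os.path.basename(p).encode())
        os.chmod(p, 0o755)
    baseline = build_baseline(paths)
    json.dumps(baseline)  # this is what would be shipped off-host

    with open(paths[1], "wb") as f:        # md5sum replaced
        f.write(b"replaced md5sum")
    os.remove(paths[2])                    # ls removed
    extra = os.path.join(root, "unexpected")
    with open(extra, "wb") as f:           # new file appeared
        f.write(b"not in baseline")

    now = [p for p in paths if os.path.exists(p)] + [extra]
    report = verify(baseline, now)
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints a report listing `md5sum` as modified, `ls` as missing, `unexpected` as new and `sh` as unchanged. In practice the baseline would be built right after install from known-good media, the monitored set would cover the shells, coreutils, login/auth binaries and the checker itself, and the comparison would be scheduled from the trusted host rather than from cron on the machine being watched.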