Re: [RFC] programmatic IDS routing

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: Valdis.Kletnieks@vt.edu
Cc: Linux Audit <linux-audit@redhat.com>
Subject: Re: [RFC] programmatic IDS routing
Date: Wed, 19 Mar 2008 14:40:02 -0400	[thread overview]
Message-ID: <200803191440.02743.sgrubb@redhat.com> (raw)
In-Reply-To: <28772.1205949942@turing-police.cc.vt.edu>

On Wednesday 19 March 2008 14:05:42 Valdis.Kletnieks@vt.edu wrote:
> On Wed, 19 Mar 2008 13:02:48 EDT, Steve Grubb said:
> > files. In order for the IDS system to be able to distinguish an open of a
> > watched file from an open of a *special* watched file that an alert
> > should be sent for, I'd like to propose a standard way of alerting the
> > IDS that this record needs additional scrutiny.
>
> Why do we need special handling for something the IDS should be able to do
> for itself? 

Something has to tell the IDS what to do for these 3 particular detections. It 
could come from a configuration file that it reads, or it could come from the 
event stream that it reads. Its just a matter of *where* the instructions 
come from.

> If your IDS system doesn't already have a copy of the list of 
> "special" watched files, you have *bigger* problems.

Not really, just think about the advantages of this approach. 

o You do not need to express host:file relationships if you are checking 
aggregate logs
o You always have a matching audit rule to make sure you get the data you need
o The event when recorded to disk has the meaning associated with it in case 
you wonder why something didn't get classified the way you thought it should
o This technique is higher performance since you do not need iterate across a 
list of all files for each incoming event.
o If the target file has a hardlink that is manipulated, the IDS won't be 
fooled because a different path showed up in the event stream. (This might 
even come into play for mount tricks that alter paths.)

These are the easy ones that I can think up easily. While we are at it, the 
disadvantages to using the IDS configuration file approach:

o The config file will become a mess when you get to this one entry that 
contains all file names one after another. Or you will have 2 config files 
one for the options and one for the files. You will of course need 2 more 
files for the other 2 detections, so now you have 4 config files to setup.
o No guarantee that any audit rules exist to give you the events you need.
o Lower performance
o Uses more system memory
o Susceptible to path name tricks
o Code will be far more complicated and harder to read or understand due to 
size.
o You have to be very careful to keep aggregate server rules in sync with 
remote system.

-Steve

next prev parent reply	other threads:[~2008-03-19 18:40 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-03-19 17:02 [RFC] programmatic IDS routing Steve Grubb
2008-03-19 17:12 ` Linda Knippers
2008-03-19 17:40   ` Steve Grubb
2008-03-19 17:55     ` Steve Grubb
2008-03-19 18:18     ` Valdis.Kletnieks
2008-03-19 18:54       ` Steve Grubb
2008-03-19 20:09         ` Valdis.Kletnieks
2008-03-19 18:05 ` Valdis.Kletnieks
2008-03-19 18:40   ` Steve Grubb [this message]
2008-03-19 19:04     ` Linda Knippers
2008-03-19 19:28       ` Steve Grubb
2008-03-19 19:48         ` Eric Paris
2008-03-19 20:48           ` Steve Grubb
2008-03-19 19:55         ` Linda Knippers
2008-03-19 21:01           ` Steve Grubb
2008-03-19 21:31             ` Linda Knippers
2008-03-19 21:41               ` Eric Paris
2008-03-19 22:42                 ` Steve Grubb
2008-03-19 23:00                   ` Linda Knippers
2008-03-19 23:44                     ` Steve Grubb
2008-03-20 13:32                       ` Linda Knippers
2008-03-20 13:53                         ` Steve Grubb
2008-03-21 10:28                           ` Klaus Heinrich Kiwi
2008-03-21 12:50                             ` Steve Grubb
2008-03-21 14:14                               ` LC Bruzenak
2008-03-21 15:01                                 ` Steve Grubb
2008-03-21 16:32                                   ` LC Bruzenak
2008-03-24 13:13                                   ` Klaus Heinrich Kiwi
2008-03-20 12:19               ` Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200803191440.02743.sgrubb@redhat.com \
    --to=sgrubb@redhat.com \
    --cc=Valdis.Kletnieks@vt.edu \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.