[Plug-security] Something to look at.

foodog plug-security@lists.PLUG.phoenix.az.us
Tue, 17 Jul 2001 20:45:20 -0700


Kit Plummer wrote:
> 
> Cool!  Though, I am not sure I understand why you would need the IS at
> the kernel level.  It seems like it makes more sense at the network
> level as the ISes are typically found vice tripwire.

There are some advantages.  You can monitor/control what other modules
get loaded, hide processes and files.  As long as you're sure that your
module is loaded on a clean system, you can control any details that you
care to.  You could, for example, hide all evidence that you're running
tripwire.

There was a presentation at Black Hat on a kernel mod called fnord that
does everything listed above, plus hidden (and encrypted, I think)
logging to a remote host, hiding processes with a particular environment
string set or by UID, hiding all visible evidence of connections to/from
particular hosts (unless you've got the secret environment string).
They hook and filter all file activity, removing references to hidden
things, make invisible backup copies when files are modified or deleted,
etc. etc.  Really extensive paranoidware.  Unfortunately, during the Q&A
it came out that their employer won't release the source or binaries for
it...  I was bummed.

> 
> Did you go to DEF CON?

Yup, this was my second year for Black Hat and DEF CON.  It was really
interesting, and there were an alarming number of normal-looking and
older people this year.  Non-feds even.  I'm kinda poor now, not really
interested in drinking again for a while, but looking forward to next
year :-)

> 
> Kit
> 
> On 17 Jul 2001 00:44:54 -0700, foodog wrote:
> > KIS, kernel intrusion system.  An arguably gray hat kernel module was
> > presented at DEF CON Saturday.  It's for Linux kernel versions 2.2.x -
> > 2.4.x.  It's available for download now from uberhax0r.net/kis/
> >
> > I mention it for 2 reasons.  1st, I think it has serious potential as
> > part of an intrusion detection solution; the author expressed interest
> > in how the security community reacts.  2nd, I think it's a good plan to
> > learn about it. It's friendly enough that the kiddies will *love* it.
> > The client can be GUI-driven, and it has brief, usable docs.
> >
> > The docs barely scratch the capabilities, BTW.  The author, Optyx, is
> > talented.
> > Regards,
> > Steve
> > _______________________________________________
> > Plug-security mailing list  -  Plug-security@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-security
> >