[751] in Intrusion Detection Systems
Re: Welcome to ids
daemon@ATHENA.MIT.EDU (IO ERROR)
Wed Nov 20 04:23:31 1996
Date: Mon, 18 Nov 1996 03:33:37 -0600 (CST)
From: IO ERROR <error@error.net>
To: ids@uow.edu.au
In-Reply-To: <199611180425.PAA28704@wyrm.its.uow.edu.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-ids
Precedence: bulk
Reply-To: ids
On Mon, 18 Nov 1996 Majordomo@uow.edu.au wrote:
> ---- Joining Requests ----
>
> When joining the list I ask you to briefly introduce yourself (to the
> mailing list <ids@uow.edu.au>), to give an outline of your interest in
> intrusion detection systems. Whether you are developing an intrusion
> detection system, or a system administrator or student who is
> currently investigating or developing a system. Additionally you might
> want to express some personal ideas that you have about what you think
> an intrusion detection system should be.
Let me begin by saying that UNIX "audit trails" suck.
My name is Michael Hampton, and my site was hacked two weeks ago. Though I
watch my system logs fairly carefully, I never noticed the break-in until the
administrator of another local site informed me of the details of the break-in
at his site. Only then did I notice that my /bin/login had been replaced, and
only then did I whip up a "raw" utmp viewer and notice that someone had done a
not-so-great job of editing my wtmp file.
Before this, I was content to keep my system up and compile programs my users
wanted to run. I know all of my users personally, so it was one big happy
family. Now, I have to worry about someone sneaking in via a back door I don't
know about. Not only does it undermine the comfortable "feel" of the system
for both me and my users, it cuts into the time I have for doing real work.
Since then I have installed COPS, Tripwire and ISS, I have tcpdump watching
traffic from certain sites, and probably will install several other packages.
I don't like the idea of having to spend time watching my system closely for
signs of intrusion. I don't like the idea of an operating system design that
makes so little allowance for security, and requires installing a dozen or
more packages to merely _watch_ the holes in the walls.
I would like to (1) plug those holes, or (2) start over from scratch. But both
of those are topics for other lists, I think.
With respect to IDS, I believe that UNIX "audit trails" could be far better, or
at least easier to use. utmp(5) sucks.
One idea is this: use the syslog facility for what it was intended: logging!
I notice that /bin/login and friends don't talk to syslog unless there is a
problem. I believe that they should log everything that's going on, so that
discrepancies (which mean possible intrusions) are easier to discover. Yes,
I'm aware there are modified programs out there that do such logging, though
they may be slightly incompatible with my system or someone else's system.
I must cut this short, as I have 60 more messages to answer tonight. :)
--
Michael Hampton Crossroads Communications System Administrator
error@error.net 318 E Burlington, Iowa City, IA 52240 (319) 354-6614
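The "raw" wtmp check described in the post, written out as an added example (not the author's own viewer or code from any tool named above): it walks records in the classic <utmp.h> layout and flags the inconsistencies a clumsy edit leaves behind. The records are constructed in memory for the demonstration; reading a real file is an fread loop over the same struct, assumed here to be /var/log/wtmp.

```c
#include <stdio.h>
#include <string.h>
#include <utmp.h>
/* Zero-filled slot: what a crude "delete this login" edit leaves; last(1) skips it. */
static int is_zeroed(const struct utmp *u) {
    static const struct utmp zero;
    return memcmp(u, &zero, sizeof zero) == 0;
}
/* Logout at index i with no open login on the same tty before it: the login record is gone. */
static int orphan_logout(const struct utmp *r, size_t i) {
    for (size_t j = i; j-- > 0;) {
        if (strncmp(r[j].ut_line, r[i].ut_line, UT_LINESIZE) != 0) continue;
        if (r[j].ut_type == USER_PROCESS || r[j].ut_type == LOGIN_PROCESS) return 0;
        if (r[j].ut_type == DEAD_PROCESS) return 1;
    }
    return 1;
}
/* Walk records in file order and count tampering indicators: wiped slots,
 * timestamps running backwards in an append-only log, and orphaned logouts. */
int scan_wtmp(const struct utmp *r, size_t n) {
    int anomalies = 0; long last_sec = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_zeroed(&r[i])) { printf("rec %zu: zero-filled record\n", i); anomalies++; continue; }
        if ((long)r[i].ut_tv.tv_sec < last_sec) { printf("rec %zu: timestamp goes backwards\n", i); anomalies++; }
        last_sec = r[i].ut_tv.tv_sec;
        if (r[i].ut_type == DEAD_PROCESS && orphan_logout(r, i)) {
            printf("rec %zu: logout on %.*s with no matching login\n", i, UT_LINESIZE, r[i].ut_line);
            anomalies++;
        }
    }
    return anomalies;
}
/* Build one record for the constructed sample below. */
static void mk(struct utmp *u, short type, const char *line, long sec) {
    memset(u, 0, sizeof *u);
    u->ut_type = type;
    strncpy(u->ut_line, line, sizeof u->ut_line - 1);
    u->ut_tv.tv_sec = sec;
}
/* Constructed sample, not a real wtmp: login/logout on tty1, a wiped slot, a
 * logout on tty2 whose login was removed, and a back-dated entry (3 anomalies). */
int demo_tampered(void) {
    struct utmp r[5];
    mk(&r[0], USER_PROCESS, "tty1", 848000000);
    mk(&r[1], DEAD_PROCESS, "tty1", 848003600);
    memset(&r[2], 0, sizeof r[2]);
    mk(&r[3], DEAD_PROCESS, "tty2", 848007200);
    mk(&r[4], USER_PROCESS, "tty3", 847000000);
    return scan_wtmp(r, 5);
}
```

A sorted-by-time, unbroken login/logout sequence returns 0; the checks are indicators to investigate, since clock corrections can also move timestamps backwards.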