[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: OT: An Idea for an IDS

> A daemon sits running in the background listening to a special device
> Are there any projects out there to do this right now.  If not, is this
> a good idea?  If it is who would be a person/group that would be
> qualified and have the time/interest to develop it.

Abacus Portsentry binds itself to ports and detects IP/UDP Scans and 
Hostsentry looks over login activity and issues countermesaures. Both can 
issue a wide range of (actually customizable) firewalling rules. I've been 
running portsentry for some years now and can say, you definitely have to 
exclude some hosts (which is configurable), lowering the security effect.
Hostsentry isn't too far developed, but both come in handy together with 
Abacus Logcheck.

Portsentry and Logcheck are in sid, but (surely because of the experimental 
state of it) Hostsentry isn't. Also I have not seen progress with it during 
the last years, staying version 0.2...

If you want to start your own project, you'll have to guarantee _you_ can 
always login. Also, with dynamic IPs those rules should be outdated after 
some time.
Portsentry for example writes entries to /etc/hosts,deny, which you'll have to 
clean out for yourself. This is ugly.
But, with 2-3 XML Parsers for config files defining patterns, actions and 
rules (pattern->action), you could build a rather easy to maintain threat 
reaction system in Perl with little effort.

If you're interested in building one, I am...

Thomas Ritter

"Those who would give up essential liberty, to purchase a little temporary 
safety, deserve neither liberty nor safety."  - Benjamin Franklin

Reply to: