From owner-fam@oss.sgi.com Tue Nov 14 08:31:37 2000
Date: Tue, 14 Nov 2000 11:33:04 -0500 (EST)
From: Jose Nazario
Subject: [fam] idea for imon

have you considered using imon as a component in a host based intrusion
detection system? to monitor inode access, of course...

____________________________
jose nazario                          jose@cwru.edu
PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)

--
Source code, list archive, and docs: http://oss.sgi.com/projects/fam/
To unsubscribe: echo unsubscribe fam | mail majordomo@oss.sgi.com

From owner-fam@oss.sgi.com Fri Nov 17 12:15:56 2000
From: "Rusty Ballinger"
Message-Id: <10011171214.ZM95232@rlyeh.engr.sgi.com>
Date: Fri, 17 Nov 2000 12:14:13 -0800
In-Reply-To: Jose Nazario "[fam] idea for imon" (Nov 14, 11:33am)
Reply-To: rusty@sgi.com
To: jose@biocserver.BIOC.CWRU.Edu
Cc: fam@oss.sgi.com
Subject: Re: [fam] idea for imon

> have you considered using imon as a component in a host based intrusion
> detection system? to monitor inode access, of course...

To really do this, you'd want to make a couple of changes to imon. For one,
I'm not sure whether it will report file accesses; it might only do
modifications. (If so, it should be easy to change.) For another, it does
some monitoring of when programs start & stop executing, but it only reports
when the number of running instances changes from 0 to 1 and back again.
Also, I don't think you can get much (or any?) information about who was
running the command, or the PID; I think all you get is that it was started
or stopped, but that would be easy to change too. (It would only make sense
to do if you could get more information about the uid and/or pid of the file
being executed, though.)

Also, you might find this interesting; Erez Zadok has an example of doing
intrusion detection (for file access, not execution) with wrapfs at
http://www.cs.columbia.edu/~ezk/research/wrapfs/node4.html#SECTION00041000000000000000

--Rusty
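The following is an added example, not code from the list or from the fam project: a small Python model of the behaviour Rusty describes, namely imon only reporting an exec start/stop when the count of running instances crosses between 0 and 1, and a toy HIDS rule set consuming the resulting libfam-style event stream. The event-code values are assumed to match the FAMCodes enum in libfam's fam.h; the watched paths and the event sequence are constructed sample data.

```python
from collections import defaultdict

# Event codes as in libfam's fam.h FAMCodes enum (assumption: values match the
# header). Only the codes relevant to the thread are used here.
FAMChanged, FAMDeleted, FAMStartExecuting, FAMStopExecuting, FAMCreated = 1, 2, 3, 4, 5


def imon_coalesce(raw_exec_events):
    """Model imon's exec reporting: a per-file count of running instances is
    kept, and start/stop is only emitted when that count moves between 0 and 1.
    raw_exec_events: list of (path, "exec"|"exit") as the processes really ran.
    Returns the stream a libfam client would actually see: (code, path)."""
    running = defaultdict(int)
    visible = []
    for path, what in raw_exec_events:
        if what == "exec":
            running[path] += 1
            if running[path] == 1:          # 0 -> 1: the only start reported
                visible.append((FAMStartExecuting, path))
        else:
            running[path] = max(0, running[path] - 1)
            if running[path] == 0:          # 1 -> 0: the only stop reported
                visible.append((FAMStopExecuting, path))
    return visible


def detect(events, watched):
    """Toy HIDS rules over the libfam stream: alert on any change to a watched
    file, and on execution of a watched file changed since monitoring began.
    No uid/pid is attached, because the event stream carries none."""
    modified, alerts = set(), []
    for code, path in events:
        if path not in watched:
            continue
        if code in (FAMChanged, FAMCreated, FAMDeleted):
            modified.add(path)
            alerts.append(("modified", path))
        elif code == FAMStartExecuting and path in modified:
            alerts.append(("modified-binary-executed", path))
    return alerts


# Constructed sample: two overlapping runs of ls, then login is rewritten and run.
WATCHED = {"/usr/bin/ls", "/usr/bin/login"}
RAW_EXECS = [("/usr/bin/ls", "exec"), ("/usr/bin/ls", "exec"),
             ("/usr/bin/ls", "exit"), ("/usr/bin/ls", "exit"),
             ("/usr/bin/login", "exec"), ("/usr/bin/login", "exit")]
SAMPLE_EVENTS = (imon_coalesce(RAW_EXECS[:4])
                 + [(FAMChanged, "/usr/bin/login")]
                 + imon_coalesce(RAW_EXECS[4:]))
```

Note that the two concurrent ls runs collapse into a single start/stop pair, which is the visibility loss the reply points out.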