Re: [python-security] Intrusion Detection System (was Tools for security analysis)


Craig Younkins

Aug 10, 2010, 12:56:34 PM
to python-...@googlegroups.com
Last year I wrote a somewhat limited IDS for ESAPI on Python [1]. The primary way it was used was through exceptions - when input failed validation an exception would be raised, which would register an event with the IDS.
  • Events - These are things such as "Bad Password," "input did not pass validation," or "successful login". When events are registered they need some amount of context, including the currently logged in user, the originating IP of the request being processed, etc.
  • Triggers and actions - defines a set of conditions, such as 1000 requests in one minute or 30 bad login attempts, and actions to take, such as blocking an IP or disabling an account.
The one I wrote a year ago is a decent base, but I'd like to see it be more flexible and configurable. Other ideas are very welcome. An IDS doesn't have to be particularly complicated, but it can provide a great level of control.

Craig Younkins


[1] http://code.google.com/p/owasp-esapi-python/source/browse/esapi/reference/default_intrusion_detector.py

On Tue, Aug 10, 2010 at 12:27 PM, Juanjo Conti <jjc...@gmail.com> wrote:
Hi,

2010/8/10 Craig Younkins <cyou...@gmail.com>

  • Modified interpreter? What could we do with this? Perhaps a taint mode without modifying source code.

This was done here: D. Kozlov and A. Petukhov. Implementation of Tainted Mode approach to finding security vulnerabilities for Python technology. In Proc. of Young Researchers' Colloquium on Software Engineering (SYRCoSE), June 2007.

  • Better intrusion detection system - If a user logs in from opposite sides of the planet within a few minutes, something's wrong. A user sending 1000 requests/min is not legitimate. 30 bad logins within 10 mins from the same IP or for the same account, you can be pretty sure something is wrong.

This sounds really interesting, do you have any idea of where to start?

--
Juanjo Conti
blog: http://www.juanjoconti.com.ar
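The event/trigger/action model Craig describes above, written out as an added example; this is not the ESAPI-for-Python intrusion detector he links to, and the event names, the per-IP and per-account thresholds (30 bad passwords in 10 minutes, 1000 requests in a minute) and the block/disable actions are illustrative assumptions taken from the thread:

```python
"""Application-level intrusion detector: threshold rules over a sliding window.

Added example, not the ESAPI-for-Python code linked in the post. Event names,
thresholds and the two actions are assumptions drawn from the discussion.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    name: str    # e.g. "bad_password", "validation_failed", "request"
    user: str    # currently logged-in (or attempted) user, "" when anonymous
    ip: str      # originating IP of the request being processed
    ts: float    # seconds; supplied by the caller so tests are deterministic


@dataclass(frozen=True)
class Rule:
    event: str   # event name this rule counts
    key: str     # "ip" or "user": what the count is grouped by
    count: int   # threshold that fires the action
    window: float  # seconds
    action: str  # "block_ip" or "disable_account"


class IntrusionDetector:
    def __init__(self, rules):
        self.rules = list(rules)
        self._hits = defaultdict(deque)  # (rule index, key value) -> timestamps
        self.blocked_ips = set()
        self.disabled_accounts = set()
        self.log = []

    def register(self, event: Event):
        """Record one event; return the (action, key) pairs it triggered."""
        triggered = []
        for i, rule in enumerate(self.rules):
            if rule.event != event.name:
                continue
            key = getattr(event, rule.key)
            if not key:
                continue  # anonymous request under a per-user rule: nothing to count
            hits = self._hits[(i, key)]
            hits.append(event.ts)
            while hits and event.ts - hits[0] > rule.window:
                hits.popleft()  # forget hits that fell out of the window
            if len(hits) >= rule.count:
                self._act(rule.action, key, event.ts)
                triggered.append((rule.action, key))
                hits.clear()  # fire once per window rather than on every later hit
        return triggered

    def _act(self, action, key, ts):
        if action == "block_ip":
            self.blocked_ips.add(key)
        elif action == "disable_account":
            self.disabled_accounts.add(key)
        self.log.append((ts, action, key))


DEFAULT_RULES = [
    Rule("bad_password", "ip", 30, 600, "block_ip"),
    Rule("bad_password", "user", 30, 600, "disable_account"),
    Rule("request", "ip", 1000, 60, "block_ip"),
]


def simulate_brute_force():
    """Constructed scenario: 30 bad passwords for one account from one IP in under 10 minutes."""
    ids = IntrusionDetector(DEFAULT_RULES)
    actions = []
    for n in range(30):
        actions += ids.register(Event("bad_password", "alice", "203.0.113.5", 1000.0 + n * 10))
    return ids, actions


if __name__ == "__main__":
    detector, fired = simulate_brute_force()
    print(fired)  # both the per-IP and the per-account rule fire on the 30th failure
```

The validation layer would call `register()` from the exception handler, exactly as the post describes; the only state the detector keeps per rule is a deque of timestamps, so memory is bounded by the threshold and the window.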

Jesse Lands

Aug 13, 2010, 9:46:21 AM
to Python Security
From reading your indicators it would appear that you are focusing on
a HIDS on a webserver. And not to deviate too far from your initial
post, but I have been looking for something similar for overall
systems for quite a while. There were a handful of packages that have
since been abandoned, but nothing I know of currently supported.

I have found the following items to be noteworthy in monitoring and
would find them useful in a HIDS.

- account creation, modification, deletion
- additions/modifications to scheduled tasks/cronjobs
- any insertion of files from network sources (this can be messy,
probably would need to have some tweaking)
- behavioral analysis: watching for certain indications of programs
touching the kernel, memory, network interfaces
- possibly integration of something similar to tripwire into a HIDS
(modification/touching protected files i.e. kernel32.dll or /etc/shadow)
- correlation engine: if a file is touched/modified just log it, but if
it's touched, then files are downloaded then send an alert

As far as a NIDS goes there are some nice applications out there
currently (BRO, SNORT, VORTEX, Suricata), but little in the way of
Python packages that could accomplish the same thing. It would be
nice to have some type of lightweight Python application for NIDS.
There is Pycapy, but it's another application that appears no longer
supported. The biggest problems that I have found with any of these
are: the difficulty in setting them up and monitoring, lack of stream
analysis in some of them, and the inability in some to perform
threaded analysis. I believe Suricata or Vortex with a YARA search
engine may be an acceptable solution, but they only hit 2 of the 3,
missing on the difficulty of setup.

Jesse G. Lands
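The correlation rule in Jesse's list (log a protected-file modification on its own, alert when a download follows it) as an added example; it is not code from any of the tools he names. The event schema, the protected-path list and the 300-second correlation window are assumptions, and the event stream is constructed:

```python
"""Host-event correlation: a protected-file modification alone is logged;
a network download on the same host within the window escalates to an alert.

Added example illustrating the post's correlation rule; event fields, the
protected paths and WINDOW are assumptions, SAMPLE_EVENTS is constructed.
"""
from collections import defaultdict

PROTECTED = {"/etc/shadow", "/etc/passwd", "/etc/crontab"}
WINDOW = 300.0  # seconds a modification stays "hot" for correlation


class Correlator:
    def __init__(self, protected=PROTECTED, window=WINDOW):
        self.protected = set(protected)
        self.window = window
        self._recent_mods = defaultdict(list)  # host -> [(ts, path)]
        self.logged = []   # (ts, host, path): modifications recorded on their own
        self.alerts = []   # dicts describing modification-then-download sequences

    def feed(self, ev):
        """Consume one event dict; return an alert dict if this event completes the sequence."""
        host, ts, kind = ev["host"], ev["ts"], ev["kind"]
        if kind == "file_modified":
            if ev["path"] in self.protected:
                self._recent_mods[host].append((ts, ev["path"]))
                self.logged.append((ts, host, ev["path"]))
            return None
        if kind == "file_downloaded":
            mods = self._recent_mods[host]
            # keep only modifications that are still inside the window
            mods[:] = [(t, p) for t, p in mods if ts - t <= self.window]
            if mods:
                alert = {
                    "ts": ts,
                    "host": host,
                    "modified": [p for _, p in mods],
                    "downloaded": ev["path"],
                    "src": ev["src"],
                }
                self.alerts.append(alert)
                return alert
        return None


SAMPLE_EVENTS = [  # constructed host events, oldest first
    {"ts": 100.0, "host": "web1", "kind": "file_modified", "path": "/var/log/syslog"},
    {"ts": 120.0, "host": "web1", "kind": "file_modified", "path": "/etc/shadow"},
    {"ts": 130.0, "host": "db1", "kind": "file_downloaded", "path": "/tmp/a", "src": "198.51.100.7"},
    {"ts": 200.0, "host": "web1", "kind": "file_downloaded", "path": "/tmp/x", "src": "198.51.100.7"},
    {"ts": 900.0, "host": "web1", "kind": "file_modified", "path": "/etc/crontab"},
    {"ts": 1500.0, "host": "web1", "kind": "file_downloaded", "path": "/tmp/y", "src": "203.0.113.9"},
]


def run(events=SAMPLE_EVENTS):
    """Replay an event list through a fresh Correlator and return it for inspection."""
    c = Correlator()
    for ev in events:
        c.feed(ev)
    return c


if __name__ == "__main__":
    c = run()
    print(len(c.logged), "logged,", len(c.alerts), "alert(s)")
```

Only the second download (on `web1`, 80 seconds after `/etc/shadow` changed) produces an alert; the `db1` download has no prior modification on that host, and the last download comes 600 seconds after the `/etc/crontab` change, outside the window.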




Craig Younkins

Aug 13, 2010, 11:23:27 PM
to python-...@googlegroups.com
Jesse, I really like your ideas. However, I think a system-wide HIDS is out of the scope of the PythonSecurity.org project. It could be written in Python, but still wouldn't really be about security in the language. What I was really getting at was an application-level IDS for web apps written in Python.

The HIDS you reference protects at the system level. Trends in the past few years have been moving away from 'owning the box' towards more application-level attacks. Many people are spending a lot of time and money on network IDSs and hardening OSs, but attacks are increasingly coming at the application layer because it often enables an attacker to get the same information through an area that is much less well-defended.

Right now PythonSecurity.org focuses mostly on web application security because that is OWASP's focus. But I would love to see it grow to include details about the security of the interpreters, the security of software like twisted, and similar.

Craig Younkins