Jesse Lands
Aug 13, 2010, 9:46:21 AM
to Python Security
From reading your indicators it would appear that you are focusing on
a HIDS on a webserver. And not to deviate too far from your initial
post, but I have been looking for something similar for overall
systems for quite a while. There were a handful of packages that have
since been abandoned, but nothing I know of currently supported.
I have found the following items to be noteworthy in monitoring and
would find them useful in a HIDS.
- account creation, modification, deletion
- additions/modifications to scheduled tasks/cronjobs
- any insertion of files from network sources (this can be messy,
  probably would need to have some tweaking)
- behavioral analysis: watching for certain indications of programs
  touching the kernel, memory, network interfaces
- possibly integration of something similar to tripwire into a HIDS
  (modification/touching protected files, i.e. kernel32.dll or
  /etc/shadow)
- correlation engine: if a file is touched/modified just log it, but if
  it's touched, then files are downloaded, then send an alert
As far as a NIDS goes there are some nice applications out there
currently (BRO, SNORT, VORTEX, Suricata), but little in the way of
python packages that could accomplish the same thing. It would be
nice to have some type of lightweight Python application for NIDS.
There is Pycapy, but it's another application that appears no longer
supported. The biggest problems that I have found with any of these
is: the difficulty in setting it up and monitoring, lack of stream
analysis in some of them, and the inability in some to perform
threaded analysis. I believe Suricata or Vortex with a YARA search
engine may be an acceptable solution, but they only hit 2 of the 3,
missing on the difficulty of setup.
Jesse G. Lands
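The correlation rule in the post above (log a single file modification, alert when a network download follows it) is small enough to sketch. The following is an added example written for this thread, not code from the poster or from any of the packages named; the event kinds, the protected-file list, the 300-second window and the sample events are all constructed assumptions.

```python
"""Toy host-event correlator: log single indicators, alert on suspicious sequences.
Added example for the HIDS discussion; event shapes and values are constructed."""
from collections import deque
from dataclasses import dataclass

# Files a tripwire-style monitor would treat as protected (assumed list).
PROTECTED_FILES = {"/etc/shadow", "/etc/passwd", "/etc/crontab"}
# How long a file modification stays "recent" for correlation (assumed value).
WINDOW_SECONDS = 300


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since epoch (constructed values in SAMPLE_EVENTS)
    kind: str      # file_modified, file_downloaded, account_created, cron_modified
    subject: str   # file path, account name, cron entry or download source
    actor: str     # user or process that produced the event


class Correlator:
    """Sliding window of file modifications; a download inside the window
    after a modification raises an alert, everything else is only logged."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.recent_mods = deque()   # (ts, path) pairs, oldest first
        self.log = []                # one line per event, no matter what it is
        self.alerts = []             # correlated findings only

    def _expire(self, now):
        # Drop modifications older than the window so stale events never correlate.
        while self.recent_mods and now - self.recent_mods[0][0] > self.window:
            self.recent_mods.popleft()

    def process(self, ev):
        self._expire(ev.ts)
        # Every indicator on its own is just logged.
        self.log.append(f"{ev.ts:.0f} {ev.kind} {ev.subject} by {ev.actor}")
        if ev.kind == "file_modified":
            self.recent_mods.append((ev.ts, ev.subject))
        elif ev.kind == "file_downloaded" and self.recent_mods:
            touched = [path for _, path in self.recent_mods]
            # A protected file in the sequence makes the finding more serious.
            severity = "high" if any(p in PROTECTED_FILES for p in touched) else "medium"
            alert = {
                "ts": ev.ts,
                "severity": severity,
                "reason": "network download after file modification",
                "modified": touched,
                "download": ev.subject,
                "actor": ev.actor,
            }
            self.alerts.append(alert)
            return alert
        return None


# Constructed sample timeline; the only alert should come from the /etc/shadow case.
SAMPLE_EVENTS = [
    Event(0,    "account_created", "svc-backup",          "root"),
    Event(1000, "file_downloaded", "updates.example/pkg", "apt"),        # no prior mod
    Event(2000, "file_modified",   "/etc/shadow",         "uid=1001"),
    Event(2100, "file_downloaded", "203.0.113.9/payload", "uid=1001"),   # inside window
    Event(3000, "cron_modified",   "@reboot /tmp/x.sh",   "uid=1001"),
    Event(5000, "file_modified",   "/tmp/notes.txt",      "uid=1002"),
    Event(9000, "file_downloaded", "files.example/doc",   "uid=1002"),   # window expired
]


def run_sample(events=SAMPLE_EVENTS):
    """Feed events in time order and return the correlator for inspection."""
    corr = Correlator()
    for ev in sorted(events, key=lambda e: e.ts):
        corr.process(ev)
    return corr


if __name__ == "__main__":
    result = run_sample()
    for line in result.log:
        print(line)
    for alert in result.alerts:
        print("ALERT", alert)
```

The account and cron events are deliberately log-only here, which matches the post's point that single indicators are noise until a second event gives them context; extending the rule set (for example, cron modification followed by a download) is a matter of adding another branch in `process`.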