Re: OT: An Idea for an IDS
> A daemon sits running in the background listening to a special device
> Are there any projects out there to do this right now? If not, is this
> a good idea? If it is who would be a person/group that would be
> qualified and have the time/interest to develop it.
Abacus Portsentry binds itself to ports and detects IP/UDP Scans and
Hostsentry looks over login activity and issues countermeasures. Both can
issue a wide range of (actually customizable) firewalling rules. I've been
running portsentry for some years now and can say, you definitely have to
exclude some hosts (which is configurable), lowering the security effect.
Hostsentry isn't too far developed, but both come in handy together with
Abacus Logcheck.
Portsentry and Logcheck are in sid, but (surely because of the experimental
state of it) Hostsentry isn't. Also I have not seen progress with it during
the last years, staying version 0.2...
If you want to start your own project, you'll have to guarantee _you_ can
always login. Also, with dynamic IPs those rules should be outdated after
some time.
Portsentry for example writes entries to /etc/hosts.deny, which you'll have to
clean out for yourself. This is ugly.
But, with 2-3 XML Parsers for config files defining patterns, actions and
rules (pattern->action), you could build a rather easy to maintain threat
reaction system in Perl with little effort.
If you're interested in building one, I am...
Greetings,
--
Thomas Ritter
"Those who would give up essential liberty, to purchase a little temporary
safety, deserve neither liberty nor safety." - Benjamin Franklin
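An added sketch of the pattern->action reaction system the post describes, written for this reply and not taken from the post or from the Abacus tools, in Python rather than the Perl suggested. It keeps an exclusion list so the hosts you must always be able to log in from are never blocked, and gives deny entries a ttl so they expire instead of piling up the way hosts.deny entries do; the XML schema, log lines and addresses are constructed for the example.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed config (hypothetical schema): patterns, actions, rules mapping
# pattern -> action, and hosts that must never be blocked.  ttl in seconds.
CONFIG_XML = r"""<config>
  <patterns>
    <pattern id="portscan">scan detected from ([0-9.]+)</pattern>
    <pattern id="badlogin">Failed password for .* from ([0-9.]+)</pattern>
  </patterns>
  <actions>
    <action id="deny" ttl="3600"/>
    <action id="notify" ttl="0"/>
  </actions>
  <rules>
    <rule pattern="portscan" action="deny"/>
    <rule pattern="badlogin" action="notify"/>
  </rules>
  <exclude><net>192.168.1.0/24</net></exclude>
</config>"""
SAMPLE_LOG = ["sentry: scan detected from 10.0.0.5",          # constructed lines,
              "sentry: scan detected from 192.168.1.7",       # not real sentry or
              "sshd: Failed password for root from 10.0.0.9"]  # sshd output

class Reactor:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        pats = {p.get("id"): re.compile(p.text) for p in root.iter("pattern")}
        ttls = {a.get("id"): int(a.get("ttl")) for a in root.iter("action")}
        self.rules = [(pats[r.get("pattern")], r.get("action"), ttls[r.get("action")]) for r in root.iter("rule")]
        self.exclude = [ipaddress.ip_network(n.text) for n in root.iter("net")]
        self.blocks = {}  # ip -> expiry time; stands in for hosts.deny lines
    def handle(self, line, now):
        # Apply the first matching rule; return the action name or None.
        for regex, action, ttl in self.rules:
            m = regex.search(line)
            if not m:
                continue
            ip = ipaddress.ip_address(m.group(1))
            if any(ip in net for net in self.exclude):
                return "excluded"  # never lock out the excluded hosts
            if action == "deny":
                self.blocks[str(ip)] = now + ttl
            return action
        return None
    def expire(self, now):
        # Forget blocks whose ttl has passed; return the released ips.
        stale = [ip for ip, until in self.blocks.items() if until <= now]
        for ip in stale:
            del self.blocks[ip]
        return stale
```

Run expire() from the same loop that tails the log (or from cron) so stale entries for dynamic addresses are released automatically.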