[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Layering an IDS on Linux - prepwork



>A more sensible approach is to build application profiles like you do
>for SELinux, and build in a mechanism to easily shutdown alerts at the
>root if the admin thinks the specific pattern behavior of an application
>is ok.

SE Linux is one feed of data into the analysis. It does a good job of letting you
know if the program suddenly wants to make syscalls or access resources that it
hasn't in the past.

But some attacks are within the behavior that SE Linux says is OK. At that point
you are relying on other detectors for abnormal conditions like FORTIFY_SOURCE
and stack-protector. This is what I'm really after and not abort() called by
programmers. Its just unfortunate there is not a way to distinguish the two uses.

-Steve


       
____________________________________________________________________________________
Sick sense of humor? Visit Yahoo! TV's 
Comedy with an Edge to see what's on, when. 
http://tv.yahoo.com/collections/222


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]