cdpxe / kspids

A kernel-based IDS for Linux. KSPIDS monitors especially system calls.

Home Page: http://www.wendzel.de/projects/

License: GNU General Public License v3.0

linux kernel ids hids monitoring anomaly-detection host-monitoring linux-security linux-security-module linux-hardening linux-kernel intrusion-detection information-security kernel-hardening kernel-module information-forensics linux-kernel-module security-tools security-hardening user-monitoring

kspids's Introduction

KSPIDS

PoC code for a simple user-based intrusion detection system for the Linux kernel. I wrote this code as an undergraduate student in 2008. It was designed for Linux 2.6. I hope it is still of use.

KSPIDS stands for Kernel Service Profile Intrusion Detection System. It is a kernel code patch for Linux systems that monitors the programs a service user (e.g. www-data) executes. It alerts you if, for example, your www-data user suddenly executes something like /bin/sh. Please note that KSPIDS is based on my other project FUPIDS.

Features

Here is a list of KSPIDS' features:

  • KSPIDS calculates an attacker level for every user (with uid 1...999) on your system. It will alert you via syslog if the attacker level becomes high.
  • KSPIDS keeps a profile of the executables each service account uses. If such a user runs too many new programs within a short time, the attacker level rises. This is done because an attacker could take over the account of a user and then run newly compiled exploits or an editor the normal user never starts.
  • If a user who never did anything before (for example uucp) is now active on your system, KSPIDS will notice and report it.
  • An attacker cannot kill the KSPIDS system because it is kernel code. The attacker also cannot unload it as a kernel module (LKM) because the code is implemented directly in the Linux kernel.
  • KSPIDS is transparent for users, i.e. no user will notice the presence of KSPIDS.

Installation

Patch your kernel with the KSPIDS patch, activate the option "Security / KSPIDS" in your kernel configuration, recompile the kernel, and boot it (but back up your previous kernel first and make sure you can still boot the other kernel in case something goes wrong!).

Results

You need to calibrate KSPIDS via kspids.c. If you skip this step, you may see too many attack warnings or not a single one.

Demo output

Here you can see a typical simulated attack: the user mysql (used to execute the MySQL database daemon) was "exploited" and can now execute something like /bin/echo, which makes KSPIDS print new log messages:

Here you can see how the attacker level decreases after some time due to "normal" behavior:
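The feature list above and the mysql demo scenario describe the same scoring rules: a per-user attacker level for service uids, a profile of known executables, a penalty for new programs that grows when several appear within a short window, decay of the level during "normal" activity, and a notice when a previously inactive account becomes active. The following user-space model is an added example, not the KSPIDS kernel patch itself; the tuning constants (penalties, window length, decay rate, alert threshold), the uids, the executable paths and the event trace are all constructed here, since the real values live in kspids.c and are calibrated per system.

```python
"""User-space model of the KSPIDS scoring rules (added example, not the
project's kernel code).  It replays a constructed trace of exec events and
applies: per-user level for uid 1..999, known-executable profile, burst
penalty for several new programs within a short window, time-based decay,
and a first-activity notice for accounts with no profile.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed tuning constants; in KSPIDS these are calibrated in kspids.c.
SERVICE_UID_MIN, SERVICE_UID_MAX = 1, 999
NEW_PROGRAM_PENALTY = 10   # added for every never-before-seen executable
BURST_WINDOW = 60          # seconds: new programs this close together form a burst
BURST_BONUS = 15           # extra penalty per earlier new program in the window
DECAY_PER_SECOND = 0.5     # level lost per second of elapsed time
ALERT_THRESHOLD = 30       # level at which a syslog-style alert is emitted


@dataclass
class UserState:
    known: Set[str] = field(default_factory=set)   # executables in the profile
    level: float = 0.0                             # current attacker level
    last_seen: Optional[float] = None              # timestamp of last exec
    recent_new: List[float] = field(default_factory=list)  # times of new execs


class KspidsModel:
    def __init__(self, profiles: Dict[int, Set[str]]):
        """profiles maps a service uid to the executables seen during calibration."""
        self.users: Dict[int, UserState] = {
            uid: UserState(known=set(execs)) for uid, execs in profiles.items()
        }
        self.alerts: List[str] = []

    def _log(self, ts: float, msg: str) -> None:
        # The kernel patch reports via syslog; the model collects and prints.
        line = f"[{ts:7.1f}] kspids: {msg}"
        self.alerts.append(line)
        print(line)

    def exec_event(self, ts: float, uid: int, path: str) -> Optional[float]:
        """Apply one exec event; returns the user's level afterwards."""
        if not (SERVICE_UID_MIN <= uid <= SERVICE_UID_MAX):
            return None  # root and regular users are outside the monitored range
        st = self.users.get(uid)
        if st is None:
            # No profile and never seen: the "uucp suddenly active" case.
            st = self.users[uid] = UserState()
            self._log(ts, f"uid {uid} active for the first time (exec {path})")
        # Decay during the time that passed since the last exec of this user.
        if st.last_seen is not None:
            st.level = max(0.0, st.level - (ts - st.last_seen) * DECAY_PER_SECOND)
        st.last_seen = ts
        if path not in st.known:
            st.known.add(path)
            # Drop burst entries that fell out of the window, then penalise.
            st.recent_new = [t for t in st.recent_new if ts - t <= BURST_WINDOW]
            penalty = NEW_PROGRAM_PENALTY + BURST_BONUS * len(st.recent_new)
            st.recent_new.append(ts)
            st.level += penalty
            if st.level >= ALERT_THRESHOLD:
                self._log(ts, f"uid {uid} attacker level {st.level:.1f} "
                              f"after new exec {path}")
        return st.level


# Constructed trace: mysql (uid 27 here) is "exploited" and runs new programs,
# uucp (uid 10 here) has no profile at all, then mysql returns to normal.
EVENTS: List[Tuple[float, int, str]] = [
    (0.0, 27, "/usr/sbin/mysqld"),
    (50.0, 10, "/usr/sbin/uucico"),
    (100.0, 27, "/bin/echo"),
    (105.0, 27, "/bin/cat"),
    (110.0, 27, "/bin/sh"),
    (400.0, 27, "/usr/sbin/mysqld"),
]


def run_demo() -> Tuple[List[Optional[float]], List[str]]:
    """Replay EVENTS; returns the level after each event and the alerts raised."""
    model = KspidsModel({27: {"/usr/sbin/mysqld"}})
    levels = [model.exec_event(ts, uid, path) for ts, uid, path in EVENTS]
    return levels, model.alerts


if __name__ == "__main__":
    lv, _ = run_demo()
    print("levels:", lv)
```

Running it shows the shape of the demo output described above: the first unknown program only nudges the level, the second and third within the burst window push it past the threshold and produce alerts, and by the time mysql executes its usual daemon again 290 seconds later the level has decayed back to zero. The uucp event triggers the first-activity notice but, as a single new program, stays below the threshold.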


kspids's Issues

Question about usage

So, if I wanted to build a system based on the CIS recommendations, this would (eventually) allow me to dispose of the OSSEC HIDS?

Or am I missing the point of this software?

Looks damn interesting though ;-)
