Delirious IDS
Digital Ebola, 7-19-2002

Okay. This is part technical paper, part rant, and part silliness. I am very, very tired. Please forgive me if I get loopy.

I came home today and decided to start kludging together a host-based IDS script. One part tripwire, one part common sense, and one part craziness. I am obviously expecting an attack on one of my boxen at this moment, and because of all the craziness going on with the OpenBSD project as of late, I feel that my paranoia is appropriate. Granted, I will save that discussion for another rant, but let's just say I am not at all pleased with what is one of my favorite operating systems. I don't like OpenBSD for its "security model"; I like it because it's compact and runs well on Sparc architecture. Again, that is another rant. I have lost faith.

As I worked on this mythical IDS script, my thoughts began to wander to kernel trojans and to Tim Lawless's Saint Jude project. So I got a flash of inspiration (or insanity), and I am not sure whether this is an original thought, whether it already exists, or anything. I want to see a host-based IDS built on an artificial-intelligence type model. What I mean by that: I want a HID that is intelligent enough to not only check MD5 sums on certain things, file sizes on other things, AND the presence of certain files, but I also want the thing to defend itself if a breach occurs.

Imagine this: Joe Hax0r Kiddy breaks into your box via a user account. (Damn users! *sigh*, another rant.) Now Joe is working on his root transition. Well, we can detect this. Just ask Lawless. Now imagine the HID fighting back. Joe gains root and starts replacing files. The HID logs into another machine and copies backups into place, ON THE FLY. This gains us several advantages. First, we have a record of the intrusion on an off-site machine. Second, Joe Hax0r Kiddy thinks that he has successfully backdoored the machine. He may just leave the system with that impression.
Third, if this pans out correctly, no future attackers can penetrate the machine after Joe leaves. In essence, the HID is protecting the machine proactively in real time, something an IDS is generally not supposed to be able to do.

A list of features would be as follows:

1. Joe loads a kernel module. HID unloads it. (Time delay?)
2. Joe replaces files. HID replaces files from a known-good backup (off site).
3. Joe pounds at the machine. HID calls for help. (pager, cellphone)
4. Worst case scenario: HID realizes with some unknown logic that it cannot cope with Joe Hax0r Kiddy. HID decides to call for help and shut itself down.
5. Email to all users on the system that data integrity has been lost.
6. HID detects the method of root compromise and searches for a patch on its own. Once it finds a patch, it downloads it and installs it. (CVS?)
7. HID tracks Joe's IP of origin (IP registry, nslookup, traceroute, domain information) and mails this information to an off-site email address.

The main issue here at present would be making this software totally stealthy. Also, we would want to be 100% sure that events are not false positives, which would prompt a crazy HAL-like HID... I believe this last point is quite possible with host-based intrusion detection.

Also, there are several obvious ways to defeat the HID:

1. Know that it is present and unload it. Perhaps have a second module to call for help when this happens?
2. Unknown kernel rootkits.
3. Off-site backup is unreachable.
4. Total loss of network connectivity.

I think that what I am describing is possible. Hell, it might already exist. I have not slept in a long time, and maybe this is having an effect on me. This paper is to provoke discussion, and happy engineering.
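The two core pieces of the sketch above, the tripwire-style check (size, hash, presence) and feature 2 (put the known-good copy back when a watched file changes), are small enough to show end to end. The following is an added example written for this page; it is not Digital Ebola's script and has nothing to do with Saint Jude. It monitors a constructed directory tree, simulates an intruder replacing one file and deleting another, and restores both from a local "backup" directory that stands in for the off-site host. It also answers defeat item 3 in a defensive way: a backup copy is only trusted if it still matches the baseline, so an unreachable or tampered backup leaves the file for a human rather than overwriting it blindly. SHA-256 is used where the text says MD5, for the reason given in the code comment.

```python
"""Minimal host-based integrity monitor in the spirit of the essay:
baseline size + hash + presence of watched files, detect drift, and
restore tampered files from a known-good backup. Hypothetical example;
all paths and file contents are constructed for the demo."""
import hashlib
import os
import shutil
import tempfile

# Files the monitor watches, relative to the monitored root (constructed list).
WATCHED = ["bin/ls", "bin/ps", "etc/passwd"]


def fingerprint(path):
    """Return (size, sha256 hex) for a file, or None if it is absent.
    SHA-256 stands in for the MD5 the essay mentions: MD5 is no longer
    collision resistant, and an integrity check is only as strong as
    the hash an attacker cannot forge."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return (size, h.hexdigest())


def build_baseline(root):
    """Record the known-good state of every watched file."""
    return {rel: fingerprint(os.path.join(root, rel)) for rel in WATCHED}


def check(root, baseline):
    """Compare the live tree to the baseline.
    Returns sorted lists of files that changed and files that vanished."""
    modified, missing = [], []
    for rel, expected in baseline.items():
        current = fingerprint(os.path.join(root, rel))
        if current is None:
            missing.append(rel)
        elif current != expected:
            modified.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing)}


def restore(root, backup_root, baseline, report):
    """Copy known-good files back over anything flagged, but only when the
    backup copy itself still matches the baseline (a missing or poisoned
    backup must not be trusted). Returns the list of files restored."""
    restored = []
    for rel in report["modified"] + report["missing"]:
        src = os.path.join(backup_root, rel)
        if fingerprint(src) != baseline[rel]:
            continue  # backup unreachable or tampered: leave it for a human
        dst = os.path.join(root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
        restored.append(rel)
    return sorted(restored)


def demo():
    """Build a throwaway tree, simulate an intruder, detect, restore, recheck.
    Returns (first report, restored files, second report)."""
    top = tempfile.mkdtemp()
    root = os.path.join(top, "live")
    backup = os.path.join(top, "backup")
    contents = {  # constructed stand-ins for real binaries and config
        "bin/ls": b"ELF ls",
        "bin/ps": b"ELF ps",
        "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    }
    for base in (root, backup):
        for rel, data in contents.items():
            p = os.path.join(base, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
    baseline = build_baseline(root)

    # Simulated tampering: a trojaned ps and a deleted ls.
    with open(os.path.join(root, "bin/ps"), "wb") as f:
        f.write(b"ELF ps with backdoor")
    os.remove(os.path.join(root, "bin/ls"))

    first = check(root, baseline)
    restored = restore(root, backup, baseline, first)
    second = check(root, baseline)
    shutil.rmtree(top)
    return first, restored, second


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would live somewhere the intruder cannot write (read-only media or the off-site host), since a baseline regenerated after the compromise would bless the trojaned files. That is the same trust problem the essay's defeat list points at from the other side.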