freeagent-dev Mailing List for Free Agents DIDS (Page 4)
Status: Pre-Alpha
Brought to you by:
red0x
From: redox a. <re...@us...> - 2001-08-18 23:37:14
Update of /cvsroot/freeagent/agent
In directory usw-pr-cvs1:/tmp/cvs-serv5824
Modified Files:
TODO
Log Message:
Updated TODO, read it plz... --red0x
Index: TODO
===================================================================
RCS file: /cvsroot/freeagent/agent/TODO,v
retrieving revision 1.6
retrieving revision 1.7
diff -C2 -d -r1.6 -r1.7
*** TODO 2001/08/06 09:02:06 1.6
--- TODO 2001/08/18 23:37:12 1.7
***************
*** 4,22 ****
net module:
1. implement encrypted communication using aes module for agent-to-agent comms
aes module:
! 2. Fix Twofish encryption problem
ids module:
! 3. use stuff from snort to check packet contents against rules files.
conf module:
! 4. make a module that will read a conf file and be able to change ALL
! run time options... ;)
log module:
! 5. create a logging module to send stuff to syslog (ie, alerts) and to
! be able to keep encrypted logs, log to a database server (my sql), etc.
That is about it guys, then we will have version 1.0a! Lets go!
--- 4,44 ----
net module:
+ 1. test packet capture for packet loss and patch in a fix.
+ 2. pass off all interesting packets (defined in the conf file, TBD later)
+ 2a. for now, just make a way for the net module to pass off only certain
+ packets to the ids module.
+ 3. (mostly done?) pass off all ACP protocol IP packets to the comm module.
+
+ comm module:
1. implement encrypted communication using aes module for agent-to-agent comms
+ 2. draw out a more complete agent-to-agent communication protocol.
+ 3. test packet capture queue for packet loss and patch in a fix.
+
aes module:
! 1. outsourced to aeslib (http://sf.net/projects/aeslib). will soon be removed and
! will have aeslib (libaes) added as a required library. If you are interested
! in helping with aeslib, look at that project's TODO file.
ids module:
! 1. use stuff from snort to check packet contents against rules files(?)
! 2. implement a facility for keeping state files so that anomaloy learning
! does not restart after each reboot/crash/kill.
conf module:
! 1. make a module that will read a conf file and be able to change ALL
! run time options
! 2. make a few exported functions to return linked lists to packet types
! to pass to ids module (ids_packets), etc.
! 3. go through source code and draw up a list of things that CAN be changed
! at run time.
! 4. implement a facility to check these variables (#3) at run time.
log module:
! 1. create a logging module to send stuff to syslog (ie, alerts) and to
! be able to keep encrypted logs, log to a database server (MySQL), etc.
! 2. implement a facility, using libaes, to keep encrypted logs and write
! a program (passwd protected, or only runable by root, etc...) that
! will be able to read and parse these logs.
That is about it guys, then we will have version 1.0a! Lets go!
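Review bot: the same task is listed under two modules in this hunk, "+ 1. test packet capture for packet loss and patch in a fix." under net and "+ 3. test packet capture queue for packet loss and patch in a fix." under comm; give the capture queue one owner and drop the other entry, otherwise the fix is tracked twice and each module may assume the other is doing it. Log module item 2 makes the reader "passwd protected, or only runable by root" but says nothing about where the libaes key for the encrypted logs is kept or who can read it, and that decides who can read the logs regardless of the reader program; add key storage to the item. Spelling: "anomaloy", "runable".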
***************
*** 28,32 ****
log module:
! 2. perhaps put off the mysql support until here...
--red0x
--- 50,54 ----
log module:
! 1. perhaps put off the mysql support until here...
--red0x
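Review bot: after this renumbering the later section still defers MySQL ("! 1. perhaps put off the mysql support until here...") while the first hunk's log module item 1 keeps "log to a database server (MySQL)" in the 1.0a list; remove the MySQL mention from one of the two so the TODO does not both schedule and defer it.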

From: redox a. <re...@us...> - 2001-08-07 22:00:30

Update of /cvsroot/freeagent/agent/doc
In directory usw-pr-cvs1:/tmp/cvs-serv16156/doc
Added Files:
ids_rules.txt
Log Message:
added IDS rules
--- NEW FILE: ids_rules.txt ---
ids_rules.txt - red0x <re...@us...>

IDS Rules Specifications:

rule file header lines:
    log: [log directory, linux format]
    state: [path to the state file, where anomaly ratings are stored]

rule format:
    type thres init protocol traffic action

type can be:
    wait - wait for activation, then do kewl stuff.. (TBD?)
    dynamic - anomaly rating changes with traffic
    static - anomaly rating is static

thres is:
    threshold above which action is triggered.
    less here means for alert/false positives.

init:
    initial anomaly value, ignored if state file exists, yet required

protocol can be:
    ip, tcp, udp, icmp, arp, rarp

traffic looks like this:
    src_ip/net src_prt [direction] dst_ip/net dst_prt

    src_ip/net & dst_ip/net are like this:
        192.168.1.* (subnet) or 192.168.1.1/24 (subnet) or 192.168.1.1 (host)
    src_prt & dst_prt are like this:
        53 (single), 1:1024 (range), :65535 (anything equal or lesser than 65535),
        1: (anything equal or greater than 1), !600:601 (everything but 600-601)
    direction can be:
        -> (incoming)
        <- (outgoing)
        <> (either/both)

action can be:
    log : generate a log
    alert: generate an alert
    blackhole: alert, then blackhole offending host
    kill: alert, then take compromised host offline (ie, for good root connections to rsh)
    ignore: just ignore it (needed?)
    activate: activate a wait rule (TBD?)
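As an added example, not code from the Free Agents project: a C parser and matcher for the rule grammar above, run over a constructed packet stream. Everything the spec leaves open is this example's assumption: a missing direction token is read as "<>", "->" as src-to-dst as written and "<-" as the reverse, protocol "ip" matches any packet, a dynamic rule's rating rises by one per match with no state file consulted, and the action fires once the rating exceeds thres.

```c
/* Added example, not Free Agents code: parse and match rules in the ids_rules.txt format. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
struct portspec { int lo, hi, negate; };   /* 53, 1:1024, :65535, 1:, !600:601 */
struct netspec  { uint32_t addr, mask; };  /* 192.168.1.*, 192.168.1.1/24, 192.168.1.1 */
struct rule { char type[8], proto[8], dir[4], action[16]; int thres, init, rating;
              struct netspec src, dst; struct portspec sport, dport; };
struct pkt { const char *proto; uint32_t src, dst; int sport, dport; };
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* "53", "1:1024", ":65535" (0..65535), "1:" (1..65535), "!600:601" (everything but). */
static int parse_ports(const char *s, struct portspec *p)
{
    const char *colon;
    if ((p->negate = (*s == '!'))) s++;
    if ((colon = strchr(s, ':')) == NULL) p->lo = p->hi = atoi(s);
    else { p->lo = (colon == s) ? 0 : atoi(s); p->hi = (colon[1] == '\0') ? 65535 : atoi(colon + 1); }
    return (p->lo >= 0 && p->hi <= 65535 && p->lo <= p->hi) ? 0 : -1;
}
/* "192.168.1.*" (trailing wildcard octets), "a.b.c.d/prefix", or a single host "a.b.c.d". */
static int parse_net(const char *s, struct netspec *n)
{
    char buf[32], *tok, *slash;
    int prefix = 32, octets = 0, fixed = 0, star = 0; uint32_t addr = 0;
    if (strlen(s) >= sizeof buf) return -1; strcpy(buf, s);
    if ((slash = strchr(buf, '/')) != NULL) { *slash = '\0'; prefix = atoi(slash + 1); }
    for (tok = strtok(buf, "."); tok != NULL; tok = strtok(NULL, ".")) {
        if (++octets > 4) return -1;
        addr <<= 8;
        if (strcmp(tok, "*") == 0) { star = 1; continue; }
        if (star) return -1;                   /* a number after "*" is malformed */
        addr |= (uint32_t)(atoi(tok) & 0xff);
        fixed++;
    }
    if (star) prefix = 8 * fixed;              /* "192.168.1.*" is a /24 */
    if (octets != 4 || prefix < 0 || prefix > 32) return -1;
    n->mask = (prefix == 0) ? 0 : 0xffffffffu << (32 - prefix);
    n->addr = addr & n->mask;                  /* "192.168.1.1/24" keys on the subnet */
    return 0;
}
/* "type thres init protocol src_net src_prt [direction] dst_net dst_prt action" */
static int parse_rule(const char *line, struct rule *r)
{
    char buf[256], *t[10], *tok; int n = 0, d;
    if (strlen(line) >= sizeof buf) return -1; strcpy(buf, line);
    for (tok = strtok(buf, " \t\n"); tok != NULL && n < 10; tok = strtok(NULL, " \t\n")) t[n++] = tok;
    if (tok != NULL || (n != 9 && n != 10)) return -1;
    d = (n == 10);                             /* optional direction token present? */
    memset(r, 0, sizeof *r);
    snprintf(r->type, sizeof r->type, "%s", t[0]);
    r->thres = atoi(t[1]); r->init = r->rating = atoi(t[2]);   /* no state file consulted here */
    snprintf(r->proto, sizeof r->proto, "%s", t[3]);
    snprintf(r->dir, sizeof r->dir, "%s", d ? t[6] : "<>");   /* assumed default: either way */
    snprintf(r->action, sizeof r->action, "%s", t[8 + d]);
    if (parse_net(t[4], &r->src) || parse_ports(t[5], &r->sport)) return -1;
    if (parse_net(t[6 + d], &r->dst) || parse_ports(t[7 + d], &r->dport)) return -1;
    if (strcmp(r->type, "wait") && strcmp(r->type, "dynamic") && strcmp(r->type, "static")) return -1;
    return (strcmp(r->dir, "->") && strcmp(r->dir, "<-") && strcmp(r->dir, "<>")) ? -1 : 0;
}
static int in_net(const struct netspec *n, uint32_t ip) { return (ip & n->mask) == n->addr; }
static int in_ports(const struct portspec *p, int port)
{ int hit = port >= p->lo && port <= p->hi; return p->negate ? !hit : hit; }
static int side(const struct rule *r, uint32_t s, int sp, uint32_t d, int dp)   /* s:sp -> d:dp */
{ return in_net(&r->src, s) && in_ports(&r->sport, sp) && in_net(&r->dst, d) && in_ports(&r->dport, dp); }
/* "->" is read as src-to-dst as written, "<-" as the reverse, "<>" as either (this example's
 * reading of incoming/outgoing); protocol "ip" matches any packet. */
static int rule_matches(const struct rule *r, const struct pkt *p)
{
    int fwd = side(r, p->src, p->sport, p->dst, p->dport), rev = side(r, p->dst, p->dport, p->src, p->sport);
    if (strcmp(r->proto, "ip") != 0 && strcmp(r->proto, p->proto) != 0) return 0;
    return strcmp(r->dir, "->") == 0 ? fwd : strcmp(r->dir, "<-") == 0 ? rev : (fwd || rev);
}
/* Feeds one packet; returns 1 when the action should fire (rating above thres). Dynamic: +1 per match (assumed). */
static int rule_feed(struct rule *r, const struct pkt *p)
{
    if (!rule_matches(r, p)) return 0;
    if (strcmp(r->type, "dynamic") == 0) r->rating++;
    return r->rating > r->thres;
}
static const struct pkt SAMPLE_PKTS[] = {     /* constructed sample traffic, not captured data */
    { "tcp", IP4(192,168,1,5), IP4(10,0,0,1),     1023,  514 },
    { "tcp", IP4(10,0,0,1),    IP4(192,168,1,5),   514, 1023 },
    { "udp", IP4(192,168,1,7), IP4(10,0,0,9),       53,  600 },
    { "tcp", IP4(192,168,1,7), IP4(10,2,3,4),    40000,   80 },
    { "tcp", IP4(192,168,1,9), IP4(10,0,0,1),       22,  514 },
    { "tcp", IP4(192,168,1,9), IP4(10,0,0,1),       22,  601 },
};
#define SAMPLE_N ((int)(sizeof SAMPLE_PKTS / sizeof SAMPLE_PKTS[0]))
/* Parses one rule line and runs a packet stream through it; returns how many packets
 * fired the action, or -1 if the line does not parse. */
static int count_fires(const char *line, const struct pkt *pkts, int n)
{
    struct rule r; int i, fires = 0;
    if (parse_rule(line, &r) != 0) return -1;
    for (i = 0; i < n; i++) fires += rule_feed(&r, &pkts[i]);
    return fires;
}
```

count_fires is the entry point: on the sample stream, `static 0 1 tcp 192.168.1.* 1:1024 -> 10.0.0.1 514 alert` fires on the two packets to port 514 from the 192.168.1.0/24 low-port range, while `dynamic 3 0 tcp 192.168.1.1/24 :65535 <> 10.0.0.0/8 !600:601 log` only fires once its rating has climbed past 3, on the fifth packet. parse_rule rejects lines with the wrong token count or an unparseable net or port spec, which is the check a conf module should make before a rule is loaded rather than at match time.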

From: red0x <re...@us...> - 2001-08-07 13:18:13

Here's my plan:

1. I'm ready for some serious work, so send me tasks, ask me questions, and stay on my case until I answer/get it done...

2. AES and Net modules are close to finished... ;) Turns out the Net module (as of now) will not handle interagent communications. The Comm module will handle that. Also, I started defining a protocol to be used under IP (or TCP, if LibNet doesn't work out, either way, it's easy to switch) called ACP (agent communication protocol). Here is an acphdr structure:

    struct acphdr {
        /* id/routing info */
        _aid from, to;          /* unique to each agent process */
        _aid fpid, tpid;        /* pid of agent processes, for killing purposes */
        unsigned long int len;  /* total length (hdr + data) of packet from hdr on */
        unsigned short type;    /* type of packet */
        unsigned short code;    /* packet code */
        unsigned short cksum;   /* RFC 1071, or cryptographic, TBD */
    };

3. I need help with a few road blocks:
   a. Twofish crypto breaks in the AESTEST at startup.
   b. Lots of the modules are sloppy (sorry), I need help cleaning them up.
   c. A module api (like kernel modules) would be nice, maybe something that supports dynamic module loading and unloading at runtime... see what you guys can come up with.

4. Net module will handle packet signature checks, while ids module will handle user tracking and host-based stuff.. kewl?

This will be posted on the mailing list, please monitor this forum (freeagent-dev)

--red0x
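The acphdr above, as an added example that is not the project's code: the fields are serialized big-endian with fixed-width types (the message's `unsigned long`/`unsigned short` are replaced by uint32_t/uint16_t and `_aid` is given an assumed uint32_t typedef, so the wire size is the same on every platform), the cksum field is filled with the RFC 1071 sum the comment names, and the receive side checks that the declared len equals the bytes actually received before anything else reads the packet. The caveat the comment itself raises still stands: an RFC 1071 sum catches corruption, not a peer that rewrites the packet and recomputes it, so authenticity between agents has to come from the encrypted channel the comm module items call for.

```c
/* Added example, not Free Agents code: acphdr with fixed-width fields, serialized
 * big-endian, with the RFC 1071 checksum the cksum comment mentions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint32_t _aid;            /* assumed: the message does not show how _aid is defined */

struct acphdr {
    _aid from, to;                /* unique to each agent process */
    _aid fpid, tpid;              /* pid of agent processes, for killing purposes */
    uint32_t len;                 /* total length (hdr + data) of packet from hdr on */
    uint16_t type;                /* type of packet */
    uint16_t code;                /* packet code */
    uint16_t cksum;               /* RFC 1071 over hdr + data, zero while summing */
};
#define ACP_HDRLEN 26             /* 4 ids + len + type + code + cksum on the wire */
#define ACP_CKSUM_OFF 24

static void put32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v; }
static uint32_t get32(const uint8_t *p)
{ return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* RFC 1071: ones-complement sum of 16-bit words, carries folded back in, then inverted. */
static uint16_t rfc1071_sum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) { sum += (uint32_t)p[0] << 8 | p[1]; p += 2; len -= 2; }
    if (len == 1) sum += (uint32_t)p[0] << 8;          /* odd trailing byte, zero padded */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Serializes hdr + data into out and fills in cksum. Returns bytes written, or -1 if it does not fit. */
static int acp_build(const struct acphdr *h, const uint8_t *data, size_t dlen, uint8_t *out, size_t cap)
{
    size_t total = ACP_HDRLEN + dlen;
    if (total > cap || total > 0xffffffffu) return -1;
    put32(out + 0, h->from);   put32(out + 4, h->to);
    put32(out + 8, h->fpid);   put32(out + 12, h->tpid);
    put32(out + 16, (uint32_t)total);
    put16(out + 20, h->type);  put16(out + 22, h->code);
    put16(out + ACP_CKSUM_OFF, 0);
    memcpy(out + ACP_HDRLEN, data, dlen);
    put16(out + ACP_CKSUM_OFF, rfc1071_sum(out, total));
    return (int)total;
}

/* Receive side: the declared len must equal the bytes actually received, so a peer cannot
 * make later parsing read past the buffer, and the checksum must verify (summing a packet
 * with its cksum in place yields 0). Returns 0 ok, -1 bad length, -2 bad checksum. */
static int acp_verify(const uint8_t *pkt, size_t got, struct acphdr *h)
{
    if (got < ACP_HDRLEN || get32(pkt + 16) != got) return -1;
    if (rfc1071_sum(pkt, got) != 0) return -2;
    h->from = get32(pkt);      h->to = get32(pkt + 4);
    h->fpid = get32(pkt + 8);  h->tpid = get32(pkt + 12);
    h->len = get32(pkt + 16);
    h->type = get16(pkt + 20); h->code = get16(pkt + 22); h->cksum = get16(pkt + 24);
    return 0;
}

/* RFC 1071's own worked example: these bytes sum to 0xddf2, so the checksum is 0x220d. */
static const uint8_t RFC1071_VEC[8] = { 0x00, 0x01, 0xf2, 0x03, 0xf4, 0xf5, 0xf6, 0xf7 };

/* Round trip on a constructed packet: returns 1 when a good packet verifies, a truncated
 * copy is rejected on length, and a one-byte payload flip is rejected on checksum. */
static int acp_demo(void)
{
    struct acphdr h = { 1, 2, 1234, 5678, 0, 1, 0, 0 }, back;
    uint8_t buf[64];
    int n = acp_build(&h, (const uint8_t *)"hello", 5, buf, sizeof buf);
    if (n != ACP_HDRLEN + 5 || acp_verify(buf, (size_t)n, &back) != 0 || back.tpid != 5678) return 0;
    if (acp_verify(buf, (size_t)n - 1, &back) != -1) return 0;
    buf[ACP_HDRLEN] ^= 0x01;
    return acp_verify(buf, (size_t)n, &back) == -2;
}

int main(void)
{
    printf("rfc1071 vector: 0x%04x (expect 0x220d)\n", rfc1071_sum(RFC1071_VEC, sizeof RFC1071_VEC));
    printf("acp demo: %s\n", acp_demo() ? "ok" : "FAILED");
    return 0;
}
```

acp_verify is the only function that trusts the wire len field, and it does so only after comparing it with the byte count the socket actually delivered; that ordering is what keeps a short or oversized len from turning into an out-of-bounds read in whatever parses the payload next.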

From: swaraj <sw...@vi...> - 2001-08-03 04:39:27

Well I am working on a neural net implementation for the ids engine, should be able to show some code in a week's time. Well, we can discuss lots of issues if someone like rednox takes an active stand. I am neck deep :) hope that's enough.

swaraj

-----Original Message-----
From: red0x <re...@us...>
To: Free Agents NIDS Dev List <fre...@li...>
Date: Friday, August 03, 2001 7:25 AM
Subject: [Freeagent-dev] Continuing Work

Non Archived, Real Time Mailing List
_______________________________________________
Hey all, anyone interested in continuing work, I (red0x) am ready for some serious action. Lemme know if you are in or out (not responding = out).

--red0x

_______________________________________________
Freeagent-dev mailing list
Fre...@li...
http://lists.sourceforge.net/lists/listinfo/freeagent-dev

From: swaraj <sw...@la...> - 2001-08-03 04:33:59

Well I am working on a neural net implementation for the ids engine, should be able to show some code in a week's time. Well, we can discuss lots of issues if someone like rednox takes an active stand. I am neck deep :) hope that's enough.

swaraj

-----Original Message-----
From: red0x <re...@us...>
To: Free Agents NIDS Dev List <fre...@li...>
Date: Friday, August 03, 2001 7:25 AM
Subject: [Freeagent-dev] Continuing Work

Hey all, anyone interested in continuing work, I (red0x) am ready for some serious action. Lemme know if you are in or out (not responding = out).

--red0x

From: Sean B. <scb...@md...> - 2001-08-03 02:56:18

Yeah, I can work on some things. I just need to get organized. I'll be in training for CISSP for the next two weeks, and grad school starts back up the last week of August. However, if we are organized, I'm sure we can get this thing off the ground. Just point me in the right direction :)

Regards,
scbaumann

----- Original Message -----
From: "red0x" <re...@us...>
To: "Free Agents NIDS Dev List" <fre...@li...>
Sent: Thursday, August 02, 2001 8:55 PM
Subject: [Freeagent-dev] Continuing Work

> Hey all, anyone interested in continuing work, I (red0x) am ready for some
> serious action.
>
> Lemme know if you are in or out (not responding = out).
>
> --red0x

From: red0x <re...@us...> - 2001-08-03 00:57:32

Hey all, anyone interested in continuing work, I (red0x) am ready for some serious action. Lemme know if you are in or out (not responding = out).

--red0x

From: Confidential <re...@us...> - 2001-05-23 19:28:49

Fine by me. :)

-red0x

-----Original Message-----
From: fre...@li... [mailto:fre...@li...] On Behalf Of Mixter
Sent: Wednesday, May 23, 2001 11:57 AM
To: fre...@li...
Subject: [Freeagent-dev] Re: Freeagent-dev digest, Vol 1 #5 - 1 msg

Hey red0x, I didn't forget about you and DIDS. I'm busy but not too busy to help in your project. However, I'm now developing an IDS (SASS) for my company as well, and there are a few restrictions because of my contract. I can't give you totally new ideas or help with the concept, but I can help you with Q&A, evaluating ideas, and certainly with implementing parts of code you have technical specs about. Hope that's okay for you - I'm ready to continue developing.

Mixter

From: Mixter <mi...@2x...> - 2001-05-23 18:57:47

Hey red0x, I didn't forget about you and DIDS. I'm busy but not too busy to help in your project. However, I'm now developing an IDS (SASS) for my company as well, and there are a few restrictions because of my contract. I can't give you totally new ideas or help with the concept, but I can help you with Q&A, evaluating ideas, and certainly with implementing parts of code you have technical specs about. Hope that's okay for you - I'm ready to continue developing.

Mixter

From: Confidential <re...@us...> - 2001-05-22 09:29:26

Hey guys,

Anyone currently on the team who is still inactive come June 5th will be permanently removed. No idle hands. We need to get started. Mixter and Davis, you guys ready to get a DIDS working?

Anyone not on the team who is interested in hard work helping out network coders create the ultimate security tool may feel free to email me at re...@us... with your handle. I will give you each one week to show some promise. That should be good.

Please respond if you are still on the team, or are interested in joining. Also, anyone who fits the above description, please monitor all the forums.

-red0x

From: Ryan Du B. <rj...@mi...> - 2001-01-10 07:57:27

Hey Guys,

If you haven't already, monitor the open discussion forum and developer's forum. Also, check the open discussion forum, design decisions going on RIGHT NOW!

https://sourceforge.net/forum/message.php?msg_id=94084

red0x

From: Ryan Du B. <rj...@mi...> - 2000-12-18 03:48:22

Here is the code I released on the site, if you didn't get it yet... :O)

red0x

From: Sean C. B. <scb...@gs...> - 2000-12-17 01:38:34

This sounds excellent. The only other things I would love to see this IDS be able to do:
1) Keep state (a la checkpoint). It could keep some sort of connection table so it knows if packets belong to an on-going connection.
2) Detect overlapping fragments, and any other fragmentation attack.
3) Rules based on size of header. We should alert on any IP header that has any options set.

Regards,
scbaumann

----- Original Message -----
From: <mi...@2x...>
To: <fre...@li...>
Sent: Saturday, December 16, 2000 6:53 AM
Subject: [Freeagent-dev] some project ideas

> hi all,
>
> red0x asked me to help a bit with the design ideas... I think it's
> important to define some basic things to base all the IDS features on
> before we start developing them. We should define the rulesets,
> and make some functions to read, store and process them..
> they should be as flexible as possible, here are my ideas:
>
> 1) common flags accept/deny/reject/alert/forward/autoblock
> that can be combined in logical ways
> 2) port ranges (or single ports or all ports) for udp/tcp, both dest and src
> 3) protocol, of course, and some significant values in the headers
> (like snort has)
> 4) source and destination IP addresses, or address ranges, or wildcards
> (we could rip NMAP's implementation for this), and maybe ipv6 addresses?
> 5) optionally, a pattern found in the payload of the packet; only if the
> pattern is found, the rule applies
> 6) optionally, a bandwidth limitation for the matching rule, e.g. hits to the
> rule per second, per minute and so on.. can be useful against DoS etc.
> 7) either seriousness levels from 1-10 that apply if the rule is matched,
> or heuristic flags like some virus scanners have (separate flags for e.g.
> backdoor traffic, exploit attempt traffic, port scan traffic, DoS traffic...)
>
> ..what do you think?
>
> ________________________
> mi...@ne...
> http://mixter.warrior2k.com
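Points 2 and 3 of the reply above, as an added example that is not the project's code: a small fragment tracker in C that flags an IPv4 fragment whose byte range overlaps a range already seen for the same (src, dst, id) triple, and counts headers whose IHL exceeds 5, that is, headers carrying options. The fragments are constructed records of the relevant header fields rather than parsed packets; the fixed table sizes and the absence of eviction are this example's simplifications.

```c
/* Added example, not Free Agents code: overlapping-fragment and IP-options checks
 * over constructed fragment records (header fields only, no packet parsing). */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

struct frag {
    uint32_t src, dst;
    uint16_t id;        /* identification: ties the fragments of one datagram together */
    uint8_t  ihl;       /* header length in 32-bit words; 5 means no options */
    uint16_t off;       /* fragment offset in 8-byte units, as carried in the header */
    uint16_t len;       /* payload bytes in this fragment */
    int      mf;        /* more-fragments flag */
};

#define MAX_DGRAMS 16
#define MAX_PIECES 32
struct dgram { uint32_t src, dst; uint16_t id; int n; uint32_t lo[MAX_PIECES], hi[MAX_PIECES]; };
struct tracker { struct dgram d[MAX_DGRAMS]; int n, overlaps, options; };

/* Finds the datagram a fragment belongs to (src, dst, id), creating it if needed. */
static struct dgram *find_dgram(struct tracker *t, const struct frag *f)
{
    int i;
    for (i = 0; i < t->n; i++)
        if (t->d[i].src == f->src && t->d[i].dst == f->dst && t->d[i].id == f->id) return &t->d[i];
    if (t->n == MAX_DGRAMS) return NULL;       /* table full: a real IDS would evict by age */
    memset(&t->d[t->n], 0, sizeof t->d[t->n]);
    t->d[t->n].src = f->src; t->d[t->n].dst = f->dst; t->d[t->n].id = f->id;
    return &t->d[t->n++];
}

/* Returns 1 if this fragment overlaps a byte range already seen for the same datagram,
 * 0 otherwise, -1 if the table is full. Also counts headers that carry options. */
static int track_fragment(struct tracker *t, const struct frag *f)
{
    struct dgram *d;
    uint32_t lo = (uint32_t)f->off * 8, hi = lo + f->len;
    int i, clash = 0;

    if (f->ihl > 5) t->options++;              /* "alert on any IP header that has any options set" */
    if (f->off == 0 && !f->mf) return 0;       /* not fragmented */
    if ((d = find_dgram(t, f)) == NULL) return -1;
    for (i = 0; i < d->n; i++)
        if (lo < d->hi[i] && d->lo[i] < hi) clash = 1;   /* the two byte ranges intersect */
    if (d->n < MAX_PIECES) { d->lo[d->n] = lo; d->hi[d->n] = hi; d->n++; }
    if (clash) t->overlaps++;
    return clash;
}

/* Constructed stream: datagram 1 is a clean three-piece split; datagram 2's second piece
 * starts at byte 800, inside the first piece; datagram 3 is an unfragmented packet with options. */
static const struct frag SAMPLE_FRAGS[] = {
    { 0x0a000001, 0x0a000002, 1, 5,   0, 1480, 1 },
    { 0x0a000001, 0x0a000002, 1, 5, 185, 1480, 1 },
    { 0x0a000001, 0x0a000002, 1, 5, 370,  100, 0 },
    { 0x0a000001, 0x0a000002, 2, 5,   0, 1480, 1 },
    { 0x0a000001, 0x0a000002, 2, 5, 100, 1480, 0 },   /* offset 100*8 = 800 < 1480: overlap */
    { 0x0a000003, 0x0a000002, 3, 6,   0,   64, 0 },   /* ihl 6: options present */
};
#define SAMPLE_N ((int)(sizeof SAMPLE_FRAGS / sizeof SAMPLE_FRAGS[0]))

/* Runs the sample through a fresh tracker; returns the overlap count, leaves options in t. */
static int run_sample(struct tracker *t)
{
    int i;
    memset(t, 0, sizeof *t);
    for (i = 0; i < SAMPLE_N; i++) track_fragment(t, &SAMPLE_FRAGS[i]);
    return t->overlaps;
}
static int demo_overlaps(void) { struct tracker t; return run_sample(&t); }
static int demo_options(void)  { struct tracker t; run_sample(&t); return t.options; }

int main(void)
{
    struct tracker t;
    int overlaps = run_sample(&t);
    printf("overlapping fragments: %d, headers with options: %d\n", overlaps, t.options);
    return 0;
}
```

The overlap test is deliberately range-based rather than offset-equality: a retransmitted identical piece, a piece that starts inside an earlier one, and a piece that swallows an earlier one all intersect, so all three are reported, which is the conservative choice for a detector (the reassembly policy that decides which bytes win is a separate question the page does not settle).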

From: <mi...@2x...> - 2000-12-16 11:49:42

hi all,

red0x asked me to help a bit with the design ideas... I think it's important to define some basic things to base all the IDS features on before we start developing them. We should define the rulesets, and make some functions to read, store and process them.. they should be as flexible as possible, here are my ideas:

1) common flags accept/deny/reject/alert/forward/autoblock that can be combined in logical ways
2) port ranges (or single ports or all ports) for udp/tcp, both dest and src
3) protocol, of course, and some significant values in the headers (like snort has)
4) source and destination IP addresses, or address ranges, or wildcards (we could rip NMAP's implementation for this), and maybe ipv6 addresses?
5) optionally, a pattern found in the payload of the packet; only if the pattern is found, the rule applies
6) optionally, a bandwidth limitation for the matching rule, e.g. hits to the rule per second, per minute and so on.. can be useful against DoS etc.
7) either seriousness levels from 1-10 that apply if the rule is matched, or heuristic flags like some virus scanners have (separate flags for e.g. backdoor traffic, exploit attempt traffic, port scan traffic, DoS traffic...)

..what do you think?

________________________
mi...@ne...
http://mixter.warrior2k.com