Hi, team. For now I want to get your opinions about the security agent. What is your vision of this part of the IDS? Is it a service/daemon or other tools? What communications do you want to use? etc. I will start the discussion based on your opinions. Feel free to take part in the discussion.
Hi all,
I think the agent should be like a simple IDS. If we choose this way we can gain 3 advantages:
1. We can start programming now. Because it is a simple IDS, it is independent of other parts.
2. If for some unknown reason we have to stop the project, in the case that the Agent is finished, it can be used by others for other purposes (continuing development, implementing ...). And it is still valuable.
3. We can add something like plugins to the Agent, so the Agent will have dynamic functions.
The communication for the agents needs more attention. I don't think it's the time to check it, because in order to do so we need to know what it will communicate with: other independent agents, a monitor, or a monitor for mobile agents. BTW, I think mobile agents, or single agents only reporting to a higher entity, will be the best, and if this is so it could be done over encrypted TCP/IP, or maybe it should detect if it needs an IPC method and switch to it if necessary. Personally I prefer encrypted TCP/IP.
Could someone post pros and cons about Mobile Agents and Static Agents?
We will develop the dynamic Agent (as per Shyaam's comment),
And the coding scenario is like:
( My thinking: mobile Agent = static Agent + some specially extended functions. So we can build the static version first and then add more functions to make it dynamic)
+ I, Omael, Vladislav and others focus on the static version
+ Shyaam (and others if needed) keeps track of our coding process so that more dynamic functions can be added to the Agent in the future.
SnaiL:
Ok. I will do it.
Phiphu2002:
it is better
SnaiL:
Ok. Maybe it is better to post all our discussion?
SnaiL:
I will be back momentarily
SnaiL:
Fucked Windows, I need to reboot again. ) Sorry
Phiphu2002:
yes, thanks, and can you post your thinking to the forum?
SnaiL:
Sure, for now we need to implement the base ideas.
Phiphu2002:
I think we can leave them for further extension, could we do that?
SnaiL:
For now - here. BTW, while rebooting, my hungry mind started thinking. As concerns libpcap, traffic monitoring etc.: there is a set of good tools to monitor the network and detect traffic usage. If you know some technologies to detect trojans working on a machine by analyzing traffic, we can integrate our IDS with those tools and apply some filters.
Phiphu2002:
for the agent?
Phiphu2002:
should we declare a conclusion here?
Phiphu2002:
ok, so now we should declare a conclusion.
SnaiL:
I don't think so. I am working on a commercial IDS and know a couple of similar packages. They are all closed-source, old technology, etc.
Phiphu2002:
but it is true that there are so many information sources today, so we do not need to contribute another one.
SnaiL:
I need to go, but shall be back in 5 minutes.
SnaiL:
I think a firewall is required on all enterprise stations, on all computers in the company, etc.
Phiphu2002:
oh, you did not say that we build the agent over a strong PC with a personal firewall
SnaiL:
you can't analyze enterprise intrusions with libpcap... BTW, libpcap is too slow and not so powerful. Using pcap will increase performance!
SnaiL:
libpcap is a small solution to detect network TCP/UDP attacks, for example... But it is better to use a firewall and analyze the firewall logs. If the firewall is corrupted, report it. Otherwise it will not allow a hacker to access the system.
Phiphu2002:
application log and libpcap.
Phiphu2002:
that is not my meaning, I would like to combine the two solutions.
SnaiL:
analyze all network packets, detect mail packets, collect all of them together and analyze them with an email antivirus?
SnaiL:
For example, I get a virus on my Windows machine by email. How can you detect it with libpcap?
SnaiL:
Oh, it is not a solution at all.
Phiphu2002:
capture it on the network interface
Phiphu2002:
capture it
Phiphu2002:
I mean libpcap it
SnaiL:
what does it mean to harvest data on the system interface?
Phiphu2002:
We harvest the raw data on the system interface.
SnaiL:
BTW, could you provide me with the best solution for how we can detect an intrusion into the application without log analysis?
SnaiL:
for example, send an SMS to the system administrator
SnaiL:
Oh oh... I know your question: he can attack the machine, make an intrusion and immediately change the logs, delete them, etc. For this purpose we will use a real-time event source. The solution for Unix is to write a module for syslog and immediately notify the IDS system with the intrusion information.
Phiphu2002:
I can only change the syslog configuration file
Phiphu2002:
very easy in Linux or Unix
SnaiL:
You will do that? Or a mad hacker? If it is a mad hacker, how can he do it? Only by intruding into the system first, and we will detect that.
SnaiL:
What is the way to make changes to the log files?
SnaiL:
))
Phiphu2002:
someone can easily make some changes to the application in order to produce wrong logs, and for example in the case of my computer I can harvest logs from Windows only, but the intruder can intrude from another application (e.g. from a vulnerability in Yahoo Messenger)
SnaiL:
not connect, collect... mistake
SnaiL:
But the agent will collect only well-known logs with modules. One module per application.
Phiphu2002:
it is not real raw data
Phiphu2002:
I mean that it is real raw data
SnaiL:
Sure, we need to trust application vendors. It is the only way to integrate with them.
SnaiL:
To detect intrusions we need to analyze application log files. To do that we need to have those logs. To get them we need to communicate with the agent. Nothing more.
Phiphu2002:
so we have to trust the application vendor to produce the logs
SnaiL:
yeah!
Phiphu2002:
and the main function of the agent is collecting logs from local applications, is that true?
SnaiL:
No, because of resource economy, the client (audited machine with agent) may not do anything, but the server is very powerful; it will decompress the archived raw data and parse it.
Phiphu2002:
does the agent need to pre-process the raw data in a simple way (e.g. simple pattern searching, or simple data sorting)?
SnaiL:
I know. To transfer it to the server we also need to compress it.
Phiphu2002:
that's fine
SnaiL:
a log file where the log format is not changed; keep it original, as the application wrote it.
Phiphu2002:
what does the raw data look like?
SnaiL:
The Agent should be a solution to get raw data (logs in their original format) from the machine where the agent is installed (applications installed on that machine).
Phiphu2002:
it is not a strange question, because from the server functions and the types of information transferred we can infer what the agent should be
SnaiL:
Anything?
SnaiL:
Oh, it is a separate topic. We need to design a communication standard. In my view:
1) provide the server with information about what modules are installed on the agent.
2) provide the server with the ability to install/uninstall agents remotely (for example from a management console)
3) provide the server with the ability to execute modules (collect raw data) and send the result of that work
Phiphu2002:
in the case of the direction from server to client, how many types of information should be transferred, in your view?
SnaiL:
As concerns DCOM, we need to verify our supposition that DCOM can use our DLLs in order to provide communication with the agent only when we need it.
As concerns the view - no, we need to parse the raw logs from the agent into an integrated format, apply filters and show it to administrators, highlight dangerous events, etc.
Phiphu2002:
but you said "a server, view and one agent per machine". Is the server function viewing the agent log only?
Phiphu2002:
of course
SnaiL:
yes. Look at the enterprise infrastructure. We have a hundred or more machines we want to audit (audit - monitor for intrusions). In this case the best solution is to have a server, a view and one agent per machine.
Phiphu2002:
a host-based IDS plus some other functions
Phiphu2002:
so it is similar to a host-based IDS, isn't it?
SnaiL:
No. We need to use one agent per machine. The agent must have a pluggable architecture for each event source.
Phiphu2002:
and the other drawback is that if the number of agents increases and becomes too large, the controlling mission is not easy
Phiphu2002:
that's true
SnaiL:
But if we have a live server, always running, we give the attacker more ways to attack.
SnaiL:
this case does not concern DCOM applications. For example, we have a connected agent, communication is alive; the attacker can deny communication with a firewall and the connection will be lost.
Phiphu2002:
in that case if the attacker tries to separate the communication between you and the agent, then they can make the agent worthless
SnaiL:
BTW, yet another server increases risk.
SnaiL:
yes
Phiphu2002:
if we cannot communicate with the agent, then it does not work, does it?
SnaiL:
ok. My solution for Windows is to NOT WRITE A SERVICE, just write DCOM applications. When we need to call some agent functionality, DCOM will load our DLL and call the needed functions.
Phiphu2002:
it is similar to my opinion in the forum
SnaiL:
something like this
Phiphu2002:
you mean that?
Phiphu2002:
I understand that, is it a stand-alone agent?
SnaiL:
ok. Just try. I think, first of all, we need to examine the agent without servers. For example, use SSH to execute some programs remotely.
Phiphu2002:
yes
SnaiL:
can you discuss the Windows agent architecture with me now?
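The agent/server exchange SnaiL sketches in the chat above (the agent reports its installed modules, the server asks it to execute a module, the agent returns the log in its original format, compressed, and the server decompresses it, parses it into an integrated format and highlights dangerous events), as an added example that is not part of this thread or of the project's own code. The module name "auth_log", the message field names, the newline-delimited JSON framing, the hex-encoded gzip payload, the "dangerous" patterns and the sample syslog lines are all assumptions made for illustration; the remote install/uninstall message (SnaiL's point 2) is not shown, and the encrypted TCP/IP channel the thread prefers is where the framed bytes would travel, not implemented here.

```python
import gzip
import json
import re
from typing import Callable, Dict, List

# ---------------------------------------------------------------- agent side
# Constructed sample of one application's log (sshd/CRON lines in syslog
# format). The agent never reformats it: this text is the "raw data".
SAMPLE_AUTH_LOG = (
    "Mar  3 10:21:07 host1 sshd[4121]: Accepted password for alice from 10.0.0.5 port 51022 ssh2\n"
    "Mar  3 10:21:40 host1 sshd[4130]: Failed password for root from 10.0.0.9 port 51044 ssh2\n"
    "Mar  3 10:21:42 host1 sshd[4130]: Failed password for root from 10.0.0.9 port 51044 ssh2\n"
    "Mar  3 10:22:01 host1 CRON[4140]: (root) CMD (run-parts /etc/cron.hourly)\n"
)

# One module per event source (module name assumed); a module returns the
# log text exactly as the application wrote it.
MODULES: Dict[str, Callable[[], str]] = {
    "auth_log": lambda: SAMPLE_AUTH_LOG,
}


def list_modules() -> dict:
    """Message 1: report which modules are installed on this agent."""
    return {"type": "modules", "modules": sorted(MODULES)}


def run_module(request: dict) -> dict:
    """Message 3: execute one module and return its raw output, gzip-compressed.

    The payload is hex-encoded so the whole message stays plain JSON; the
    uncompressed length lets the server detect a truncated transfer.
    """
    name = request.get("module")
    if name not in MODULES:
        return {"type": "error", "module": name, "reason": "unknown module"}
    raw = MODULES[name]().encode("utf-8")
    return {
        "type": "result",
        "module": name,
        "raw_len": len(raw),
        "payload": gzip.compress(raw).hex(),
    }


def to_wire(message: dict) -> bytes:
    """Newline-delimited JSON framing (assumed); these bytes are what would be
    written to the encrypted TCP/IP socket, which is not shown here."""
    return json.dumps(message, separators=(",", ":")).encode("utf-8") + b"\n"


def from_wire(frame: bytes) -> dict:
    return json.loads(frame.rstrip(b"\n").decode("utf-8"))


# --------------------------------------------------------------- server side
# Classic syslog line: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Patterns the server flags as dangerous (an assumed, deliberately small list).
DANGEROUS = [re.compile(r"Failed password"), re.compile(r"Accepted .* for root\b")]


def parse_result(message: dict) -> List[dict]:
    """Decompress the agent's payload and parse every line into an integrated
    format; lines the parser does not understand are kept, marked unparsed."""
    if message.get("type") != "result":
        raise ValueError("not a result message: %r" % message.get("type"))
    data = gzip.decompress(bytes.fromhex(message["payload"]))
    if len(data) != message["raw_len"]:
        raise ValueError("payload length mismatch, transfer truncated?")
    events = []
    for line in data.decode("utf-8").splitlines():
        m = SYSLOG_RE.match(line)
        if m is None:
            events.append({"raw": line, "parsed": False, "dangerous": False})
            continue
        ev = m.groupdict()
        ev["raw"] = line
        ev["parsed"] = True
        ev["dangerous"] = any(p.search(ev["msg"]) for p in DANGEROUS)
        events.append(ev)
    return events


def dangerous_events(events: List[dict]) -> List[dict]:
    """The rows the view would highlight for the administrator."""
    return [e for e in events if e["dangerous"]]


def exchange(module: str) -> List[dict]:
    """Full round trip: server asks for a module, agent answers, server parses."""
    request = from_wire(to_wire({"type": "run", "module": module}))
    reply = from_wire(to_wire(run_module(request)))
    return parse_result(reply)


if __name__ == "__main__":
    print(from_wire(to_wire(list_modules())))
    for ev in dangerous_events(exchange("auth_log")):
        print("ALERT", ev["ts"], ev["host"], ev["prog"], ev["msg"])
```

The division of labour is the one argued for in the chat: the agent only names its modules, runs one on request and ships the bytes untouched, while all parsing and filtering happens on the server, so a log format the agent has never seen still arrives intact and an unparseable line is kept rather than dropped.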
This topic isn't really relevant yet. What we are proposing is that we need to work with the agents as single entities now, then we will apply them to the architecture and then make them mobile agents as Shyaam recommended. Please reply with your opinion.
What is clear now is that we are going to start with the test agents immediately; we don't want to wait any more time.
(10:34:07) g3nmx: don't you think that with mobile agents the problem of the RPC is solved?
(10:34:59) phiphu2002: I have no comment now
(10:35:14) g3nmx: or do you want to continue with the idea of a server, and on each machine a monitor (snail called it the agent) and in that monitor agents reporting (snail: plugins of the agent)
(10:37:51) g3nmx: I just wanted to clarify that what snail proposed was the first architecture we had, remember it?
(10:37:52) phiphu2002: I want that way now, and I want mobile agents for the future
(10:38:00) phiphu2002: yes
(10:38:21) phiphu2002: that's true
(10:39:42) g3nmx: ok, then we should think about implementing only the agents that will communicate locally with the monitors (and maybe after some research communicate with the monitor from a different machine to avoid breaking points)
(10:40:25) phiphu2002: ok
Hi all,
This is Shyaam here. I am designing the security structure provided for Templario. Please do not use any preexisting ones. Do not use OS-related structures. I shall send the design this weekend and I shall also send the code for some parts.
Thank you
Shyaam
Let the work start and then the design can be changed. I shall be listing one possible security design tomorrow. But still it is not needed at this stage. As agreed by Mr. vlazarenko, Mr. Omael and Mr. Phiphu, let the project start with Mr. vlazarenko's idea and let me tune the project towards security. I think that it would be a better idea as, as Phi told me in chat, you guys have already come to an agreement on the design. So please start the work and let's take the lead.
Thank you
Kind regards
Shyaam