OpenBSD Journal

Fuzzy user profile intrusion detection system

Contributed by jose on from the new-IDS dept.

Steffen Wendzel has been busy working on a new host based IDS engine for OpenBSD. Dubbed "fupids" (fuzzy user profile intrusion detection system), it attempts to model a user's behavior and detect deviations from it. The project is described in the announcement mail:
fupids creates profiles for every user who does an execve() syscall on obsd systems. It isn't complete at the moment (see the last section of this mail), but I just wanted to see if there is an interest from the developers to include some code like this.
The project is coming along and has some overlap with systrace, but it could be a neat way to learn about host based IDS implementations. If this is your thing, this may be worth checking out.
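To make the idea concrete, here is an added toy version of the approach the announcement describes: learn a per-user profile from exec events, then score later events by how well they fit. This is not fupids' own code (the real engine hooks execve() inside the OpenBSD kernel); the "uid=... exe=..." lines are a constructed stand-in for that event feed, and the scoring rule (max-normalised frequency plus a decaying per-user suspicion level with decay 0.5 and threshold 1.2) is an assumption chosen for illustration.

```python
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"uid=(\d+) exe=(\S+)")

# Constructed learning-phase feed standing in for execve() events.
TRAINING = """uid=1000 exe=/usr/bin/vi
uid=1000 exe=/usr/bin/make
uid=1000 exe=/usr/bin/cc
uid=1000 exe=/usr/bin/vi
uid=1000 exe=/bin/ls
uid=1001 exe=/usr/sbin/httpd
uid=1001 exe=/bin/sh""".splitlines()

# Constructed monitoring-phase feed to score against the learned profiles.
LIVE = """uid=1000 exe=/usr/bin/vi
uid=1000 exe=/usr/bin/make
uid=1000 exe=/usr/bin/gdb
uid=1000 exe=/sbin/ifconfig
uid=1001 exe=/bin/sh""".splitlines()

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable exec event: {line!r}")
    return int(m.group(1)), m.group(2)

def build_profiles(lines):
    """Per-user histogram of executed binaries: the user's profile."""
    profiles = defaultdict(Counter)
    for line in lines:
        uid, exe = parse(line)
        profiles[uid][exe] += 1
    return profiles

def familiarity(profile, exe):
    """Fuzzy membership in [0, 1]: 1.0 for the user's most frequent binary,
    0.0 for one never seen (or for a user with no profile at all)."""
    return profile[exe] / max(profile.values()) if profile else 0.0

def scan(profiles, lines, decay=0.5, threshold=1.2):
    """Accumulate (1 - familiarity) per user with exponential decay: one odd
    command is tolerated, a run of them crosses the threshold and is reported."""
    level, alerts = defaultdict(float), []
    for line in lines:
        uid, exe = parse(line)
        level[uid] = level[uid] * decay + 1.0 - familiarity(profiles[uid], exe)
        if level[uid] > threshold:
            alerts.append((uid, exe, level[uid]))
    return alerts
```

Running `scan(build_profiles(TRAINING), LIVE)` flags only the third and fourth events of uid 1000: a single unfamiliar binary after ordinary work is absorbed, two in a row are not.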


  1. By Anonymous Coward () on

    I am glad he has removed all the fp code from the project, but still am not convinced this will work as expected.

  2. By brian () on

    I suffered p0f & systrace, but this will be the last straw. I expect the developers to act wisely for once and not include that shit.

    1. By Cr0N1C () on

      I second that motion!!! This idea is kind of like communism. It sounds really good and theoretically it works, but in practice I would be afraid of the results. I think it would just be another thing for a skilled attacker to take advantage of. We all know that their kind are the only ones that ever get anywhere near an OBSD box.

      1. By Anonymous Coward () on

        This idea is kind of like communism.

        Really? Cool!

        Do you think I have this in my kernel and then do a full rebuild of the system and not be flagged as an attacker?

    2. By sicon () on

      The code needs to be completely rewritten, but if you ask me, I feel it is a great idea, if it can be configured like systrace, to watch for specific calls and the sort.

    3. By gwyllion () on

      Clearly you haven't read the response on tech@: tedu@ didn't like it that much. I'm 100% certain it will not be included.

      1. By sicon () on

        I never said it should be included with the system, but as a side optional package I think it can be very useful in environments such as honeynets. I agree that it will just be another tool for a skilled attacker to use against the system, but nevertheless, the way we get where we are is by testing out new ideas, and either they work or they don't, so you can not blame the guy for trying.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]