Comments for Allan Jude - Network Engineer & Security Analyst http://www.lockergnome.com/allanjude Important Information of Security Mon, 09 Nov 2009 11:10:33 +0000 http://wordpress.org/?v=2.6.1 Comment on Bacula as a Host Based Intrusion Detection System by Allan Jude http://www.lockergnome.com/allanjude/2007/12/22/bacula-as-a-host-based-ids/#comment-13 Allan Jude Mon, 07 Jan 2008 02:57:41 +0000 http://www.lockergnome.com/allanjude/2007/12/22/bacula-as-a-host-based-ids/#comment-13 The point of this essay is that Bacula has advantages, and no disadvantages compared to something like tripwire. If the malware filters the I/O, then it is not going to be picked up by any other IDS or Scanner either. But yes, the point is that Bacula has this little used feature, and it is really only an additional advantage, not a core feature. The point of this essay is that Bacula has advantages, and no disadvantages compared to something like tripwire. If the malware filters the I/O, then it is not going to be picked up by any other IDS or Scanner either.

But yes, the point is that Bacula has this little used feature, and it is really only an additional advantage, not a core feature.

]]> Comment on Bacula as a Host Based Intrusion Detection System by Aryeh Goretsky http://www.lockergnome.com/allanjude/2007/12/22/bacula-as-a-host-based-ids/#comment-9 Aryeh Goretsky Sun, 23 Dec 2007 10:51:40 +0000 http://www.lockergnome.com/allanjude/2007/12/22/bacula-as-a-host-based-ids/#comment-9 Hello, Using the file verification functionality of a backup program as an IDS to check for the changes made by malware is a novel use of the program, but doesn't it presuppose that the intrusion was either (1) affected by modifying existing files on the client; and (2) that the malware not filtering file I/O requests to strip copies of itself out of modified files to present a "clean" copy of them during the verification process? I am unfamiliar with the Linux side of things, but on the Windows side, this can be done without having to patch any of the core operating system files by implementing a device driver or device driver-like functionality within the malware. While it is conceptually a good idea and has little to no implementation costs—after all, who doesn't regularly verify their backups and look at the logs—it seems to me this is more of a complementary layer of protection to other security mechanisms. Regards, Aryeh Goretsky Hello,

Using the file verification functionality of a backup program as an IDS to check for the changes made by malware is a novel use of the program, but doesn’t it presuppose that the intrusion was either (1) affected by modifying existing files on the client; and (2) that the malware not filtering file I/O requests to strip copies of itself out of modified files to present a “clean” copy of them during the verification process?

I am unfamiliar with the Linux side of things, but on the Windows side, this can be done without having to patch any of the core operating system files by implementing a device driver or device driver-like functionality within the malware.

While it is conceptually a good idea and has little to no implementation costs—after all, who doesn’t regularly verify their backups and look at the logs—it seems to me this is more of a complementary layer of protection to other security mechanisms.

Regards,

Aryeh Goretsky

]]>