Hi there..
as things are ready to explode again, here's
a thought... (tataaa!! *smile*)
How about putting together a distributed IDS system
based on trinux (with snort plus perl scripts)?
Here's what I'd imagine:
<story>
Somewhere within company A a network starts to seriously
act up.. "What's going on?", thinks our security person
and asks a fellow colleague to feed some laptop with
the trinux floppy set he mailed him a few weeks ago..
After booting up, the trinux box will scan the local network
and try to profile its environment, configure
itself a snort ruleset and start gathering data with snort
(http://www.clark.net/~roesch/security.html - now with strikeback
and database support!).
Our sensor will send back its data (encrypted) to a management
server (on the security person's desktop) using either encrypted mail
or ssh..
Alternatively: Our sensor will log its data to a local hard drive..
Would be nice if our security person could log into the sensor
using ssh and change things to his liking.. =)
(We might assume that the fellow colleague is an NT guy and has
no clue about Unix..)
</story>
What would we need in Trinux?
- an updated snort package
- some perl scripts to do the environment profiling,
to send data around and such..
- nmap (we have that one, need it for the profiling)
- a sshd package (preferably the OpenSSH server [*free!*])
(alternatively, stunnel.. [there's actually a stunnel package])
- a .. *cough*.. pcmcia package for glibc
....what else?
Does anyone else feel that this is a worthwhile idea?
Would someone like to take the helm?
Stefan
-------
Matthew, what should the development platform look like?
(How can I get a RedHat 6.0 to fit these requirements?)
[EMAIL PROTECTED] wrote:
>
> For those of you that have been wondering...
>
> Trinux was never dead, only in a coma. It is finally beginning to stir.
>
> The Trinux development team has relocated to Austin and had a strategic
> planning meeting yesterday at the local pho-house. The lab is nearly
> operational. All I need now is a fresh box o' floppies. Look for things
> to start heating up again. There is a lot of catching up to do.
>
> -mdf
>
> *_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*
>
> For version 0.6x
> ----------------
>
> Updated packages:
> - Nmap 2.3beta14
> - Ngrep 1.37
>
> New Packages:
> - Zombie Zapper (FYI: Simple Nomad rulez...)
> - Nstreams 0.99.3 (so does Renaud D... of Nessus fame)
>
> ftp://ftp.trinux.org/pub/trinux/packages/latest/
>
> I have not tested these yet, I'm assuming my build scripts still work ;)
>
> If there are any other cool tools besides etherape that you are dying to
> see, drop me a note.
>
> And if there is anyone in the Austin/Central Texas area that might be
> interested in getting involved, let me know.
>
> -mdf
>
> ------------------------------------------------------------------------------------
> www.trinux.org hosted by The Vnode Connector Services
> www.vnode.com *** Special Discounts For Trinux Users
> *** Email [EMAIL PROTECTED]
> ------------------------------------------------------------------------------------
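An added example of the environment-profiling step sketched in the story above; this is not Trinux code and was not posted to the list. It parses nmap's greppable (-oG) output, derives HOME_NET as the smallest block covering every host seen (never narrower than /24), groups hosts into per-role server lists by the open services nmap reported, and emits the snort.conf "var" and "include" lines a sensor could start from. The scan output is a constructed sample, and the rule file names, the service-to-variable mapping and the sensor@mgmt ssh account are assumptions for illustration only.

```python
"""Environment profiling for a self-configuring Snort sensor.

Added example (not Trinux code): turn nmap -oG output into the snort.conf
variables and rule includes a freshly booted sensor would start with.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of `nmap -sS -sU -oG - 10.1.1.0/24` output (not a real scan).
SAMPLE_NMAP_OG = """\
# Nmap run (constructed sample)
Host: 10.1.1.1 (gw)\tPorts: 22/open/tcp//ssh///, 53/open/udp//domain///\tIgnored State: closed (998)
Host: 10.1.1.10 (www)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///
Host: 10.1.1.20 (mail)\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///
Host: 10.1.1.30 (fileserver)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 10.1.1.99 ()\tStatus: Up
"""

# service name -> (snort variable, rule file to include). The rule file names
# are this example's assumption, not a claim about what Snort or Trinux shipped.
SERVICE_RULES = {
    "http": ("HTTP_SERVERS", "web.rules"),
    "https": ("HTTP_SERVERS", "web.rules"),
    "smtp": ("SMTP_SERVERS", "smtp.rules"),
    "domain": ("DNS_SERVERS", "dns.rules"),
    "netbios-ssn": ("SMB_SERVERS", "netbios.rules"),
    "microsoft-ds": ("SMB_SERVERS", "netbios.rules"),
    "ssh": ("SSH_SERVERS", None),  # tracked, but no rule file enabled for it
}


def parse_greppable(text):
    """Return {ip: [(port, proto, service), ...]} from nmap -oG output.

    Each 'Host:' line is tab-separated 'Key: value' fields; each entry in the
    Ports field is port/state/proto/owner/service/rpcinfo/version/. Only
    open ports are kept; a host with no open ports still appears with [].
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        hosts.setdefault(ip, [])
        for entry in fields.get("Ports", "").split(","):
            parts = entry.strip().split("/")
            if len(parts) < 5 or parts[1] != "open":
                continue
            hosts[ip].append((int(parts[0]), parts[2], parts[4]))
    return hosts


def home_net(hosts, max_prefix=24):
    """Smallest CIDR block covering every discovered host, at most /max_prefix.

    A sensor normally watches a whole subnet, so we start from the first
    host's /24 and only widen if the scan saw hosts outside it.
    """
    if not hosts:
        raise ValueError("no hosts discovered; cannot derive HOME_NET")
    net = ipaddress.ip_network(f"{next(iter(hosts))}/{max_prefix}", strict=False)
    addrs = [ipaddress.ip_address(ip) for ip in hosts]
    while not all(a in net for a in addrs):
        net = net.supernet()
    return str(net)


def build_snort_vars(hosts):
    """snort.conf 'var' lines and rule 'include' lines derived from the profile."""
    servers = defaultdict(set)
    rule_files = set()
    for ip, ports in hosts.items():
        for _port, _proto, service in ports:
            if service in SERVICE_RULES:
                var, rules = SERVICE_RULES[service]
                servers[var].add(ip)
                if rules:
                    rule_files.add(rules)
    lines = [f"var HOME_NET {home_net(hosts)}", "var EXTERNAL_NET !$HOME_NET"]
    for var in sorted(servers):
        addrs = sorted(servers[var], key=ipaddress.ip_address)
        lines.append(f"var {var} [{','.join(addrs)}]")  # snort list syntax
    lines.extend(f"include {r}" for r in sorted(rule_files))
    return lines


def ship_command(logdir, mgmt_host, user="sensor"):
    """argv for pushing the sensor's logs to the management box over ssh.

    Returned rather than executed so the example runs offline; BatchMode
    makes scp fail instead of prompting when no key is set up, which is
    what an unattended sensor wants. Account name is an assumption.
    """
    return ["scp", "-r", "-o", "BatchMode=yes", logdir, f"{user}@{mgmt_host}:incoming/"]


if __name__ == "__main__":
    profile = parse_greppable(SAMPLE_NMAP_OG)
    print("\n".join(build_snort_vars(profile)))
    print(" ".join(ship_command("/var/log/snort", "mgmt.example.test")))
```

The output would be appended to a stock snort.conf before starting the sensor; EXTERNAL_NET is defined as the negation of HOME_NET so that the generated server lists stay meaningful even when the scan only saw part of the subnet.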