Intrusion Detection Scripts

This web page describes a simple set of intrusion detection scripts I wrote. These scripts are available for use under the GNU Public License. The current version (1.0) has been thoroughly tested under Solaris 8 (both SPARC and x86). The scripts are fairly simple and easy to adjust to a specific installation. If you find that the scripts do or do not work on another platform, or you have modified them to work on one, please E-mail the details to ashford@accs.com. These scripts are available here.

I call these intrusion detection scripts Axe Handle. There are several reasons for this. First of all, it functions like an axe handle leaning against a door. When the door is opened, the axe handle makes a noise to alert you. Also, the purpose of the scripts is to give a system administrator a handle on the status of intrusions. Finally, the word axe is pronounced similarly to the way I pronounce the web address of www.accs.com, which is where you probably found this.


Goals

The Axe Handle software is designed to detect intrusions into a system. It does this by analyzing specific files on the system, together with the system's network status. If an intrusion does not cause any of these files (or the network status) to change, Axe Handle will not detect it.

Methods

The Axe Handle software uses several methods to determine whether an intrusion has occurred, as follows:
  1. Axe Handle lists the currently installed packages and the currently applied patches.
  2. Axe Handle checks for network listens. A listen is typically posted when a network service comes on-line, so the set of listens currently posted shows which network services are in use. When that set changes, it is an indication that the network services may have changed. This is the fastest and easiest way to locate a newly installed back door.
  3. Axe Handle performs an integrity check of all installed packages. This provides information on the status of all software that was installed as a package.
  4. Axe Handle scans the files specified in its configuration file. As part of this scan, it also scans itself and its configuration files.
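The snapshot-and-compare logic behind checks 2 and 4, as an added shell example that is not part of Axe Handle itself. It assumes netstat-style listen lines and cksum output as the two snapshot formats, and constructs all of its inputs inline so it runs offline.

```shell
#!/bin/sh
# Added example, not Axe Handle's own code: compare a baseline snapshot with a
# current one and report what appeared or vanished. On a real host the listen
# snapshot would come from `netstat -an | grep LISTEN` and the file snapshot
# from cksum over the paths in the configuration file; inputs are constructed.
LC_ALL=C; export LC_ALL
WORK=$(mktemp -d)

# snapshot_diff BASELINE CURRENT: print lines that appeared (+) or vanished (-).
# Empty output means nothing changed, so the report stays silent.
snapshot_diff() {
    sort "$1" > "$WORK/base.sorted"
    sort "$2" > "$WORK/cur.sorted"
    comm -13 "$WORK/base.sorted" "$WORK/cur.sorted" | sed 's/^/+ /'
    comm -23 "$WORK/base.sorted" "$WORK/cur.sorted" | sed 's/^/- /'
}

# checksum_files CONFIG: cksum the config file itself and every path it lists.
# A vanished file is recorded as MISSING so a deletion also shows up as a change.
checksum_files() {
    for f in "$1" $(cat "$1"); do
        if [ -f "$f" ]; then cksum "$f"; else echo "MISSING $f"; fi
    done
}

# report LABEL BASELINE CURRENT: print differences under a heading; returns 1
# when something changed (the point at which the real scripts would send mail).
report() {
    out=$(snapshot_diff "$2" "$3")
    [ -z "$out" ] && return 0
    printf '=== %s changed ===\n%s\n' "$1" "$out"
    return 1
}

# Constructed baseline: two monitored files, two listens.
mkdir -p "$WORK/cfg"
printf 'example service config\n' > "$WORK/cfg/inetd.conf"
printf '127.0.0.1 localhost\n' > "$WORK/cfg/hosts"
printf '%s\n%s\n' "$WORK/cfg/inetd.conf" "$WORK/cfg/hosts" > "$WORK/axe.conf"
printf '*.22 LISTEN\n*.25 LISTEN\n' > "$WORK/listen.base"
checksum_files "$WORK/axe.conf" > "$WORK/files.base"

# Constructed later state: one file edited, one listen replaced by an unexpected port.
printf 'example service config\nextra line\n' > "$WORK/cfg/inetd.conf"
printf '*.22 LISTEN\n*.12345 LISTEN\n' > "$WORK/listen.cur"
checksum_files "$WORK/axe.conf" > "$WORK/files.cur"

alerts=0
report "network listens" "$WORK/listen.base" "$WORK/listen.cur" || alerts=$((alerts + 1))
report "monitored files" "$WORK/files.base" "$WORK/files.cur" || alerts=$((alerts + 1))
echo "checks with changes: $alerts"
```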

Results

The results of an Axe Handle scan are E-mailed to the specified accounts. They are also saved in log files (one per month), which are kept indefinitely.

Future

This set of scripts was written just to prove that the task could be done. The future of these scripts is unknown. The list of features to be added is significant, but the most important would be to get them working on other versions of Solaris.

If you have any comments or suggestions, please E-mail webmaster@accs.com

© 2004 - Ashford Computer Consulting Service