Intrusion Detection Scripts
This web page describes a simple set of intrusion detection scripts I wrote.
These scripts are available for use under the GNU Public License.
The current version (1.0) is thoroughly tested under Solaris 8 (both SPARC
and x86). The scripts are fairly simple, and easy to adjust to a specific
installation. Reports of other platforms on which the scripts do or don't
work, and details of the modifications needed to make them work on another
platform, should be E-mailed to firstname.lastname@example.org.
These scripts are available here.
I call these intrusion detection scripts Axe Handle. There are
several reasons for this. First of all, it functions like an axe handle
leaning against a door. When the door is opened, the axe handle makes
a noise to alert you. Also, the purpose of the scripts is to give a system
administrator a handle on the status of intrusions. Finally, the word
axe is pronounced similarly to the way I pronounce the web address
of www.accs.com, which is where you probably found this.
The Axe Handle software is designed to detect intrusions into a system.
It does this by analyzing specific files on the system, and the system's
network status. If an intrusion doesn't cause any of these files to change,
then Axe Handle will not detect it.
The Axe Handle software uses various methods to determine if an intrusion
has occurred, as follows:
- Axe Handle lists the currently installed packages, and the
currently applied patches.
- Axe Handle checks for network listens. Typically, a listen
is posted when a network service comes on-line. By monitoring the listens
that are currently posted, Axe Handle provides information on the network
services that are currently in use. When the listens change, it is
an indication that the network services may have changed. This is the fastest
and easiest way to locate newly installed back doors.
- Axe Handle performs an integrity check of all installed packages.
This will provide information on the status of all software that was installed
as a package.
- Axe Handle scans the files specified in its configuration file.
As part of this scan, it also scans itself, and its configuration files.
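The network-listen check described above, written out as an added example (this is not the Axe Handle code, and the netstat text in it is constructed sample data in Solaris 8 layout): a saved baseline of listens is compared with the current snapshot, and any listen that appeared or vanished is reported.

```sh
#!/bin/sh
# Added example, not part of Axe Handle: the "network listens" check as a stand-alone
# script.  Two "netstat -an" snapshots (saved baseline, current) are reduced to their
# LISTEN entries and diffed.  The netstat text is CONSTRUCTED Solaris 8-style sample data.
export LC_ALL=C   # fixed byte order so comm(1) agrees with sort(1)
# listens FILE: sorted, unique local addresses in LISTEN state.  On Solaris the
# local address is the first column and the socket state the last one.
listens() {
    awk '$NF == "LISTEN" { print $1 }' "$1" | sort -u
}
# check_listens BASELINE_RAW CURRENT_RAW: print "+ addr" for each new listen and
# "- addr" for each vanished one.  Exit 1 when anything changed, so a cron wrapper
# can decide whether to mail the report.
check_listens() {
    b=$(mktemp) && c=$(mktemp) || return 2
    listens "$1" > "$b"; listens "$2" > "$c"
    report=$( { comm -13 "$b" "$c" | sed 's/^/+ /'; comm -23 "$b" "$c" | sed 's/^/- /'; } )
    rm -f "$b" "$c"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
# sample_netstat N: constructed "netstat -an" output.  N=1 is yesterday's baseline,
# N=2 is today's snapshot with the *.111 listen gone and a new *.8888 listen.
sample_netstat() {
    cat <<'EOF'
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.25                 *.*                0      0 49152      0 LISTEN
      10.0.0.5.22          10.0.0.9.40112 49640      0 49640      0 ESTABLISHED
EOF
    if [ "$1" = 1 ]; then
        echo '      *.111                *.*                0      0 49152      0 LISTEN'
    else
        echo '      *.8888               *.*                0      0 49152      0 LISTEN'
    fi
}
# run_demo: compare the two constructed snapshots; returns check_listens' status.
run_demo() {
    base=$(mktemp) && cur=$(mktemp) || return 2
    sample_netstat 1 > "$base"; sample_netstat 2 > "$cur"
    status=0; check_listens "$base" "$cur" || status=$?
    rm -f "$base" "$cur"
    return $status
}
run_demo || echo "network listens changed since baseline"
```

On a real host the two raw files would come from `netstat -an` run at baseline time and now; the non-zero exit status is what a cron wrapper keys the E-mail report on.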
The results of an Axe Handle scan are sent out, via E-mail, to the
specified accounts. They are also saved in log files (one per month) for an indefinite
period of time.
This set of scripts was just to prove that the task could be done. The future
for these scripts is unknown. The list of features to be added is significant,
but the most important would be to get it to work on other versions of Solaris.
If you have any comments
or suggestions, please E-mail email@example.com
- Ashford Computer Consulting Service