host-based intrusion detection based on running processes? - Security



Thread: host-based intrusion detection based on running processes?

  1. host-based intrusion detection based on running processes?

    Hi all,

    does anyone know software that can do host-based intrusion detection
    looking at which processes are running? I would like to detect for example
    when user httpd has processes running except from cgi-bin, or when a
    process is listening on a (previously closed) port, or when a certain user
    owns a large number of processes...

    I know that the first thing a hacker does is disable this check, but
    in between the hacker starting to hack and getting root access there is usually
    some time, and I hope to get a report in that time.

    regards,
    Olivier


  2. Re: host-based intrusion detection based on running processes?

    Olivier Sessink (06-03-18 23:41:32):

    > does anyone know software that can do host-based intrusion detection
    > looking at which processes are running? I would like to detect for
    > example when user httpd has processes running except from cgi-bin, or
    > when a process is listening on a (previously closed) port, or when a
    > certain user owns a large number of processes...
    >
    > I know that the first thing a hacker does is disable this check, but
    > in between the hacker starting to hack and getting root access there is
    > usually some time, and I hope to get a report in that time.


    Grsecurity has a system auditing feature
    with which you can log almost anything, like processes being run. You can then
    'tail -f' the log file and process the output with a script or
    something.


    Regards.
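One way to script the three checks Olivier lists (httpd processes outside cgi-bin, a new listening port, one user owning many processes), as an added example that is not from either poster: the checks are pure functions over (pid, user, exe) records so they can be fed from /proc directly or from parsed audit-log lines, and the httpd paths, the port baseline and the sample records are constructed assumptions.

```python
"""Added host checks for the three conditions Olivier asks about (sample data is constructed)."""
import os
from collections import Counter

SAMPLE_PROCS = [  # constructed: (pid, user, executable path), as a collector would return
    (812, "root", "/usr/sbin/sshd"),
    (901, "httpd", "/usr/sbin/httpd"),
    (902, "httpd", "/var/www/cgi-bin/search.cgi"),
    (903, "httpd", "/bin/sh"),  # the httpd user spawning a shell is unexpected
    (950, "olivier", "/bin/bash"),
]
SAMPLE_LISTEN = {22, 80, 4444}  # constructed: TCP ports currently listening
BASELINE_LISTEN = {22, 80}      # constructed: ports open when the baseline was taken

def check_user_exes(procs, user="httpd",
                    allowed=("/usr/sbin/httpd", "/var/www/cgi-bin/")):
    """Processes of `user` whose executable is neither the daemon nor in cgi-bin (assumed paths)."""
    return [(pid, exe) for pid, u, exe in procs
            if u == user and not exe.startswith(allowed)]

def check_new_listeners(listening, baseline):
    """Ports listening now that were not listening when the baseline was taken."""
    return sorted(listening - baseline)

def check_process_counts(procs, limit=50):
    """Users owning more than `limit` processes."""
    counts = Counter(u for _, u, _ in procs)
    return {u: n for u, n in counts.items() if n > limit}

def run_checks(procs, listening, baseline, limit=50):
    """Run all three checks and return human-readable alert lines."""
    alerts = [f"httpd pid {pid} runs {exe} outside cgi-bin"
              for pid, exe in check_user_exes(procs)]
    alerts += [f"new listener on TCP port {p}"
               for p in check_new_listeners(listening, baseline)]
    alerts += [f"user {u} owns {n} processes (limit {limit})"
               for u, n in check_process_counts(procs, limit).items()]
    return alerts

def collect_procs():
    """Linux collector: skips entries whose exe link is unreadable (other users' processes, unless root)."""
    import pwd  # Unix-only module, so imported where it is used
    procs = []
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:  # /proc/<pid> is owned by the process uid (root for non-dumpable ones)
            user = pwd.getpwuid(os.stat(f"/proc/{name}").st_uid).pw_name
            procs.append((int(name), user, os.readlink(f"/proc/{name}/exe")))
        except (OSError, KeyError):
            continue  # process exited meanwhile, or exe not readable
    return procs
```

Run `run_checks(collect_procs(), listeners, baseline)` from cron or a loop; a check like this only helps before the intruder has root, which is exactly the window Olivier is after.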
