Forum OpenACS Development: Adding an IDS (Intrusion Detection System) to OpenACS
Perimeter defense is dead. We have to assume that our systems are infiltrated. Instead, we might be able to check that there was a breach...
]project-open[ already contains a - kind of - intrusion detection system that sends out alert messages if certain argument validation checks fail (before util_memoize usually...).
However, reading stuff about anomaly based IDS (https://en.wikipedia.org/wiki/Anomaly-based_intrusion_detection_system), I got the idea that it should be very easy to add a bit more.
So I went ahead and modified db_exec in /acs-tcl/00-database-procs.tcl to keep track of the SQLs issued per user. The resulting vector (SQL name -> frequency) can easily be checked to be "reasonable" (not implemented yet).
There are multiple points now:
- @OpenACS maintainers: Would it be OK to add a callback or something similar in db_exec?
- @OpenACS maintainers: Would it be OK to add a similar callback to argument violations of ad_page_contract?
- It might also be interesting to get the number of rows returned by each query. But I'm afraid this will add too much overhead. Any ideas?
- Any ideas on how to build "honeypots" into OpenACS/]po[? Honeypots and IDS currently seem to be the only security measures that work...
There is a lot of discussion and public interest in this area. I believe that could be a great paper on some security conference etc. Maybe somebody would want to write this paper together with us?