FUPIDS (version 1) Overview
Current release: ---, Current SVN/CVS version: 0.0.4-2003
FUPIDS stands for Fuzzy Userprofile Intrusion Detection System. It is a kernel-code patch for OpenBSD systems that creates
a profile for every user and alerts the admin if an attacker is detected. In this context, an attacker is someone who takes over
a user's account and/or does things an admin doesn't like (such as sniffing on his network). I hacked its code in Nov-2003.
The project was heavily discussed and received lots of criticism. It has both advantages (one should see it as
proof-of-concept code) and disadvantages (user monitoring, fuzzy data, lots of false positives).
You can find the announcement mail here. The first public version was released with this mail on Tue, 11 Nov 2003 18:44:57 +0100.
deadly.org article (now undeadly.org)
slashdot.org article
Features
Here is a list of FUPIDS' features:
- FUPIDS calculates an "attacker level" for every user (with uid >= 1000) on your system. It will alert you via syslog if the attacker level becomes too high.
- FUPIDS keeps a profile of the programs each user has run. If a user runs too many new programs in a short time, the attacker level rises, because an attacker could have taken over this user's account and may now be running freshly compiled exploits or an editor the normal user never starts.
- FUPIDS reports if one of your network interfaces (other than pflog0 and lo[01]) goes into promiscuous mode (this also feeds into the attacker level).
- FUPIDS watches the listen() syscall and will tell you if a user creates a new listening socket (possibly a backdoor).
- If a user who never did anything before (for example 'uucp') becomes active on your system, FUPIDS will notice and report it.
- An attacker cannot kill the FUPIDS process because it is kernel code. (Nor can he unload it like an LKM, because it is implemented directly in the kernel code.)
- Your users don't know that FUPIDS code is running on the system.
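As an added illustration (not FUPIDS source code), the following Python models the per-user attacker level the features above describe, with a constructed event stream; the point values, the 60 s window, the new-program limit and the alert threshold are assumptions, since the kernel patch's own fuzzy scoring is not given here.

```python
# Added example, not FUPIDS code: user-space model of the per-user "attacker level".
from collections import defaultdict

MIN_UID = 1000                 # page: only uid >= 1000 gets a profile
WINDOW = 60                    # assumed: "a short time" in seconds
NEW_PROG_LIMIT = 3             # assumed: more new programs than this raises the level
ALERT_LEVEL = 5                # assumed: level at which syslog is notified
IGNORED_IFACES = {"pflog0", "lo0", "lo1"}   # page: promisc on these is not counted

class Fupids:
    def __init__(self, known=None):
        self.profile = defaultdict(set, known or {})  # uid -> programs seen before
        self.recent_new = defaultdict(list)          # uid -> times of new programs
        self.level = defaultdict(int)                # uid -> attacker level
        self.alerts = []                             # what would go to syslog

    def _raise(self, uid, points, why, t):
        self.level[uid] += points
        if self.level[uid] >= ALERT_LEVEL:
            self.alerts.append(f"t={t} uid={uid} level={self.level[uid]}: {why}")

    def exec_(self, uid, prog, t):          # execve() of prog by uid at time t
        if uid < MIN_UID:
            return
        if not self.profile[uid]:           # account that never did anything before
            self._raise(uid, 2, f"dormant account became active ({prog})", t)
        if prog not in self.profile[uid]:
            self.profile[uid].add(prog)
            self.recent_new[uid] = [s for s in self.recent_new[uid] if t - s <= WINDOW] + [t]
            if len(self.recent_new[uid]) > NEW_PROG_LIMIT:
                self._raise(uid, 1, f"{len(self.recent_new[uid])} new programs in {WINDOW}s", t)

    def listen(self, uid, port, t):         # listen() syscall: possible backdoor
        if uid >= MIN_UID:
            self._raise(uid, 3, f"new listen socket on port {port}", t)
    def promisc(self, uid, iface, t):       # interface put into promiscuous mode
        if uid >= MIN_UID and iface not in IGNORED_IFACES:
            self._raise(uid, 3, f"{iface} entered promiscuous mode", t)

def simulate():
    """Constructed event stream: uid 1000 has a known profile, uid 1001 none."""
    ids = Fupids(known={1000: {"sh", "ls", "vi", "ssh"}})
    for t, prog in ((10, "gcc"), (12, "./a.out"), (15, "perl")):
        ids.exec_(1000, prog, t)      # three new programs: still within the limit
    ids.exec_(1000, "ed", 20)         # fourth new program in 60 s -> level 1
    ids.listen(1000, 8080, 25)        # -> level 4
    ids.promisc(1000, "fxp0", 30)     # -> level 7, alert
    ids.promisc(1000, "lo0", 31)      # ignored interface, no change
    ids.exec_(1001, "sh", 40)         # dormant account -> level 2, no alert
    ids.exec_(999, "cron", 50)        # system uid, not profiled
    return ids
```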
Documentation
You can find a README file in the .tgz archive, and the official documentation I wrote for this project is in the list of my publications.
Download
You can download FUPIDS 0.0.4 from freshmeat.net. Just follow the instructions in the 'INSTALL' file to install it. I don't know if FUPIDS will run on current OpenBSD kernels; I developed it for OpenBSD 3.3. However, it should be possible to hack it into the current kernel if you have enough skills ;-)