csjayp/bsmtrace
BSMtrace 1.0

  Introduction

BSMtrace is a utility that processes audit trails, or real-time audit feeds
provided by audit pipes.  It loads a set of finite state machines or sequences
from the supplied configuration file and watches the audit streams for instances
of these sequences.  For more information, the example bsmtrace.conf file should
be reviewed.

The underlying premise behind bsmtrace is that the user can specify sequences of
events that are common after or during system compromise.  These might include
things like:

- A subject having 50 failed logins and then one successful login over the
  course of a week, the kind of pattern you might expect to find during an SSH
  brute-force attack.
- User "nobody" creating files outside of /usr/local/www.
- User "nobody" executing administrative utilities, or utilities like id(1),
  to determine which level of privilege has been acquired.

- The execution of common shellcode in a context where certain system call
  sequences don't normally appear.  For example, the typical execution pattern
  of bind when it services a DNS request might be:

  [1] recvmsg(2)
  [2] sendmsg(2)

  [1] recvmsg(2)
  [2] sendmsg(2)

  .
  .
  .

  When the return address on the stack is overwritten during a buffer overflow
  attack, the execution pattern of the process changes, resulting in the
  execution of system calls outside its regular sequence:

  [1] recvmsg
      o buffer overflow is exploited, and now the execution pattern might look
        something like this:
  [2] socket
  [3] bind
  [4] listen
  [5] accept
  [6] dup2
  [7] exec

- Users or groups of users executing utilities, or reading (or attempting to
  read) files they shouldn't be.
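As an added illustration (not bsmtrace's own code, and not its configuration syntax), the following Python sketch shows the idea behind a bsmtrace sequence: a per-subject state machine that consumes matching audit records inside a time window, here the failed-then-successful-login sequence from the first bullet above. The record fields, the use of the AUE_login event name, and the rule that non-matching records are simply skipped are assumptions of this sketch, not properties of bsmtrace.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Step:
    event: str      # audit event name (illustrative, e.g. "AUE_login")
    success: bool   # required return status of the record
    count: int = 1  # how many matching records this step consumes

@dataclass
class Sequence:
    name: str
    steps: list     # ordered Steps, all to complete inside `window`
    window: int     # seconds allowed from the first matched record

class Tracker:
    """Runs one Sequence as a per-subject state machine over an audit stream."""
    def __init__(self, seq):
        self.seq = seq
        # subject -> [step index, records consumed in that step, first timestamp]
        self.state = defaultdict(lambda: [0, 0, None])
    def feed(self, rec):
        """Return the sequence name when rec completes it for its subject, else None."""
        st = self.state[rec["subject"]]
        if st[2] is not None and rec["ts"] - st[2] > self.seq.window:
            st[:] = [0, 0, None]        # partial match fell out of the window: reset
        step = self.seq.steps[st[0]]
        if rec["event"] != step.event or rec["success"] != step.success:
            return None                 # non-matching records are skipped (assumption)
        if st[2] is None:
            st[2] = rec["ts"]
        st[1] += 1
        if st[1] >= step.count:         # step satisfied, advance the machine
            st[0], st[1] = st[0] + 1, 0
            if st[0] == len(self.seq.steps):
                del self.state[rec["subject"]]
                return self.seq.name
        return None

WEEK = 7 * 24 * 3600
BRUTE_FORCE = Sequence("ssh-brute-force", window=WEEK, steps=[
    Step("AUE_login", success=False, count=50), Step("AUE_login", success=True)])

def login(subject, ts, ok):  # constructed stand-in for a BSM login record
    return {"subject": subject, "event": "AUE_login", "ts": ts, "success": ok}

def run_demo():  # two constructed streams: alice's fits in a week, bob's spans ~8 days
    tracker = Tracker(BRUTE_FORCE)
    recs = [login("alice", 60 * i, False) for i in range(50)] + [login("alice", 3000, True)]
    recs += [login("bob", 4 * 3600 * i, False) for i in range(50)] + [login("bob", 720000, True)]
    recs.sort(key=lambda r: r["ts"])
    return [(r["subject"], hit) for r in recs if (hit := tracker.feed(r))]
```

Only alice triggers the sequence; bob's 50 failures are spread over more than a week, so the partial match is discarded before his successful login arrives.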

Because bsmtrace acquires its information from the audit stream, we can be
reasonably certain that the data can be trusted.  Unlike syslog, the BSM audit
framework targets Common Criteria (CC) requirements, to help ensure that the
audit trail is robust, protected and maintains high levels of integrity.

For more information on the security auditing framework see:

  http://www.TrustedBSD.org/

A complete EBNF specification (bsmtrace.ebnf) for the policy configuration
engine has been included with this source code archive.

  Building

Currently, BSMtrace is built using a basic Makefile.  As more platforms are
supported, this might change.

    make

To install:

    make install

  Credits

The following organizations and individuals have contributed substantially to
the development of BSMtrace (in alphabetical order):

    Aaron L. Meihm
    Christian S.J. Peron
    Seccuris Labs

The following people have contributed to the project with the contribution
noted:

    Mak Kolybabi (EBNF specification, PCRE for pathnames, man pages)

  Bugs

Please report any bugs or comments to:

    [email protected]
    [email protected]

About

BSM based intrusion detection system
