Attack and agent ideas
----------------------

 ======================================================================
 This file is Copyright 1998,1999 by the Purdue Research Foundation and
 may only be used under license.  For terms of the license, see the
 file named COPYRIGHT included with this software release.
 AAFID is a trademark of the Purdue Research Foundation.
 All rights reserved.
 ======================================================================


This document lists some attacks that might be tried against a system
and that we would like to detect, and for each one of them, the things
that would have to be monitored. Each one of these things can be made
into an agent.


- Denial of service attack by consuming large amounts of CPU
  * CPU load (from uptime, for example) (DONE- CPUload agent)

- SYN flooding
  * Average number of half-open connections (from netstat)
    (DONE- SYNflood agent)
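  As an added example (not the AAFID SYNflood agent's own code), the
  following shows what such an agent has to do: parse netstat output,
  count the entries in the half-open (SYN_RECV) state, and keep a moving
  average over the last few samples so that one spike does not raise an
  alarm. The netstat text is constructed for the example, and the window
  and threshold values are assumed, not taken from AAFID.

```python
import re
from collections import Counter, deque

# Constructed sample of `netstat -an` output (not captured from a real host).
# SYN_RECV (Linux) / SYN_RCVD (BSD) marks a half-open TCP connection.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.0.2.10.25          198.51.100.7.40112     SYN_RECV
tcp        0      0  192.0.2.10.25          198.51.100.7.40113     SYN_RECV
tcp        0      0  192.0.2.10.25          198.51.100.7.40114     SYN_RECV
tcp        0      0  192.0.2.10.22          203.0.113.5.51022      ESTABLISHED
tcp        0      0  192.0.2.10.80          203.0.113.9.33010      SYN_RECV
tcp        0      0  *.22                   *.*                    LISTEN
"""

HALF_OPEN_STATES = {"SYN_RECV", "SYN_RCVD"}


def count_half_open(netstat_text):
    """Return (total half-open connections, {remote host: count})."""
    total = 0
    per_host = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows have 6 columns: proto, recv-q, send-q, local, foreign, state.
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp4", "tcp6"):
            continue
        if fields[-1] not in HALF_OPEN_STATES:
            continue
        total += 1
        # Foreign address is host.port (BSD) or host:port (Linux); drop the port.
        per_host[re.sub(r"[.:]\d+$", "", fields[4])] += 1
    return total, dict(per_host)


class SynFloodAgent:
    """Moving average of half-open connections over the last `window` samples.
    Alarms when the average exceeds `threshold` (both values are assumed)."""

    def __init__(self, window=3, threshold=50):
        self.samples = deque(maxlen=window)
        self.threshold = threshold

    def observe(self, half_open_count):
        """Record one sample; return (current average, alarm flag)."""
        self.samples.append(half_open_count)
        avg = sum(self.samples) / len(self.samples)
        return avg, avg > self.threshold


def run_once(agent, netstat_text):
    """One polling cycle: parse a netstat snapshot and feed it to the agent."""
    total, _ = count_half_open(netstat_text)
    return agent.observe(total)
```

  In a real agent the snapshot would come from running netstat at each
  polling interval; here the parser and the averaging logic are the part
  worth checking.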

- Attempts to guess the root password by repeatedly using su
  * Repeated executions of the su command (SU agent)

- Doorknob rattling
  * Repeated frequent telnet or rlogin connections from the same host
    (from tcp-wrappers) (DONE- ConnSameHost agent)
  * One- or two-shot failed telnet or rlogin attempts (that is, a
    telnet connection that tries one or two passwords, then logs out).
    This is not possible to detect without extra tools.
  * Short-lived telnet or rlogin connections.
    This is also not possible to detect without extra tools.
  * Multiple-login-failure messages from the system (LoginFailures
    agent) (DONE)

- Port scanning
  * Connections to a lot of different ports from the same host in a
    short period of time (from tcp-wrappers). (DONE- kind of -
    ConnSameHost agent)
  * Open a server on a weird port and listen for connections.
    (DONE- WeirdConn agent)
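  Both the doorknob-rattling item (repeated frequent connections from the
  same host) and the port-scanning item (connections to many different
  services from the same host in a short time) can be served by one
  sliding-window correlation over tcp-wrappers log lines. The example
  below is added here and is not the ConnSameHost agent's code; the
  syslog lines are constructed, and the window length and both thresholds
  are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import NamedTuple

# Constructed tcp-wrappers ("connect from") syslog lines, not a real log.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw in.telnetd[2001]: connect from 198.51.100.7
Mar  3 10:15:03 gw in.telnetd[2002]: connect from 198.51.100.7
Mar  3 10:15:06 gw in.telnetd[2003]: connect from 198.51.100.7
Mar  3 10:15:09 gw in.telnetd[2004]: connect from 198.51.100.7
Mar  3 10:15:12 gw in.telnetd[2005]: connect from 198.51.100.7
Mar  3 10:20:00 gw in.ftpd[2010]: connect from 203.0.113.9
Mar  3 10:20:01 gw in.telnetd[2011]: connect from 203.0.113.9
Mar  3 10:20:02 gw in.fingerd[2012]: connect from 203.0.113.9
Mar  3 10:20:03 gw in.rlogind[2013]: connect from 203.0.113.9
Mar  3 11:30:00 gw sshd[2020]: connect from 192.0.2.44
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\S+?)\[\d+\]: connect from (\S+)$")
_EPOCH = datetime(1900, 1, 1)  # syslog stamps carry no year; strptime defaults to 1900


class Alert(NamedTuple):
    kind: str
    host: str
    when: str


def parse_line(line):
    """Return (seconds, service, remote host) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp, service, host = m.groups()
    secs = (datetime.strptime(stamp, "%b %d %H:%M:%S") - _EPOCH).total_seconds()
    return secs, service, host


class ConnSameHostAgent:
    """Per remote host, keep the connections seen in the last `window` seconds.
    Alarm on >= conn_threshold connections (doorknob rattling) or on
    >= service_threshold distinct services (port scan). Thresholds are assumed."""

    def __init__(self, window=60, conn_threshold=5, service_threshold=4):
        self.window = window
        self.conn_threshold = conn_threshold
        self.service_threshold = service_threshold
        self.recent = defaultdict(deque)  # host -> deque of (secs, service)

    def observe(self, line):
        parsed = parse_line(line)
        if parsed is None:
            return []
        ts, service, host = parsed
        q = self.recent[host]
        q.append((ts, service))
        while q and ts - q[0][0] > self.window:  # expire old entries
            q.popleft()
        alerts = []
        if len(q) >= self.conn_threshold:
            alerts.append(Alert("repeated-connections", host, line[:15]))
        if len({s for _, s in q}) >= self.service_threshold:
            alerts.append(Alert("port-scan", host, line[:15]))
        if alerts:
            q.clear()  # one burst yields one alert, not one per further line
        return alerts


def detect(log_text, **kwargs):
    """Run the agent over a block of log text and collect its alerts."""
    agent = ConnSameHostAgent(**kwargs)
    alerts = []
    for line in log_text.splitlines():
        alerts.extend(agent.observe(line))
    return alerts
```

  A live agent would feed the same observe() method from a tail of the
  syslog file. Clearing the per-host queue after an alert is the simple
  way to avoid an alert per line once a burst has been flagged.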

- Denial of service by filling /tmp
  * Monitor disk usage (df) (DONE- SpaceTmp agent)

- Denial of service by filling memory
  * Monitor memory usage (ps or top)

- Modification to /etc/passwd
  * Monitor for changes in /etc/passwd.
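  A change monitor for /etc/passwd is more useful when it reports what
  changed rather than only that a hash differs. The following is an added
  example, not part of AAFID: it compares a baseline copy of the file
  against the current contents, lists added, removed and modified
  accounts, and calls out any new account with uid 0. The two passwd
  texts are constructed.

```python
import hashlib

# Constructed baseline and current passwd contents (not from a real host).
BASELINE = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
"""
CURRENT = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:0:0:bob:/home/bob:/bin/sh
"""


def parse_passwd(text):
    """Map username -> (uid, gid, home, shell); skip blank/comment/malformed lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries[name] = (int(uid), int(gid), home, shell)
    return entries


def digest(text):
    """SHA-256 of the file text; the cheap first check before parsing."""
    return hashlib.sha256(text.encode()).hexdigest()


def compare(baseline_text, current_text):
    """Return a list of change descriptions; an empty list means unchanged."""
    if digest(baseline_text) == digest(current_text):
        return []
    old, new = parse_passwd(baseline_text), parse_passwd(current_text)
    changes = []
    for name in sorted(new.keys() - old.keys()):
        changes.append(f"added {name} uid={new[name][0]}")
    for name in sorted(old.keys() - new.keys()):
        changes.append(f"removed {name}")
    for name in sorted(old.keys() & new.keys()):
        if old[name] != new[name]:
            changes.append(f"modified {name}: {old[name]} -> {new[name]}")
    # A new or newly promoted uid-0 account is the change that matters most.
    for name, (uid, *_rest) in new.items():
        if uid == 0 and name != "root" and (name not in old or old[name][0] != 0):
            changes.append(f"new uid-0 account {name}")
    return changes
```

  An agent built on this would keep the baseline text from its first run
  (or from a known-good copy) and call compare() with the file's current
  contents at each polling interval.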

- Sniffer running on the system
  * Check for network interface in promiscuous mode.

- Root impersonation
  * Presence of interactive root shells (ps, Fproc filter)
  * Direct logins to root (lastlog).
