Security Tool

Posted on April 12, 2005
I recently started using the hardened-dev-sources in Gentoo's portage, and grsecurity has a cool feature to track IP addresses per process. There used to be an open-source Python program called HostSentry that was developed by Psionic. Psionic was bought by Cisco and the package disappeared. After moving to these kernels I started thinking about HostSentry and how, instead of watching wtmp, one could do trend analysis and alerting based upon /proc. Now, with additional information such as the IP address, I've been thinking of a way to store process info in a table and then write a program to analyze the current activity vs. the previous activity and send alerts based upon it.

I've prototyped the data gathering tool in PHP. I call it "processripper"; it goes through /proc, extracts the data that could be useful and shoves it in a PostgreSQL table. The next step will be to write a tool that builds some trend data and then determines what kind of alerts to send.
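To make the snapshot-and-compare idea concrete, here is a small added example (my own Python sketch, not processripper and not code from the post) that reads the per-process files under /proc, keeps the name, uid, parent pid and, where grsecurity exposes it, the originating address, and diffs two snapshots to produce alerts. It assumes the grsecurity address lives at /proc/<pid>/ipaddr and reads 0.0.0.0 for local processes; the proc_root parameter exists so a fake tree can be fed in for testing.

```python
"""Snapshot processes from /proc and diff against the previous snapshot."""
import os

# Keys kept from /proc/<pid>/status. The grsecurity address file is assumed
# to be /proc/<pid>/ipaddr (the post does not name the file).
STATUS_FIELDS = ("Name", "Uid", "PPid")
LOCAL_ADDR = "0.0.0.0"  # assumed value reported for locally started processes


def parse_status(text):
    """Parse the 'Key:\\tvalue' lines of a /proc/<pid>/status file into a dict."""
    info = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in STATUS_FIELDS:
            # Uid lists real/effective/saved/fs ids; the real uid is enough here.
            info[key] = value.split()[0] if key == "Uid" else value.strip()
    return info


def snapshot(proc_root="/proc"):
    """Return {pid: {Name, Uid, PPid[, ipaddr]}} for every numeric entry in proc_root."""
    procs = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as f:
                info = parse_status(f.read())
            ip_path = os.path.join(proc_root, entry, "ipaddr")
            if os.path.exists(ip_path):
                with open(ip_path) as f:
                    info["ipaddr"] = f.read().strip()
        except OSError:
            continue  # the process exited between listdir() and open()
        procs[int(entry)] = info
    return procs


def diff_snapshots(prev, cur):
    """Return alert strings for programs, uids and addresses not seen in prev."""
    alerts = []
    prev_names = {p["Name"] for p in prev.values()}
    prev_uids = {p["Uid"] for p in prev.values()}
    prev_ips = {p.get("ipaddr") for p in prev.values()} - {None, LOCAL_ADDR}
    for pid, p in cur.items():
        if p["Name"] not in prev_names:
            alerts.append(f"new program: {p['Name']} (pid {pid}, uid {p['Uid']})")
        if p["Uid"] not in prev_uids:
            alerts.append(f"new uid running processes: {p['Uid']} ({p['Name']})")
        ip = p.get("ipaddr")
        if ip and ip != LOCAL_ADDR and ip not in prev_ips:
            alerts.append(f"process from unseen address: {ip} -> {p['Name']} (pid {pid})")
    return alerts
```

A real run would call snapshot() on a schedule, persist each result (the post's PostgreSQL table) and feed the last two into diff_snapshots().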

I'm thinking a web interface showing trend analysis would be cool at some point too... Stuff like which user uses most of your CPU time, or which applications run the most processes on an ongoing basis. Anyway, just thought I would throw that out there. Once I get something working I'll put it in the ehpg CVS.