host-based intrusion detection based on running processes?


Hi all,

Does anyone know of software that can do host-based intrusion detection
by looking at which processes are running? I would like to detect, for example,
when user httpd has processes running other than from cgi-bin, or when a
process is listening on a (previously closed) port, or when a certain user
owns a large number of processes...

I know that the first thing a hacker does is to disable this check, but
in between the hacker starting to hack and getting root access there is usually
some time, and I hope to get a report in that time.
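The three checks described in the post (httpd processes outside cgi-bin, a listener on a port that was not open before, one user owning too many processes), as an added example that is not from the thread. It works on constructed ps/netstat-style text; the allowed paths, baseline ports and per-user limit are assumed site policy.

```python
"""Process and port anomaly checks for host-based intrusion detection."""
from collections import Counter
# Constructed sample input (not from the post), "user pid args" per process
# as `ps -eo user,pid,args` prints it, and a `netstat -ltn`-style port list.
SAMPLE_PS = """\
httpd 2201 /usr/sbin/httpd -k start
httpd 2202 /var/www/cgi-bin/counter.cgi
httpd 2203 /tmp/.x/srv -p 4444
nobody 2301 /usr/bin/perl /tmp/a.pl
nobody 2302 /usr/bin/perl /tmp/a.pl
nobody 2303 /usr/bin/perl /tmp/a.pl
nobody 2304 /usr/bin/perl /tmp/a.pl
"""
SAMPLE_LISTEN = ["0.0.0.0:22", "0.0.0.0:80", "0.0.0.0:4444"]

# Site policy (assumed values): what the httpd user may execute, which
# ports are expected to be open, and the per-user process ceiling.
ALLOWED_HTTPD_PREFIXES = ("/usr/sbin/httpd", "/var/www/cgi-bin/")
BASELINE_PORTS = {22, 80}
MAX_PROCS_PER_USER = 3

def parse_ps(text):
    """Return (user, pid, executable) tuples from ps-style output."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            user, pid, args = parts
            procs.append((user, int(pid), args.split()[0]))
    return procs

def unexpected_httpd_procs(procs, allowed=ALLOWED_HTTPD_PREFIXES):
    """httpd-owned processes whose executable is outside the allowed paths."""
    return [(pid, exe) for user, pid, exe in procs
            if user == "httpd" and not exe.startswith(allowed)]

def new_listeners(listen, baseline=BASELINE_PORTS):
    """Listening ports that are not in the baseline."""
    return sorted({int(a.rsplit(":", 1)[1]) for a in listen} - baseline)

def heavy_users(procs, limit=MAX_PROCS_PER_USER):
    """Users owning more than `limit` processes."""
    counts = Counter(user for user, _, _ in procs)
    return sorted(u for u, n in counts.items() if n > limit)

def report(ps_text=SAMPLE_PS, listen=SAMPLE_LISTEN):
    """Run all three checks; any non-empty value is worth a report."""
    procs = parse_ps(ps_text)
    return {"httpd": unexpected_httpd_procs(procs),
            "ports": new_listeners(listen), "users": heavy_users(procs)}
```

Run it from cron against live `ps` and `netstat` output and mail `report()` whenever any list is non-empty; the baseline should be captured while the host is known-clean.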


Re: host-based intrusion detection based on running processes?


Grsecurity has a system auditing feature
with which you can log almost anything like processes run.  You can then
'tail -f' on the log-file and process the output with a script or

