ImSafe - Host Based Anomaly Detection Tool
Imsafe logo ImSafe
Immune Security Architecture
by Laurent Eschenauer

File menu

Connect to driver
Configure the system to use the driver provided by the Linux kernel patch as your source of data for the audit trail of system calls.

Device name :
Leave the default unless you changed it

Application to trace:
At this point you can only trace one application (but multiple processes of it) at a time. Enter the name of the application here. (eg: in.ftpd, in.telnetd, syslogd, ...)
You will be able to trace processes that are NOT YET started.

Trace execve:
Do you want to continue tracing if the program does an execve() system call ? It may generate a lot more data and sometimes is not relevant. But the default is YES since execve() is one of the main call used by crackers when doing a buffer overflow.

Connect to sensor
If you just want to play or you are on another system than Linux, then you may want to use the sensor instead of the device driver. You should have installed the provided ims-sensor which is a quick hack of strace-4.2

Socket Descriptor
The sensor communicates with the server by using UNIX sockets. Since you may have more than one sensor activated (for example one for each daemon like in.ftpd, in.telnetd, etc...) you have to type in the name of the socket descriptor. Default is /tmp/imsensor

Close device
Needed if you want to switch from driver to sensor, etc...

2. Monitor Menu


Behavior database
Is a .db file generated by ImSafe using the Tools->Learn profile option and is containing the behavior of the process you want to monitor for attacks.

Anomaly threshold
Is the level at wich the system will react and detect an intrusion.

Log to file
Log the probability guessed by the system, it is useful for debugging and is needed if you want to plot a complete history of the monitoring using the Monitor->Plot graph feature.

Execute on alert
You can specify here a file to execute on alert, for example sending an e-mail to you, paging the admin, playing a bell sound, etc...

Start Monitor
Will start monitoring the system and reacting upon detection of an Intrusion. If you use a sensor, the program will halt here and wait for a sensor to connect. Yes I'm using a blocking accept() and YES I should change this !

Stop Monitor
I'm sure that you guessed :)
You have to stop the monitor before you can plot a graph (yeah, I need to close the files before plotting them !)

Plot graph
Will only work if you have gnuplot and ghostview installed on your system and in the PATH. In fact I'm just plotting the log with gnuplot.

3. Tools

Learn profile
This feature is used to generate a profile of an application based on an audit trail that you have recorder with the Tools->trace to file feature.
Note that you can use the ims-learn command line tool to do some learning. This is usefull to do batch learn on multiple files (with a simple script) or to use the system on Windows NT where the GUI is not available.

Input trace file
Is a file containing a trace of a process
You can generate this trace with the GUI or by using ims-trace with the -o option.

Output database
Is where you want to save the new database file.

Input database
If you want to use a previous .db so that you can ADD sequences and update the probabilities at the leaves of the tree.

Trace to file
Use this feature to record a trace of system calls to a file, so that you can do some learning. You can also use ims-trace as command line tool to record a trace, this is especially usefull if you want to trace during one week all executions of your FTP server so that you have a nice collection of traces to do an accurate learning.

Is the destination file of the trace. Note that you can't append a trace to
an already existing trace, the previous content will be erased.

Display tree
Used to display the tree contained in a database and to read the probabilities at each leaf.