Saint Jude is a wholly kernel-based intrusion detection and intrusion response system that implements the Saint Jude Model for detection of improper privilege transitions. Saint Jude can detect the presence of ongoing and successful attacks, from sources both local and remote, that would yield root-level access to the attacking individual. Detection is performed using a rule-based anomaly detector that uses a model of normal system behavior that is generated on the protected machine during a training phase. By comparing actual actions against a fully developed model, it is possible to detect attacks against vulnerabilities that are both known and unknown with no false positives or negatives.
| Tags | Security |
|---|---|
| Licenses | GPL |
Recent releases


Changes: This release improves compatibility with Linux distributions.


Changes: This version is intended for and has been tested on the Solaris 8/SPARC platform. 64-bit and 32-bit installations are supported.


Changes: Rolled back the Kernel Integrity software from Saint Michael. This introduces kernel integrity checking, and module support on systems that require module support. Added Read-Only /dev/kmem support. This does not affect the ability to load or unload modules. Eliminated the double-execve problem. New configuration script simplifies platform identification and selection of compile-time options. Spelling corrections in numerous files and comments have been made.


Changes: Checks were updated, and compatibility with 2.4.3 was verified. A potential endless recursion that could occur under crafted conditions was identified and solved. A bug was fixed that could have caused a failed execution by a privileged process to cause its set of allowed programs to decrease by not detecting the execution failure. The risk of gaining privilege was not present due to the downward flow of privileges; however, intended execution paths could be cut off as a result of a failed execve.


Changes: An improper IFDEF test in StJude_lkm.h would prevent compiles on the 2.4.0 kernel. Fixed. StJude_Learning_Parser.pl would produce an output in some instances that could not be compiled. Non-SMP compiles under an SMP kernel have been fixed. If a process exec'd() without forking, and it was an override rule, then the first execution wouldn't be recorded through learning. This has been fixed.