======================================
     EARS v0.7 Beta for Linux x86
     Tishina Syndicate
     http://tishina.cjb.net
     <tishina@innocent.com>
     December 31, 1998.
======================================
     
     
What is EARS? (THE MISSION)
===========================
     
     EARS (Emergency Audit Response System) is one of the first efforts in the 
     development of a single system that identifies, monitors and responds to 
     abnormal system/user/network behavior (such as hacker intrusions) on a 
     distributed level, in real time. 

     This means rapid prevention of disasters and perpetual protection of the network 
     components on a complete scale, yet with unified, real-time examination of all 
     major resources on a per-host basis. The project focuses on three primary 
     objectives:

     	I. Distributed data and control [via secure communications channels on the 
     	network]. Meaning each instance of EARS, residing on the intended hosts, 
     	will use TCP/IP networks independent of any centralized component to 
     	deliver its status or any directions to its peers. However, the only events 
     	that an EARS process can be aware of are those within itself and those 
     	relating to the sending or receiving of a message. The benefit of 
     	autonomous functionality is complete tracking of a network without a single, 
     	dedicated component that, once disabled, renders everything it protected 
     	vulnerable. As you may guess, this feature is far from finished.
     
     	II. Focus on operating system resources such as the process table instead of 
     	the algorithms commonly employed by intrusion detection tools that 
     	depend on static attack signatures. EARS relies directly on the OS kernel 
     	to maintain:
     		- Filesystem(s)
     		- Process table
     		- Network interfaces
     	So only events that essentially interfere with the operation of these three 
     	resources are noticed. This process is simpler and in turn more effective 
     	than the "intelligence" of other methods. Also, this approach detects not only 
     	network problems, but system problems as well.
     
     	III. Scalability of use. I found most commercially available intrusion detection 
     	utilities lacking the ease of use necessary in an emergency situation and 
     	imposing overwhelming requirements for protection, such as a need for a dedicated 
     	host. EARS attempts to innovate not only through distributed operations, 
     	but through features which are effective and practical for enterprise servers as well 
     	as home PCs running *nix. Again, this is achieved partly by focusing on 
     	essential operating system components rather than anticipating 
     	complicated attacks.  
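     As an added illustration of objective II (not code from the EARS project), the 
     following Python script treats the process table the way EARS treats an OS 
     resource: it snapshots /proc, diffs two snapshots into new/changed/gone events, 
     and applies one simple privilege rule instead of an attack signature. The rule 
     is an assumption of this example, not an EARS rule.

```python
import os

def read_proc_table(proc_root="/proc"):
    """Snapshot the live process table as {pid: (ppid, real_uid, comm)}."""
    table = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            fields = {}
            with open(os.path.join(proc_root, entry, "status")) as f:
                for line in f:
                    key, _, value = line.partition(":")
                    fields[key] = value.strip()
            # The Uid line lists real/effective/saved/fs uids; keep the real one.
            table[int(entry)] = (int(fields["PPid"]),
                                 int(fields["Uid"].split()[0]), fields["Name"])
        except (OSError, KeyError, ValueError):
            continue  # process exited between listdir() and open()
    return table

def diff_tables(before, after):
    """Events between two snapshots: (kind, pid, detail), kind = new|changed|gone."""
    events = []
    for pid in sorted(after):
        if pid not in before:
            events.append(("new", pid, after[pid]))
        elif before[pid] != after[pid]:
            events.append(("changed", pid, (before[pid], after[pid])))
    for pid in sorted(before):
        if pid not in after:
            events.append(("gone", pid, before[pid]))
    return events

def flag_events(events, after):
    """Assumed heuristic (not an EARS rule): a new uid-0 process whose parent is not
    uid 0, or is already gone, gained privilege across a fork. setuid tools such as
    su or passwd also trigger it, so treat hits as leads rather than verdicts."""
    alerts = []
    for kind, pid, detail in events:
        if kind == "new" and detail[1] == 0:
            parent = after.get(detail[0])
            if parent is None or parent[1] != 0:
                alerts.append((pid, detail[2], detail[0]))  # (pid, comm, ppid)
    return alerts
```

     To poll a live host, take two read_proc_table() snapshots a few seconds apart 
     and pass them to diff_tables() and then flag_events(); both functions also 
     accept constructed tables, which is how the rule can be tested offline.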
     

CURRENT STATUS
==============
     
     So far, I have managed to implement the EARS engine and the EARS detection module 
     (EARSdm) (not available in beta). They both compile fine on Linux x86, and some 
     porting is planned in the near future. The engine provides functionality to the 
     administrator (see doc/USAGE) and to the detection module to carry out its requests. 
     It can be operated as an independent utility by a user, in which case the user is at 
     liberty to perform any task available, or as a 'parent' that performs algorithms 
     derived and sent, on a client-server basis, by the detection module. 
     
     The EARS engine offers a console for input of commands, while the detection 
     module (dm) autonomously assesses the environment and directs the engine to act 
     accordingly. As the project takes on more distributed algorithms and protocols, the 
     engine and detection module may blend into one object, communicating on a 
     peer-to-peer basis rather than client-server. In addition, all the autonomous 
     functionality will probably be supported by threads.
     
     The beta release of EARS still lacks numerous features, partly because I'm 
     concentrating on the development of the structure explained above rather than on 
     additional features. And since I'm not getting paid for doing this in quite a 
     competitive market, open source and innovation are the driving forces behind 
     the project.  
     
     
INSTALLATION
============
     
     - Requirements
     	a. Linux 1.3.x+ 
     	b. root uid & euid 
     	c. kernel firewall support + /sbin/ipfwadm (optional)
     	d. /usr/sbin/tcpdump (optional) 
     	e. /usr/bin/sendmail (a must for everyone :)
     
     
     - If you're installing full sources, do:
     	
     	1. cd /usr/src
     	2. gzip -cd ears-XX.tar.gz | tar xfv - 
     	3. cd ears*
     	4. make
     	5. make install
     	6. (run /usr/local/sbin/ears)
     
     Although online help is available, _read_ doc/USAGE or man ears.
     Also, by using EARS you agree to the terms listed in doc/LICENSE.
     
     
BUGS AND FEEDBACK
=================
     
     This project depends on the support of its users. So if you have questions, 
     suggestions or bugs to report, please submit them to tishina@innocent.com!
     
     I also recommend visiting http://tishina.cjb.net. Besides the latest EARS, there's a 
     large repository of security-related material as well as links. 
     
     
ACKNOWLEDGEMENTS
================
     
     I thank the following people for contributing to the EARS project:
     
     Name:           <email>:                        component:

     V. Jacobson     <van@helios.ee.lbl.gov>         traceroute.c
     D. Giampaolo    <nick@cs.maxine.wpi.edu>        xkey.c
     ?               <?>                             pm.c


-stas
last modified: 09JAN98
