Re:Implement better IDS (Score 1)
All your ways of attacking the mentioned IDS scheme from the parent can work, given the right circumstances. Basically what it comes down to is that if the attacker has gained access successfully and is in control of the targeted machine, it can always send out messages as if it were not infected. At this point it is too late to try to detect anything. With a challenge-response scheme you might be able to ask for the exact contents of
Two alternatives might be possible to still have a relatively easy to manage and safe IDS: you can boot from r/o media every night and use this system to do the file integrity check (hard to automate a single boot from CD), or you could send a large number of log statements about logins, running processes and firewall logs to a different machine where any unusual events trigger a notice to check the system by hand.
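The first alternative above (a file integrity check run from a trusted boot) rests on comparing the live filesystem against a baseline manifest that the compromised host cannot rewrite. The following is an added example, not code from the post or from any IDS project, showing the core of such a check: a manifest of SHA-256 digests is built from a known-good tree, stored as plain text (so it can live on the read-only media or the remote machine), and later compared against a fresh walk to report added, removed and modified files. The sample tree, the `demo` function and all file names in it are constructed for illustration.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Walk `root` and return {relative_path: sha256_hex} for every regular file."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                # Hash in chunks so large binaries do not have to be read into memory at once.
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def serialize_manifest(manifest):
    """Render the manifest as 'digest  path' lines, suitable for a file on r/o media."""
    return "\n".join(f"{digest}  {path}" for path, digest in sorted(manifest.items()))


def parse_manifest(text):
    """Parse the output of serialize_manifest back into a dict."""
    manifest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split("  ", 1)
        manifest[path] = digest
    return manifest


def compare_manifests(baseline, current):
    """Return which paths were added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, change the tree, then re-check it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary (constructed)")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0 (constructed)")

        # The baseline would be written out once, from a trusted boot, and kept off-host.
        stored = serialize_manifest(build_manifest(root))

        # Simulated changes on the live system: one file replaced, one added, one removed.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"replaced ls binary (constructed)")
        with open(os.path.join(root, "bin", "extra"), "wb") as f:
            f.write(b"file not in baseline (constructed)")
        os.remove(os.path.join(root, "passwd"))

        # The check compares the stored baseline with a fresh walk of the tree.
        return compare_manifests(parse_manifest(stored), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The important property is where the baseline lives: if the manifest sits on the host being checked, a compromised host can simply regenerate it, which is exactly the objection the post raises, so it belongs on the read-only media or the separate logging machine.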