OMENS (Object Monitor for Enhanced Network Security) was born out of the intrusion (and intrusion attempts) analysis that I have been doing over many years. I consistently run into intrusion attempts that existing IDS systems have difficulty detecting. OMENS is my attempt to better detect (and understand) these blind spots in existing systems.
OMENS uses two primary methods to determine hostile activity. Scanning for hostile activity through signature comparisons, and base-lining to determine if any system changes have taken place.
OMENS is initially targeted at defending web servers, because the author of OMENS is most familiar with web based intrusions. However, the concepts employed by OMENS could be used in many other circumstances.
OMENS starts with scanning the web server log file for hostile activity. If it sees anything that matches the hostile signature database, it will report that activity in a report or via syslog.
OMENS also baselines the web server’s (web root) file system. If any changes are made in the files, those files are then scanned for hostile signatures, and any findings are again reported via report or syslog. One unique feature of OMENS is that it will also scan any modified or new files for obfuscated code. A common indicator of hostile files is that they contain obfuscated code. Obfuscation is commonly used to prevent detection. To my knowledge no existing scanner other than OMENS looks for this important indicator.
OMENS can also check the Windows Registry for hostile keys.