Subject: Re: IDS: NT Host Vulnerability Scanners
From: Talisker (Taliskernetworkintrusion.co.uk)
Date: Sun Jul 16 2000 - 06:47:44 CDT


M

Correct me if I'm wrong but WebTrends (formerly Asmodeus) and ISS System
Scanner, install agents on the distant machine, this is something I'm trying
to avoid. The Tripwire product is a File Integrity Checker, and whilst able
to highlight that an attack has occurred, isn't capable of detecting
vulnerabilities to prevent the attack taking place.

With regard to testing I agree wholeheartedly. However, a short trial can
often reveal showstoppers that may negate the need for a full blown trial on
a given product. My aim is to:

1 Get some background on the products, from the experience of others (I
realise this information is often subjective rather than objective) to get a
feel for the products and possibly the heads up on a show stopper. The
inter-vendor discussions in the first qtr of this year were excellent for
this :o)

2 Shortlist a few products for a short trial ie 4-6 weeks.

3 Isolate one or more preferred choices for an extensive trial of a few
months. From experience I don't like to test multiple products
simultaneously to this level, for a variety of reasons, not least having to
keep the Sys Admins of the networks I'm using, sweet, they lose patience if
I'm in their hair too much, also I don't want to introduce more software
than I really have to.

4 At the end of the day I'm not a test house, I'm looking for a working
solution. That said I still wish to have visibility of every feature of
every product so that I can recommend the best solution for the problem.

Oh and IMHO vulnerability scanners aren't nearly as interesting as IDS, so
the quicker I find a solution the quicker I can concentrate on IDS ;o)

Take care

Andy

www.networkintrusion.co.uk

----- Original Message -----
From: <mhtclark.net>
To: "Talisker" <Taliskernetworkintrusion.co.uk>; <idsuow.edu.au>;
<FOCUS-IDSsecurityfocus.com>
Sent: Sunday, July 16, 2000 3:00 AM
Subject: Re: IDS: NT Host Vulnerability Scanners

> WebTrends, ISS and TripWire have products available that sit and assist in
> baselining a particular system based on attributes a user selects or
> adhering some policy that compares the system against a standard or custom
> policy.
>
> Agents sit on a particular host monitoring for certain things and report
> back to a central console..
>
> It really depends on the scope of your test. A live trial in my mind last
> for months on end, and encompasses at least a class 'B' network with at
> least variants from every single type of operating system available plus
> some common apps that may be running.
>
> My type of testing is similar to those Road & Track testing.. First month,
> person gets the car, drives around a bit, a couple of months in the car,
> things start to come loose, shake , vibrate things like that.
>
> A week or two of testing may not be enough
>
> /m
>
> At 10:02 PM 7/15/00 +0100, Talisker wrote:
> >Hi all
> >
> >I'm currently looking at host vulnerability scanners for NT networks, my
> >main requirement is for a tool that doesn't require an agent to be
> >installed, so far I've found STAT and SecurityExpressions (thanks
> >Fernando) both tools seem similar but before I set them against each other
> >on a live trial, I'm hoping once again to feed upon the experiences of the
> >list, I'm looking for the following:
> >
> >1. Is there a great advantage of using agents on each host.
> >
> >2. Has anyone used either of these products and if so what did you think.
> >
> >3. Are there any other products that will achieve the same aim, at a
> >comparative cost.
> >
> >Product information can be found on my host scanner page at
> >http://www.networkintrusion.co.uk/h_scan.htm
> >
> >Thanks in advance
> >
> >Andy
>
> >www.networkintrusion.co.uk
> >
> > '''
> > (0 0)
> > ----oOO----(_)----------
> > | The geek shall |
> > | Inherit the earth |
> > -----------------oOO----
> > |__|__|
> > || ||
> > ooO Ooo
> >
> >
> >The opinions contained within this transmission are entirely my own, and do
> >not necessarily reflect those of my employer.
> >
> >
> >
> >
> >
>
>