|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: IDS: Re: RE: Host IDS
From: Talisker (Talisker
networkintrusion.co.uk)Date: Tue Oct 31 2000 - 13:23:31 CST
- Next message: Talisker: "IDS: Re: Re: RE: Host IDS"
- Previous message: Greg Shipley: "Re: IDS: The price of Security Software"
- Next in thread: Fernando Trias: "IDS: RE: Re: RE: Host IDS"
- Reply: Fernando Trias: "IDS: RE: Re: RE: Host IDS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
RE: RE: Host IDSGene
> I'm beginning to become increasingly fervent in my belief that Tripwire (and other integrity solutions) > should be put into a category, fully outside "intrusion detection".
I agree, I tried to accomplish this on my website by categorising them under File Integrity Checkers alongside, rather than under, Host IDS, Network IDS, Hybrid IDS and Honeypots.
They do have a valuable role for detecting intruders when used to routinely check for alterations and as you point out their other strength is, going back to my military days, Post Attack Recovery using the integrity checker to discover the extent of the compromise
> (The danger is that people may inadverdently skip integrity altogether, thinking that they're > covered because they've implemented a NIDS and HIDS solution.)
I've also seen the opposite, they have a file integrity checker, so they have their IDS needs taken care of.
I read your article today on Security Focus - thanks for sharing it with us http://www.securityfocus.com/announcements/217
File Integrity checkers that I have on my site are
AIDE
Intact
Tripwire chkrootkit
Site Watcher
Veracity Dragon Squire
SMART Watch
Web Watcher
I think that I have all the commercial tools, if I am missing any or any of the premier freeware tools please let me know
I have also started a security-tools notification service with which, I pass details of any new tools that I find. http://www.egroups.com/subscribe/security-tools or by email security-tools-subscribeegroups.com
Take Care
Andy
There are quite a few more freeware integrity checkers
Take Care
Andy
http://www.networkintrusion.co.uk
Talisker's Network Security Tools List
'''
(0 0)
----oOO----(_)----------
| The geek shall |
| Inherit the earth |
-----------------oOO----
|__|__|
|| ||
ooO Ooo
taliskernetworkintrusion.co.uk
The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.
----- Original Message -----
From: Gene Kim
To: Jones, Benny ; 'Talisker' ; idsuow.edu.au ; FOCUS-IDSsecurityfocus.com
Sent: Tuesday, October 31, 2000 5:26 PM
Subject: RE: RE: Host IDS
I think ICSA tried to make room for Tripwire by putting it into the class of "target based intrusion detection". (Engineered by the ubiquitous Becky Bace.)
I'm beginning to become increasingly fervent in my belief that Tripwire (and other integrity solutions) should be put into a category, fully outside "intrusion detection". Anyone who has had to defend servers knows that Tripwire has a place in a security architecture, complementary to NIDS and HIDS. (The danger is that people may inadverdently skip integrity altogether, thinking that they're covered because they've implemented a NIDS and HIDS solution.)
I think the critical taxonomy lies in the fact that it's integrity vs. anomoly detection. (i.e., "is it the same as yesterday" versus "is this something that is characteristic of misuse or an intrusion")
To roll up in one sentence, I view IDS as early warning detection, and integrity as damage assessment and recovery. I use both, because both are essential.
My question: Is there a danger in stepping out of the high-sizzle area of "intrusion detection"? We all think it sounds so sexy. :-) (Note AIDE stands for "advanced intrusion detection environment"... And the original Tripwire papers did say that Tripwire was originally designed for "intrusion detection")
Cheers,
Gene
CTO, Tripwire, Inc.
> -----Original Message-----
> From: Jones, Benny [mailto:Benwcom.net]
> Sent: Monday, September 25, 2000 4:23 AM
> To: 'Talisker'; idsuow.edu.au; FOCUS-IDSsecurityfocus.com
> Subject: IDS: RE: Host IDS
>
>
> Archive: http://msgs.securepoint.com/ids
> FAQ: http://www.ticm.com/kb/faq/idsfaq.html
> IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
> HELP: Having problems... email questions to ids-owneruow.edu.au
> NOTE: Remove this section from reply msgs otherwise the msg
> will bounce.
> SPAM: DO NOT send unsolicted mail to this list.
> UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
> --------------------------------------------------------------
> ---------------
> Could your definition be expanded to include monitoring the
> integrity of system files? If so, Tripwire might be considered
> a host IDS.
>
> Benny Jones
> benwcom.net
>
> -----Original Message-----
> From: Talisker [mailto:Taliskernetworkintrusion.co.uk]
> Sent: Friday, September 22, 2000 1:18 PM
> To: idsuow.edu.au; FOCUS-IDSsecurityfocus.com
> Subject: IDS: Host IDS
>
>
> Archive: http://msgs.securepoint.com/ids
> FAQ: http://www.ticm.com/kb/faq/idsfaq.html
> IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
> HELP: Having problems... email questions to ids-owneruow.edu.au
> NOTE: Remove this section from reply msgs otherwise the msg
> will bounce.
> SPAM: DO NOT send unsolicted mail to this list.
> UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
> --------------------------------------------------------------
> --------------
> -
> I'm currently updating the host IDS page of the web site,
> After recent discussions I would define a host IDS as an IDS
> that detects
> intrusions at the operating system and application level by
> monitoring the
> sys/event logs. Not inbound network traffic
>
> Anyway the Host IDS I have are:
>
> auditGUARD
> Centrax
> CMDS
> Dragon Squire
> EMERALD eXpert-BSM
> Entercept
> Entercept WebSE
> E-Trust Audit
> Intruder Alert
> KSM
> Nocol
> Precis
> RealSecure Agent
> Swatch
>
> Am I missing any? I have separate pages for personal
> firewalls and hybrid
> IDS
>
> Andy
> http://www.networkintrusion.co.uk/ The IDS List
> '''
> (0 0)
> ----oOO----(_)----------
> | The geek shall |
> | Inherit the earth |
> -----------------oOO----
> |__|__|
> || ||
> ooO Ooo
>
>
> The opinions contained within this transmission are entirely
> my own, and do
> not necessarily reflect those of my employer.
>
>
>
>
>
- Next message: Talisker: "IDS: Re: Re: RE: Host IDS"
- Previous message: Greg Shipley: "Re: IDS: The price of Security Software"
- Next in thread: Fernando Trias: "IDS: RE: Re: RE: Host IDS"
- Reply: Fernando Trias: "IDS: RE: Re: RE: Host IDS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]