Subject: IDS: Re: Re: RE: Host IDS
From: Talisker (Talisker@networkintrusion.co.uk)
Date: Tue Oct 31 2000 - 16:15:05 CST
Fernando,
I may not have explained myself very well (senior moment), I'm not trying to say "take Integrity Checkers outside IDS", but leave them in their own category alongside the other IDS products.
I don't mean to keep harping on about my site, but take a look: Integrity Checkers fall under IDS, but they are alongside host IDS, network IDS etc. Part of my reasoning for developing the site originally was that many other IDS lists placed everything from vulnerability scanners to honeypots in one big melting pot. This led to some (I've seen it) picking one product off the list and informing their management that they have IDS, rather than my preference, which would be to pick one or more from each category.
By the way SecurityExpressions is a really great tool, thanks for the help with it
Andy
http://www.networkintrusion.co.uk
Talisker's Network Security Tools List
talisker@networkintrusion.co.uk
I disagree with putting integrity checkers outside of IDS. Such a division would have more to do with the limitations of some implementations rather than with the actual purpose of integrity checking. What if the integrity checker detected changes in real time rather than the next day? Would we still say it hasn't "detected" an intrusion?
Take Care
Andy
http://www.networkintrusion.co.uk
Talisker's Network Security Tools List
'''
(0 0)
----oOO----(_)----------
| The geek shall |
| Inherit the earth |
-----------------oOO----
|__|__|
|| ||
ooO Ooo
talisker@networkintrusion.co.uk
The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.
----- Original Message -----
From: Gene Kim
To: Jones, Benny ; 'Talisker' ; ids@uow.edu.au ; FOCUS-IDS@securityfocus.com
Sent: Tuesday, October 31, 2000 5:26 PM
Subject: RE: RE: Host IDS
I think ICSA tried to make room for Tripwire by putting it into the class of "target based intrusion detection". (Engineered by the ubiquitous Becky Bace.)
I'm beginning to become increasingly fervent in my belief that Tripwire (and other integrity solutions) should be put into a category, fully outside "intrusion detection". Anyone who has had to defend servers knows that Tripwire has a place in a security architecture, complementary to NIDS and HIDS. (The danger is that people may inadvertently skip integrity altogether, thinking that they're covered because they've implemented a NIDS and HIDS solution.)
I think the critical taxonomy lies in the fact that it's integrity vs. anomaly detection. (i.e., "is it the same as yesterday" versus "is this something that is characteristic of misuse or an intrusion")
To roll up in one sentence, I view IDS as early warning detection, and integrity as damage assessment and recovery. I use both, because both are essential.
My question: Is there a danger in stepping out of the high-sizzle area of "intrusion detection"? We all think it sounds so sexy. :-) (Note AIDE stands for "advanced intrusion detection environment"... And the original Tripwire papers did say that Tripwire was originally designed for "intrusion detection")
Cheers,
Gene
CTO, Tripwire, Inc.
> -----Original Message-----
> From: Jones, Benny [mailto:Ben@wcom.net]
> Sent: Monday, September 25, 2000 4:23 AM
> To: 'Talisker'; ids@uow.edu.au; FOCUS-IDS@securityfocus.com
> Subject: IDS: RE: Host IDS
>
>
> Archive: http://msgs.securepoint.com/ids
> FAQ: http://www.ticm.com/kb/faq/idsfaq.html
> IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
> HELP: Having problems... email questions to ids-owner@uow.edu.au
> NOTE: Remove this section from reply msgs otherwise the msg
> will bounce.
> SPAM: DO NOT send unsolicited mail to this list.
> UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
> --------------------------------------------------------------
> ---------------
> Could your definition be expanded to include monitoring the
> integrity of system files? If so, Tripwire might be considered
> a host IDS.
>
> Benny Jones
> ben@wcom.net
>
> -----Original Message-----
> From: Talisker [mailto:Talisker@networkintrusion.co.uk]
> Sent: Friday, September 22, 2000 1:18 PM
> To: ids@uow.edu.au; FOCUS-IDS@securityfocus.com
> Subject: IDS: Host IDS
>
>
> I'm currently updating the host IDS page of the web site.
> After recent discussions I would define a host IDS as an IDS
> that detects intrusions at the operating system and application
> level by monitoring the sys/event logs, not inbound network traffic.
>
> Anyway the Host IDS I have are:
>
> auditGUARD
> Centrax
> CMDS
> Dragon Squire
> EMERALD eXpert-BSM
> Entercept
> Entercept WebSE
> E-Trust Audit
> Intruder Alert
> KSM
> Nocol
> Precis
> RealSecure Agent
> Swatch
>
> Am I missing any? I have separate pages for personal firewalls
> and hybrid IDS
>
> Andy
> http://www.networkintrusion.co.uk/ The IDS List
> '''
> (0 0)
> ----oOO----(_)----------
> | The geek shall |
> | Inherit the earth |
> -----------------oOO----
> |__|__|
> || ||
> ooO Ooo
>
>
> The opinions contained within this transmission are entirely
> my own, and do
> not necessarily reflect those of my employer.
>
>
>
>
>
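Gene's "is it the same as yesterday" test, shown as an added illustration (not code from this thread or from Tripwire): a minimal baseline-and-compare integrity checker that records a digest, size and mode for every regular file, then reports what was added, removed or modified. The directory contents are constructed in a temporary folder purely for the demonstration.

```python
"""Minimal Tripwire-style integrity check: snapshot a tree, then answer
'is it the same as yesterday?' by diffing two snapshots."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Return {relative_path: (sha256, size, mode)} for every regular file under root."""
    base = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            rel = os.path.relpath(p, root)
            base[rel] = (_digest(p), st.st_size, stat.S_IMODE(st.st_mode))
    return base


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots as added / removed / modified.
    Any change in digest, size or mode counts: the check does not ask whether
    the change looks like misuse, only whether the file is still as recorded."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline two files, then edit one, delete one, add one."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "app.conf").write_text("debug = off\n")
        (Path(root) / "motd").write_text("Authorised users only.\n")
        baseline = snapshot(root)          # "yesterday"
        (Path(root) / "app.conf").write_text("debug = on\n")
        (Path(root) / "motd").unlink()
        (Path(root) / "new.conf").write_text("x = 1\n")
        return compare(baseline, snapshot(root))   # "today"
```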