Subject: Re: Intrusion Detection Logfile Software
From: Curt Wilson (netw3NETW3.COM)
Date: Thu Oct 12 2000 - 00:45:06 CDT


One site that I work with runs a commercial app
called PrivateI (www.opensystems.com) that runs on
NT and Solaris. It works with multiple types of
firewalls, including Cisco PIX, FW-1, and perhaps
others. This site has an NT server system that
parses the firewall syslog and runs it through
a "Watchdog" application which can be configured to
send email, page, audio, and/or visual notification
depending upon the event being reported in the
syslog.

This doesn't seem to be a true IDS, more of a syslog
analyzer but it does provide notification. You can set it
to respond to different ports, IP addresses, etc.

I also augment this process by scanning the site's IIS
and firewall syslogs with a custom-made batch file
(good ol' MS-DOS) that uses the xgrep utility to
search for anything other than normal traffic. A Linux
box could do this easier but I didn't have one handy
at this site, and the batch file works OK for this
smaller site.

The batch file log scanner reports things like FIN SYN
scans, where the PrivateI application is less granular,
and sometimes does not provide an indication of an
abnormal or security related event. Since this site
does not have a true IDS, this is an after-the-fact
solution with the batch file. I'm sure that with a Linux
box and snort, shadow, swatch, or other tools you
could set up a pretty decent solution on a small or
non-existent budget.

Good day,
Curt Wilson
Netw3.Com Consulting
www.netw3.com
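The "anything other than normal traffic" scan and the SYN+FIN check that Curt describes, written here as a POSIX shell script (the Linux-box variant he mentions) rather than his MS-DOS batch file. This is an added example, not his script, and not Curt's or Netw3's code. The log line format, the site's published services (TCP 25, 80, 443 on 192.0.2.10), and the sample lines are all constructed for the example; real PIX or FW-1 syslog output looks different and the patterns would need adjusting to it.

```shell
#!/bin/sh
# Added example, not the batch file from the original post.
# Approach: strip out everything that matches the site's known-normal traffic
# and report what is left, then separately flag packets carrying SYN and FIN
# together, a flag combination no legitimate TCP handshake uses.

# Constructed sample firewall syslog lines (not captured traffic). The format
# is invented for this example; source hosts use RFC 5737 documentation ranges.
sample_log() {
    cat <<'EOF'
Oct 12 00:45:01 fw kernel: ACCEPT TCP 203.0.113.5:4123 -> 192.0.2.10:80 flags=SYN
Oct 12 00:45:02 fw kernel: ACCEPT TCP 203.0.113.7:4200 -> 192.0.2.10:443 flags=SYN
Oct 12 00:45:03 fw kernel: DROP TCP 198.51.100.9:31337 -> 192.0.2.10:23 flags=SYN,FIN
Oct 12 00:45:04 fw kernel: DROP TCP 198.51.100.9:31338 -> 192.0.2.10:22 flags=SYN,FIN
Oct 12 00:45:05 fw kernel: ACCEPT TCP 203.0.113.9:4300 -> 192.0.2.10:25 flags=SYN
Oct 12 00:45:06 fw kernel: DROP UDP 198.51.100.20:1025 -> 192.0.2.10:161
EOF
}

# What "normal" means for this (assumed) site: accepted TCP connections to the
# published services on 192.0.2.10. Anything that does not match is reported.
# Tighten or extend this pattern per site; the point is to whitelist the
# expected traffic so the residue is small enough to read by hand.
NORMAL_PATTERN='ACCEPT TCP [0-9.]+:[0-9]+ -> 192\.0\.2\.10:(25|80|443) flags=SYN$'

# Print every log line (from stdin) that is not known-normal traffic.
abnormal_lines() {
    grep -v -E "$NORMAL_PATTERN"
}

# Number of lines that are not known-normal traffic.
count_abnormal() {
    abnormal_lines | grep -c .
}

# Print lines whose TCP flags carry both SYN and FIN, in either order.
syn_fin_lines() {
    grep -E 'flags=[A-Z,]*SYN[A-Z,]*FIN|flags=[A-Z,]*FIN[A-Z,]*SYN'
}

# Number of SYN+FIN probes seen.
count_syn_fin() {
    syn_fin_lines | grep -c .
}

# Distinct source addresses that sent SYN+FIN: one line per scanning host
# rather than one per probe, which is what you actually want in a report.
syn_fin_sources() {
    syn_fin_lines | sed -E 's/.*TCP ([0-9.]+):[0-9]+ ->.*/\1/' | sort -u
}

main() {
    echo "== Lines not matching the normal-traffic pattern =="
    sample_log | abnormal_lines
    echo "== SYN+FIN probes =="
    sample_log | syn_fin_lines
    echo "== Hosts sending SYN+FIN =="
    sample_log | syn_fin_sources
}

main "$@"
```

Pipe a real log into the functions instead of sample_log to use it on live data, e.g. `abnormal_lines < /var/log/firewall.log`. Because the script reports the residue after removing known-normal traffic, a new legitimate service shows up as noise until its pattern is added, which is the right failure direction for a scanner that runs after the fact.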