OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Host IDS
From: Gene Kim (genekTRIPWIRE.COM)
Date: Tue Oct 31 2000 - 11:26:22 CST

I think ICSA tried to make room for Tripwire by putting it into the class of
"target based intrusion detection". (Engineered by the ubiquitous Becky
Bace.)

I'm beginning to become increasingly fervent in my belief that Tripwire (and
other integrity solutions) should be put into a category, fully outside
"intrusion detection". Anyone who has had to defend servers knows that
Tripwire has a place in a security architecture, complementary to NIDS and
HIDS. (The danger is that people may inadverdently skip integrity
altogether, thinking that they're covered because they've implemented a NIDS
and HIDS solution.)

I think the critical taxonomy lies in the fact that it's integrity vs.
anomoly detection. (i.e., "is it the same as yesterday" versus "is this
something that is characteristic of misuse or an intrusion")

To roll up in one sentence, I view IDS as early warning detection, and
integrity as damage assessment and recovery. I use both, because both are
essential.

My question: Is there a danger in stepping out of the high-sizzle area of
"intrusion detection"? We all think it sounds so sexy. :-) (Note AIDE
stands for "advanced intrusion detection environment"... And the original
Tripwire papers did say that Tripwire was originally designed for "intrusion
detection")

Cheers,
Gene
CTO, Tripwire, Inc.

> -----Original Message-----
> From: Jones, Benny [mailto:Benwcom.net]
> Sent: Monday, September 25, 2000 4:23 AM
> To: 'Talisker'; idsuow.edu.au; FOCUS-IDSsecurityfocus.com
> Subject: IDS: RE: Host IDS
>
>
> Archive: http://msgs.securepoint.com/ids
> FAQ: http://www.ticm.com/kb/faq/idsfaq.html
> IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
> HELP: Having problems... email questions to ids-owneruow.edu.au
> NOTE: Remove this section from reply msgs otherwise the msg
> will bounce.
> SPAM: DO NOT send unsolicted mail to this list.
> UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
> --------------------------------------------------------------
> ---------------
> Could your definition be expanded to include monitoring the
> integrity of system files? If so, Tripwire might be considered
> a host IDS.
>
> Benny Jones
> benwcom.net
>
> -----Original Message-----
> From: Talisker [mailto:Taliskernetworkintrusion.co.uk]
> Sent: Friday, September 22, 2000 1:18 PM
> To: idsuow.edu.au; FOCUS-IDSsecurityfocus.com
> Subject: IDS: Host IDS
>
>
> Archive: http://msgs.securepoint.com/ids
> FAQ: http://www.ticm.com/kb/faq/idsfaq.html
> IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
> HELP: Having problems... email questions to ids-owneruow.edu.au
> NOTE: Remove this section from reply msgs otherwise the msg
> will bounce.
> SPAM: DO NOT send unsolicted mail to this list.
> UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
> --------------------------------------------------------------
> --------------
> -
> I'm currently updating the host IDS page of the web site,
> After recent discussions I would define a host IDS as an IDS
> that detects
> intrusions at the operating system and application level by
> monitoring the
> sys/event logs. Not inbound network traffic
>
> Anyway the Host IDS I have are:
>
> auditGUARD
> Centrax
> CMDS
> Dragon Squire
> EMERALD eXpert-BSM
> Entercept
> Entercept WebSE
> E-Trust Audit
> Intruder Alert
> KSM
> Nocol
> Precis
> RealSecure Agent
> Swatch
>
> Am I missing any? I have separate pages for personal
> firewalls and hybrid
> IDS
>
> Andy
> http://www.networkintrusion.co.uk/ The IDS List
> '''
> (0 0)
> ----oOO----(_)----------
> | The geek shall |
> | Inherit the earth |
> -----------------oOO----
> |__|__|
> || ||
> ooO Ooo
>
>
> The opinions contained within this transmission are entirely
> my own, and do
> not necessarily reflect those of my employer.
>
>
>
>
>