Subject: host ids service
From: MCKILLICAN, DONALD (donald.mckillican at BELL.CA)
Date: Wed Nov 01 2000 - 10:57:30 CST
- Next message: Talisker: "Re: host ids service"
- Previous message: urandom: "Re: Unicode and IDS evasion"
- Next in thread: Talisker: "Re: host ids service"
- Reply: Talisker: "Re: host ids service"
- Reply: Ron Gula: "Re: host ids service"
- Reply: Carskadden, Rush: "Re: host ids service"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
As long as we're talking about host ids for a bit, let me describe
an issue I'm wrestling with.
We have a number of web servers, which run various eCommerce type
applications. As such, they are definite targets for crackers,
both those types who just want to get their names (and ours) in
the paper (or on BugTraq), and from those who would like to
subvert the applications to give them free services, products or
even money. So intrusion detection is kinda important, you might
say.
In addition, it can't be done with (just) a network ids, because
most of the traffic (and all of the really interesting stuff) is
inside an SSL tunnel. So my first need is for a host ids that can
analyse web logs for attack signatures (the traffic won't be in
clear until the web server software decrypts it, so even
host-based network traffic analysis is out). Also, it would be
very helpful if we could get the same software on, say, both NT
and Solaris, and handling IIS, Netscape and Apache servers (and
maybe even the odd proprietary server producing moderately
standard ASCII logs). Having a centralized management console
would also be nice.
But if all we get is a product, that still leaves us with a large
problem, namely configuring it. I'm not terribly keen on going
back over the last two years of BugTraq, etc. trying to decide
what each attack signature looks like. So it would be nice if the
people who make the product had actually already done that, and
provided the signatures as part of the product.
And it would be nicer still if that product included a service
that provided regular (no worse than monthly) updates to those
signatures. Some consulting to help us create signatures that
might help to identify a cracker looking for buffer overflows in
our own applications would be the icing on the cake.
I see lots of products out on the market, but so far I haven't
seen a service like this, which rather surprises me. Am I the
only one who would sign up for it? Or is it really already
available and I just haven't stumbled across it yet? Is it time
for a new open source project? <grin> Any thoughts would be
appreciated.
Thanks,
Donald McKillican
Bell Canada Corporate Security
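An added example, not part of Donald's message, sketching the log-based host IDS he describes: two small parsers normalise Apache common-log and IIS W3C lines into one record, a data-driven signature table is matched against the request path (kept as data so a monthly update is a file swap), and a site-specific rule flags overlong query values of the kind a buffer-overflow probe against an in-house application would leave behind. All function names, patterns and log lines are constructed for this illustration.

```python
import re
from collections import namedtuple

# Normalized record produced by both parsers (hypothetical name).
Request = namedtuple("Request", "host method path status")

# Apache/NCSA common log format: host ident user [time] "METHOD path proto" status size
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_apache(line):
    m = APACHE_RE.match(line)
    return Request(m.group(1), m.group(2), m.group(3), int(m.group(4))) if m else None

def parse_iis_w3c(line, fields):
    # IIS W3C extended format: space-separated columns; in a real file `fields`
    # comes from the "#Fields:" header, here it is passed in explicitly.
    if line.startswith("#"):
        return None
    cols = dict(zip(fields, line.split()))
    q = cols.get("cs-uri-query", "-")
    path = cols.get("cs-uri-stem", "") + ("" if q == "-" else "?" + q)
    return Request(cols.get("c-ip"), cols.get("cs-method"), path, int(cols.get("sc-status", 0)))

# Signature table kept as data, so a vendor update replaces the list, not the code.
SIGNATURES = [
    ("directory-traversal", re.compile(r"\.\./|%2e%2e%2f", re.I)),
    ("cmd-exe-request", re.compile(r"/cmd\.exe", re.I)),
]

def overlong_parameter(path, limit=256):
    """Site-specific rule: any query value longer than `limit` characters."""
    if "?" not in path:
        return False
    return any(len(kv.split("=", 1)[-1]) > limit for kv in path.split("?", 1)[1].split("&"))

def match(req):
    hits = [name for name, pat in SIGNATURES if pat.search(req.path)]
    if overlong_parameter(req.path):
        hits.append("overlong-parameter")
    return hits

# Constructed sample lines (not real traffic): two Apache lines, two IIS lines.
APACHE_LINES = ['10.0.0.5 - - [01/Nov/2000:10:57:30 -0600] "GET /cgi-bin/../../etc/passwd HTTP/1.0" 404 210',
                '10.0.0.6 - - [01/Nov/2000:10:58:01 -0600] "GET /index.html HTTP/1.0" 200 1043']
IIS_FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]
IIS_LINES = ["2000-11-01 10:59:12 10.0.0.7 GET /scripts/cmd.exe - 200",
             "2000-11-01 10:59:40 10.0.0.8 GET /order.asp item=" + "A" * 300 + " 500"]

def demo():
    """Scan the constructed lines through both parsers; returns (host, path, hits) per alert."""
    recs = [parse_apache(l) for l in APACHE_LINES] + [parse_iis_w3c(l, IIS_FIELDS) for l in IIS_LINES]
    return [(r.host, r.path, match(r)) for r in recs if r and match(r)]
```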