OSEC

Subject: Re: host ids service
From: Talisker (Talisker@NETWORKINTRUSION.CO.UK)
Date: Wed Nov 01 2000 - 16:05:11 CST


Donald

> In addition, it can't be done with (just) a network ids, because
> most of the traffic (and all of the really interesting stuff) is
> inside an SSL tunnel. So my first need is for a host ids that can
> analyse web logs for attack signatures (the traffic won't be in

Does Entercept Web SE work far enough up the protocol stack?
(Host IDS)

> clear until the web server software decrypts it, so even
> host-based network traffic analysis is out). Also, it would be
> very helpful if we could get the same software on, say, both NT
> and Solaris, and handling IIS, Netscape and Apache servers (and
> maybe even the odd proprietary server producing moderately
> standard ASCII logs). Having a centralized management console
> would also be nice.

Is it essential to have such a plethora of web server platforms? Furthermore,
can you not have your non-"really interesting stuff" on a separate server?

Andy
http://www.networkintrusion.co.uk
Talisker's Network Security Tools List
talisker@networkintrusion.co.uk

From: "MCKILLICAN, DONALD" <donald.mckillican@BELL.CA>
To: <FOCUS-IDS@securityfocus.com>
Sent: Wednesday, November 01, 2000 4:57 PM
Subject: host ids service

>
> In addition, it can't be done with (just) a network ids, because
> most of the traffic (and all of the really interesting stuff) is
> inside an SSL tunnel. So my first need is for a host ids that can
> analyse web logs for attack signatures (the traffic won't be in
> clear until the web server software decrypts it, so even
> host-based network traffic analysis is out). Also, it would be
> very helpful if we could get the same software on, say, both NT
> and Solaris, and handling IIS, Netscape and Apache servers (and
> maybe even the odd proprietary server producing moderately
> standard ASCII logs). Having a centralized management console
> would also be nice.
>
> But if all we get is a product, that still leaves us with a large
> problem, namely configuring it. I'm not terribly keen on going
> back over the last two years of BugTraq, etc. trying to decide
> what each attack signature looks like. So it would be nice if the
> people who make the product had actually already done that, and
> provided the signatures as part of the product.
>
> And it would be nicer still if that product included a service
> that provided regular (no worse than monthly) updates to those
> signatures. Some consulting to help us create signatures that
> might help to identify a cracker looking for buffer overflows in
> our own applications would be the icing on the cake.
>
> I see lots of products out on the market, but so far I haven't
> seen a service like this, which rather surprises me. Am I the
> only one who would sign up for it? Or is it really already
> available and I just haven't stumbled across it yet? Is it time
> for a new open source project? <grin> Any thoughts would be
> appreciated.
>
> Thanks,
> Donald McKillican
> Bell Canada Corporate Security
>
>
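The host-side web-log signature analysis Donald asks for (parsing Apache/Netscape and IIS log lines on the server, after SSL has been decrypted, and matching them against shipped signatures, including an oversized-request check for overflow probing) as an added Python example; this is not code from the thread or from any product named in it, the W3C field order and the MAX_URL threshold are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Apache / Netscape Common Log Format: host ident user [ts] "METHOD url proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)
# IIS W3C extended format; assumed field order (would come from the log's "#Fields:" header)
W3C_FIELDS = ["date", "time", "host", "method", "path", "query", "status"]

# Signatures a vendor would ship and update: (name, check(method, url) -> bool)
MAX_URL = 1024  # assumed threshold: longer request lines suggest overflow probing
SIGNATURES = [
    ("directory traversal", lambda m, u: ".." in unquote(u)),
    ("oversized request (overflow probe)", lambda m, u: len(u) > MAX_URL),
    ("unexpected method", lambda m, u: m.upper() not in {"GET", "POST", "HEAD"}),
]

def parse_line(line):
    # Normalise one CLF or W3C line to (host, method, url, status); None if not a request
    line = line.rstrip("\n")
    if not line or line.startswith("#"):
        return None
    m = CLF_RE.match(line)
    if m:
        return m["host"], m["method"], m["url"], int(m["status"])
    parts = line.split()
    if len(parts) == len(W3C_FIELDS) and parts[0][:4].isdigit():
        rec = dict(zip(W3C_FIELDS, parts))
        url = rec["path"] if rec["query"] == "-" else f'{rec["path"]}?{rec["query"]}'
        return rec["host"], rec["method"], url, int(rec["status"])
    return None

def scan(lines):
    # Yield (client host, signature name, url) for every line that trips a signature
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, method, url, _status = rec
        for name, check in SIGNATURES:
            if check(method, url):
                yield host, name, url

# Constructed sample lines: one Apache-style benign request, one traversal, one IIS W3C long query
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2000:16:05:11 -0600] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.11 - - [01/Nov/2000:16:05:12 -0600] "GET /cgi-bin/../../etc/passwd HTTP/1.0" 404 -',
    '#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status',
    '2000-11-01 16:05:13 192.0.2.12 GET /search.cgi q=' + 'A' * 2000 + ' 500',
]

if __name__ == "__main__":
    for host, name, url in scan(SAMPLE_LOG):
        print(f"{host}: {name}: {url[:60]}")
```

Because this runs on the server's own logs, the same signature set works regardless of whether the traffic arrived over SSL, which is exactly why a network IDS cannot see it.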