Subject: Re: host ids service
From: Ron Gula (rgulaNETWORK-DEFENSE.COM)
Date: Wed Nov 01 2000 - 21:27:01 CST


Hello Donald,

Our Dragon IDS does exactly what you are asking. It has three
components, Dragon Squire is the HIDS, Dragon Sensor is the
NIDS and Dragon Server is the event management and configuration
system.

Dragon Squire is available for all the UNIX platforms and web
server applications you spoke of, plus the NT version will be
available in late November. Squire also can read logs from many
commercial/free firewalls as well as routers & switches. It will
also perform file integrity checking on your key files and keep
the hash values on the Dragon Server.

Dragon Sensor is the NIDS and still may be useful to you if
you deploy it outside of your SSL tunnel to look for port scans
and other probes. Deploying it inside your network can still
be useful as it can be programmed to look for *any* traffic
which is not ssl, to audit management connections to the
web servers via ssh/ftp and to look for attacks in general
coming from places inside your host network which you would not
expect to see in the first place.

The signatures for Dragon Squire and Dragon Sensor are updated
regularly and are sent directly to your Dragon Server. There is
no dedicated signature subscription service that you pay for.
The service is included in the annual maintenance of the product.

All of the Dragon Sensor/Squire configuration is controlled from
a common web interface. All analysis happens in three web interfaces.
There is a real time web interface which can display the last
million or so events, there is a long term 'trend' interface which
uses database functions to store event records long term and there
is a forensic interface which stores the actual packet data, log
data and IDS data (like MD5 checksum violations). We will also be
adding a reporting tool which will automate processing of 2nd order
events.

An example screen shot of the forensic tool we call Dragon Fire is
available at: http://www.securitywizards.com/images/1console.gif
The screenshot shows events from ipfilter, Dragon Sensor and Dragon
Squire in one interface.

Apologies for the blatant marketing/product stuff, but what you are
asking for, we have already implemented at a fair number of banks,
ISPs, ASPs, universities and US government organizations.

Ron Gula
VP IDS Products
Enterasys Networks
http://www.enterasys.com
http://www.securitywizards.com

At 11:57 AM 11/1/00 -0500, you wrote:
>As long as we're talking about host ids for a bit, let me describe
>an issue I'm wrestling with.
>
>We have a number of web servers, which run various eCommerce type
>applications. As such, they are definite targets for crackers,
>both those types who just want to get their names (and ours) in
>the paper (or on BugTraq), and from those who would like to
>subvert the applications to give them free services, products or
>even money. So intrusion detection is kinda important, you might
>say.
>
>In addition, it can't be done with (just) a network ids, because
>most of the traffic (and all of the really interesting stuff) is
>inside an SSL tunnel. So my first need is for a host ids that can
>analyse web logs for attack signatures (the traffic won't be in
>clear until the web server software decrypts it, so even
>host-based network traffic analysis is out). Also, it would be
>very helpful if we could get the same software on, say, both NT
>and Solaris, and handling IIS, Netscape and Apache servers (and
>maybe even the odd proprietary server producing moderately
>standard ASCII logs). Having a centralized management console
>would also be nice.
>
>But if all we get is a product, that still leaves us with a large
>problem, namely configuring it. I'm not terribly keen on going
>back over the last two years of BugTraq, etc. trying to decide
>what each attack signature looks like. So it would be nice if the
>people who make the product had actually already done that, and
>provided the signatures as part of the product.
>
>And it would be nicer still if that product included a service
>that provided regular (no worse than monthly) updates to those
>signatures. Some consulting to help us create signatures that
>might help to identify a cracker looking for buffer overflows in
>our own applications would be the icing on the cake.
>
>I see lots of products out on the market, but so far I haven't
>seen a service like this, which rather surprises me. Am I the
>only one who would sign up for it? Or is it really already
>available and I just haven't stumbled across it yet? Is it time
>for a new open source project? <grin> Any thoughts would be
>appreciated.
>
>Thanks,
>Donald McKillican
>Bell Canada Corporate Security
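Donald's requirement above (one signature-driven log analyser that reads IIS, Netscape and Apache logs, with signatures shipped as updatable data rather than hand-built from BugTraq) can be sketched in a few dozen lines. The following is an added example written for this archive page; it is not Dragon Squire's code or anything from either poster. The Apache combined-format regex and the IIS W3C "#Fields:" handling follow the public log formats; the signature list, the 512-byte URI threshold and the log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined log line: host ident user [time] "METHOD URI PROTO" status size
APACHE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed signature set: (name, regex) pairs applied to the request URI.
# Kept as data so a vendor feed could replace it without touching the scanner.
SIGNATURES = [
    ("path-traversal", re.compile(r"(?:\.\./|\.\.\\)")),
    ("null-byte", re.compile(r"\x00|%00", re.IGNORECASE)),
]
MAX_URI_LEN = 512  # assumed threshold: longer URIs flagged as possible overflow probes


def parse_apache(line):
    """Return a normalised record for one Apache log line, or None if unparseable."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    return {"host": m.group("host"), "method": m.group("method"),
            "uri": m.group("uri"), "status": int(m.group("status"))}


class IisW3cParser:
    """Stateful parser: a '#Fields:' directive defines the column layout for later lines."""

    def __init__(self):
        self.fields = None

    def parse(self, line):
        if line.startswith("#Fields:"):
            self.fields = line.split()[1:]
            return None
        if line.startswith("#") or not line.strip() or self.fields is None:
            return None
        values = dict(zip(self.fields, line.split()))
        stem = values.get("cs-uri-stem", "-")
        query = values.get("cs-uri-query", "-")
        uri = stem if query == "-" else f"{stem}?{query}"  # '-' means empty in W3C logs
        try:
            status = int(values.get("sc-status", "0"))
        except ValueError:
            status = 0
        return {"host": values.get("c-ip", "-"), "method": values.get("cs-method", "-"),
                "uri": uri, "status": status}


def match_signatures(record):
    """Names of signatures hit by this record; checks raw and percent-decoded URI."""
    hits = []
    raw = record["uri"]
    for text in (raw, unquote(raw)):
        for name, rx in SIGNATURES:
            if name not in hits and rx.search(text):
                hits.append(name)
    if len(raw) > MAX_URI_LEN:
        hits.append("overlong-request")
    return hits


def scan_log(lines):
    """Auto-detect the format (IIS W3C files open with '#' directives) and return alerts."""
    alerts = []
    iis = IisW3cParser()
    is_iis = bool(lines) and lines[0].startswith("#")
    for lineno, line in enumerate(lines, 1):
        rec = iis.parse(line) if is_iis else parse_apache(line)
        if rec is None:
            continue
        for name in match_signatures(rec):
            alerts.append((lineno, name, rec["host"], rec["uri"]))
    return alerts


# Constructed sample logs (not real traffic).
APACHE_SAMPLE = [
    '10.1.2.3 - - [01/Nov/2000:11:57:00 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '10.1.2.3 - - [01/Nov/2000:11:57:05 -0500] "GET /cgi-bin/../../private/config HTTP/1.0" 404 294',
    '10.1.2.4 - - [01/Nov/2000:11:57:09 -0500] "GET /' + "A" * 600 + ' HTTP/1.0" 400 0',
]
IIS_SAMPLE = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Date: 2000-11-01 16:57:00",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2000-11-01 16:57:01 10.1.2.9 GET /default.htm - 200",
    "2000-11-01 16:57:02 10.1.2.9 GET /scripts/%2e%2e/%2e%2e/private/config.txt - 404",
]

if __name__ == "__main__":
    for label, sample in (("apache", APACHE_SAMPLE), ("iis", IIS_SAMPLE)):
        for lineno, name, host, uri in scan_log(sample):
            print(f"{label}:{lineno} {name} from {host}: {uri[:60]}")
```

The point of the normalised record is that the signature list is written once against a request URI and applies to every server whose log can be parsed into that shape, which is what makes a single signature feed across NT and Solaris hosts workable; adding a Netscape or proprietary ASCII format means adding a parser, not rewriting signatures.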