From: Mark Crosbie (mcrosbiecup.hp.com)
Date: Fri Jan 11 2002 - 12:33:35 CST

    On Thu, 2002-01-10 at 10:06, mhtclark.net wrote:
    > Has anyone looked at or evaluated..
    >
    > http://www.hp.com/security/products/ids/
    >
    > More host-based/file integrity than Intrusion Detectionish..

    Actually it *doesn't* do file-integrity a la Tripwire. It monitors
    system calls from the kernel so if you attempt to change files or
    directories (in any way) it will generate an alert and also fire off a
    response script to allow you to recover from the change (think restoring
    /bin to clean up after a rootkit installation in real-time).

    As for "intrusion detectionishy" stuff we have templates that detect
    unusual privilege escalations and attempted race condition exploits. The
    privilege escalation template is unfortunately named "Buffer Overflow
    detection" (thank you marketing :-)

    But if you think about it, what most attackers do after they break in is
    they create a backdoor account, a setuid root backdoor, install a
    trojan rootkit or clean up logs. All of these involve modifying files so
    by detecting file and directory changes in real time you can watch an
    attacker as they worm their way into your system.

    Enough from me, I'm almost beginning to sound like marketing now...

    If you're interested in finding out more drop me a mail, or download the
    product from http://software.hp.com (product number J5083AA). It's free
    (as in beer).

    Regards,
    Mark.
     
    > Thoughts, comments, critiques..
    >

    -- 
    Mark Crosbie            IDS/9000 Product Architect
    http://www.hp.com/security/products/ids
    Hewlett-Packard MS 47 LA        mcrosbiecup.hp.com
    19447 Pruneridge Avenue         (408) 447-2308
    Cupertino, CA 95014             (408) 447-6766 FAX
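The mechanism Mark describes (detect a file or directory change, raise an alert, and fire a response script that restores the clean state) can be sketched in a few dozen lines. The following is an added example written for this archive page, not code from HP or from IDS/9000: where the product hooks kernel system calls, this stand-in polls a directory tree, compares SHA-256 digests and mode bits against a baseline, flags newly setuid files (the "setuid root backdoor" case from the message), and as its response copies touched files back from a clean copy. The directory tree, file contents and the "trojan" marker are constructed inline for the demo.

```python
"""Polling file-change monitor with an automated restore response (constructed example).

Assumptions: a read-only clean copy of the protected tree exists, and the
monitor runs often enough that polling approximates real-time detection.
A kernel syscall hook (as in IDS/9000) would see the change as it happens;
this code only sees it on the next scan.
"""
import hashlib
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass, field


@dataclass
class Entry:
    digest: str   # SHA-256 of the file contents
    mode: int     # permission bits, including setuid/setgid/sticky


def snapshot(root):
    """Return {relative_path: Entry} for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, etc.
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(full, root)] = Entry(digest, stat.S_IMODE(st.st_mode))
    return result


@dataclass
class Report:
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    modified: list = field(default_factory=list)   # content or mode changed
    new_setuid: list = field(default_factory=list)  # setuid bit appeared


def diff(baseline, current):
    """Compare two snapshots and classify every difference."""
    rep = Report()
    for rel, entry in current.items():
        if rel not in baseline:
            rep.added.append(rel)
        elif entry != baseline[rel]:
            rep.modified.append(rel)
        cur_suid = bool(entry.mode & stat.S_ISUID)
        old_suid = rel in baseline and bool(baseline[rel].mode & stat.S_ISUID)
        if cur_suid and not old_suid:
            rep.new_setuid.append(rel)
    rep.removed = [rel for rel in baseline if rel not in current]
    for lst in (rep.added, rep.removed, rep.modified, rep.new_setuid):
        lst.sort()
    return rep


def restore_from_clean_copy(root, clean_root, report):
    """Response action: put each touched path back to its clean-copy state."""
    restored = []
    for rel in report.modified + report.removed:
        dst = os.path.join(root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(clean_root, rel), dst)  # copy2 restores mode bits too
        restored.append(rel)
    for rel in report.added:
        os.remove(os.path.join(root, rel))  # drop anything the attacker planted
        restored.append(rel)
    return sorted(restored)


def check_and_respond(root, clean_root, baseline):
    """One monitoring cycle: scan, diff against baseline, respond if anything changed."""
    report = diff(baseline, snapshot(root))
    changed = report.added or report.removed or report.modified
    restored = restore_from_clean_copy(root, clean_root, report) if changed else []
    return report, restored


def demo():
    """Constructed scenario: baseline a tiny /bin-like tree, tamper with it, detect, restore."""
    work = tempfile.mkdtemp()
    root, clean = os.path.join(work, "bin"), os.path.join(work, "bin.clean")
    os.makedirs(root)
    for name in ("ls", "ps"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"#!/bin/sh\nexec /usr/bin/" + name.encode() + b' "$@"\n')
        os.chmod(os.path.join(root, name), 0o755)
    shutil.copytree(root, clean)
    baseline = snapshot(root)

    # Simulated rootkit activity: trojaned ls, a new setuid shell, ps deleted.
    with open(os.path.join(root, "ls"), "ab") as fh:
        fh.write(b"# constructed trojan marker\n")
    with open(os.path.join(root, "sh.bak"), "wb") as fh:
        fh.write(b'#!/bin/sh\nexec /bin/sh "$@"\n')
    os.chmod(os.path.join(root, "sh.bak"), 0o4755)
    os.remove(os.path.join(root, "ps"))

    report, restored = check_and_respond(root, clean, baseline)
    clean_again = snapshot(root) == baseline
    shutil.rmtree(work)
    return report, restored, clean_again


if __name__ == "__main__":
    print(demo())
```

The restore step is deliberately blunt: it trusts the clean copy completely, so the clean copy must live somewhere the attacker cannot reach (read-only media or a separate host), and the alert should still go out even when the restore succeeds, since the change itself is the evidence that something is on the box.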