OSEC

From: mhtclark.net
Date: Fri Jan 11 2002 - 13:08:20 CST


    At 11:03 AM 1/11/2002 -0800, Mark Crosbie wrote:
    On Fri, 2002-01-11 at 10:22, mhtclark.net wrote:
    > It looked like a lot more than a fancy UI running swatch underneath it. It
    > appears that it interoperates with HP-UX a lot more strongly than
    > configuring swatch would. ??

    >> My comments were back to the previous poster. I worded my reply wrong,
    what I meant was that it looked a bit more fancy than just a fancy UI with
    swatch underneath..

    The marketing fluff is a little bit lacking in technical depth, but
    compared to some products in other spaces it isn't that bad overall, and a
    lot easier to navigate through than some other products in the software
    testing space.. ;)

    /m

    Ouch! That hurt! Yes, it is a lot more complex than just running swatch
    on a logfile.

    It uses system call audit data derived from a special audit subsystem in
    the HPUX kernel (NOT the standard C2 audit system). The system call
    header information and arguments are gathered and analyzed in near
    real-time by our product to determine if a vulnerability exploit
    occurred.

    Notice I say "near real-time": it does not use any hard real-time
    features of HPUX. Also I said "vulnerability exploit", not attack. The
    product detects the building-blocks of attacks, not the latest
    attack-du-jour from Bugtraq.

    While swatch is an excellent tool (I use it myself) you can't use it to
    analyze data that doesn't exist. No log file (that I know of on UNIX) is
    going to tell you that process id 12345 modified /etc/passwd by system
    call truncate() using the program /bin/vi with arguments "/bin/vi
    passwd" running as user 405 on tty 3. That's what IDS/9000 can do.

    So while on the surface it would appear that IDS/9000 looks like a fancy
    GUI over swatch, as you dig deeper into what the product does you may
    realize that it is a lot more powerful.

    If you don't realize this then we have done a poor job of documenting
    IDS/9000. Let me know if we need to beef up our outrageous marketing
    claims :-)

    Regards,
    Mark.

    > /m
    >
    > At 08:55 AM 1/11/2002 -0800, Allovair Entellon wrote:
    > >I've looked at this in the past. Our conclusion was
    > >that calling it a Host-based intrusion detection
    > >system was unfair, given how the product operated.
    > >You could duplicate 95% of the functionality with
    > >swatch and a good config file.
    >

    -- 
    Mark Crosbie            IDS/9000 Product Architect
    http://www.hp.com/security/products/ids
    Hewlett-Packard MS 47 LA        mcrosbiecup.hp.com
    19447 Pruneridge Avenue         (408) 447-2308
    Cupertino, CA 95014             (408) 447-6766 FAX
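The point Mark makes about system-call audit data (who did what, with which syscall, from which program, with which arguments) is what separates kernel audit-based detection from log-file pattern matching. The following is an added example, not IDS/9000 code and not its audit format: it assumes a flat key=value audit line per system call carrying the fields named in the message (pid, uid, tty, syscall, target path, executing program, arguments), and it runs two "building-block" rules over constructed records: a sensitive file modified by a program not expected to modify it (the /bin/vi on /etc/passwd case from the message), and a uid-0 process exec'ing a shell from a program that does not normally spawn one. The sensitive-file list, expected-writer table and shell-spawner list are assumptions for the example, not any product's rule base.

```python
"""Detection over system-call audit records (added example; constructed data).

The record format is an ASSUMPTION for illustration: one key=value line per
system call, with quoted values allowed. It is not the IDS/9000 audit format.
"""
import shlex

# Files whose modification is a building block of many attacks (assumed list).
SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow", "/etc/group", "/etc/inetd.conf"}

# Programs expected to modify each sensitive file (assumed table; tune per host).
EXPECTED_WRITERS = {
    "/etc/passwd": {"/usr/bin/passwd", "/usr/sbin/useradd", "/usr/sbin/vipw"},
    "/etc/shadow": {"/usr/bin/passwd", "/usr/sbin/useradd", "/usr/sbin/vipw"},
    "/etc/group": {"/usr/sbin/groupadd", "/usr/sbin/vigr"},
    "/etc/inetd.conf": set(),  # nothing should rewrite it unattended
}

# System calls that change a file's content or identity outright.
WRITE_SYSCALLS = {"truncate", "ftruncate", "rename", "unlink", "chmod", "chown"}
# open() is a write only when requested with a write/create/truncate flag.
WRITE_OPEN_FLAGS = {"O_WRONLY", "O_RDWR", "O_TRUNC", "O_CREAT"}

# Shells, and the programs that legitimately exec them as root (assumed lists).
SHELLS = {"/bin/sh", "/bin/ksh", "/bin/csh", "/usr/bin/sh"}
SHELL_SPAWNERS = {"/usr/bin/login", "/usr/bin/su", "/usr/sbin/cron"} | SHELLS


def parse_record(line: str) -> dict:
    """Parse one key=value audit line into a dict; pid and uid become ints."""
    rec = {}
    for token in shlex.split(line):          # shlex keeps quoted args together
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed field {token!r}")
        rec[key] = value
    rec["pid"] = int(rec["pid"])
    rec["uid"] = int(rec["uid"])
    return rec


def is_write(rec: dict) -> bool:
    """True if this system call modifies the target path."""
    if rec["syscall"] in WRITE_SYSCALLS:
        return True
    if rec["syscall"] == "open":
        flags = set(rec.get("flags", "").split("|"))
        return bool(flags & WRITE_OPEN_FLAGS)
    return False


def check_sensitive_write(rec: dict):
    """Rule 1: a sensitive file modified by a program not expected to modify it."""
    path = rec.get("path")
    if path in SENSITIVE_FILES and is_write(rec) and rec["exe"] not in EXPECTED_WRITERS[path]:
        return (f"pid {rec['pid']} (uid {rec['uid']}, tty {rec['tty']}) modified {path} "
                f"via {rec['syscall']}() from {rec['exe']} with args {rec['args']!r}")
    return None


def check_root_shell(rec: dict):
    """Rule 2: a uid-0 process exec'ing a shell from a program that should not."""
    if (rec["syscall"] == "execve" and rec["uid"] == 0
            and rec.get("path") in SHELLS and rec["exe"] not in SHELL_SPAWNERS):
        return (f"pid {rec['pid']} (uid 0, tty {rec['tty']}) exec'd {rec['path']} "
                f"from {rec['exe']} with args {rec['args']!r}")
    return None


RULES = (check_sensitive_write, check_root_shell)


def analyze(lines):
    """Run every rule over every record; return the alert strings in order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        for rule in RULES:
            msg = rule(rec)
            if msg:
                alerts.append(msg)
    return alerts


# Constructed audit records (not real HP-UX output). The first is the case from
# the message: pid 12345, uid 405 on tty 3, truncate() on /etc/passwd from vi.
AUDIT_LINES = [
    'ts=2002-01-11T11:03:00 pid=12345 uid=405 tty=3 syscall=truncate path=/etc/passwd '
    'exe=/bin/vi args="/bin/vi passwd" ret=0',
    'ts=2002-01-11T11:03:01 pid=2201 uid=0 tty=- syscall=open path=/etc/passwd '
    'flags=O_RDONLY exe=/usr/bin/login args="login" ret=4',           # read only
    'ts=2002-01-11T11:03:02 pid=2300 uid=0 tty=1 syscall=open path=/etc/shadow '
    'flags=O_WRONLY|O_TRUNC exe=/usr/bin/passwd args="passwd" ret=5',  # expected writer
    'ts=2002-01-11T11:03:03 pid=12346 uid=405 tty=3 syscall=truncate path=/home/mht/notes '
    'exe=/bin/vi args="/bin/vi notes" ret=0',                          # not sensitive
    'ts=2002-01-11T11:03:04 pid=2401 uid=0 tty=- syscall=execve path=/bin/sh '
    'exe=/usr/lib/sendmail args="sh -i" ret=0',                        # root shell
]

if __name__ == "__main__":
    for alert in analyze(AUDIT_LINES):
        print("ALERT:", alert)
```

Only records 1 and 5 raise alerts; the read-only open(), the expected writer and the non-sensitive file are passed over. Every field the rules consult (syscall, flags, exe, args, uid, tty) is present only because the data comes from the kernel's syscall audit path; a syslog line for the same /etc/passwd change would carry none of it, which is why swatch has nothing to match on.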