OSEC

From: Mark Crosbie (mcrosbiecup.hp.com)
Date: Fri Jan 11 2002 - 17:22:37 CST

    On Fri, 2002-01-11 at 10:43, Allovair Entellon wrote:
    > We had hoped so as well, but appearances seemed to be
    > deceiving... If it doesn't show up in a parseable log
    > file, it doesn't get detected. Look here in the white
    > paper:

    Hmm, maybe our whitepaper misrepresents the product's design. I think
    item #1 in the list below points to the in-kernel data source that
    is unique to IDS/9000.

    More details on the audit system and what it does can be found in our
    paper submitted to last year's RAID conference:

    http://www.raid-symposium.org/raid2001/program.html

    We're the first bullet entry: "A Building Block Approach to Intrusion
    Detection".

    The other two items refer to log files which, as you point out, can be
    handled just as easily with swatch or any other log watcher tool.

    Hope this clarifies things.

    Regards,
    Mark.

    > Data sources monitored by the IDS/9000 on the host
    > include:
    >
    > 1. Kernel audit data that is generated by a trusted
    > component of the operating system. It includes
    > analyzing system calls including parameters and
    > outcomes.
    > 2. System log files are monitored because they
    > contain data on login/logout, commands executed by
    > users; reports from network service daemons and
    > records of HTTP and FTP file transfers.
    > 3. Database server or other application server logs
    > are analyzed for their data on activity. This enables
    > detection of well-known attacks.
    >
    > --- mhtclark.net wrote:
    > > It looked like a lot more than a fancy UI running
    > > swatch underneath it. It
    > > appears that it interoperates with the HP-UX a lot
    > > stronger than
    > > configuring swatch. ??
    > >
    > > /m
    > >
    > > At 08:55 AM 1/11/2002 -0800, Allovair Entellon
    > > wrote:
    > > >I've looked at this in the past. Our conclusion
    > > was
    > > >that calling it a Host-based intrusion detection
    > > >system was unfair, given how the product operated.
    > > >You could duplicate 95% of the functionality with
    > > >swatch and a good config file.
    > >
    >
    >

    -- 
    Mark Crosbie            IDS/9000 Product Architect
    http://www.hp.com/security/products/ids
    Hewlett-Packard MS 47 LA        mcrosbiecup.hp.com
    19447 Pruneridge Avenue         (408) 447-2308
    Cupertino, CA 95014             (408) 447-6766 FAX