OSEC

From: Allovair Entellon (allovairyahoo.com)
Date: Fri Jan 11 2002 - 15:21:35 CST


    Mark,

    I apologize if I got my information incorrect, however
    at the time, the salesman and SE told us that we would
    have to enable system accounting and that the IDS/9000
    would pull its information from the accounting logs --
    quite similar to enabling BSD process accounting on a
    Linux box and configuring swatch or any kind of text
    parser to look for troubling events.

    I am, indeed, sorry if I misrepresented the product.
    However, when we did our evaluation, the techs were
    unable to produce any results that seemed to require
    any heuristics or correlation that seemed integral to
    a true IDS.

    Allovair
    --- mhtclark.net wrote:
    >
    > At 11:03 AM 1/11/2002 -0800, Mark Crosbie wrote:
    > On Fri, 2002-01-11 at 10:22, mhtclark.net wrote:
    > > It looked like a lot more than a fancy UI running swatch underneath it. It appears that it interoperates with the HP-UX a lot stronger than configuring swatch. ??
    >
    > >> My comments were back to the previous poster. I worded my reply wrong, what I meant was that it looked a bit more fancy than just a fancy UI with swatch underneath..
    >
    > The marketing fluff is a little bit lacking in the technical depth but compared to some product in other spaces, it isn't that bad overall and a lot easier to navigate through than some other products in the software testing space.. ;)
    >
    > /m
    >
    > Ouch! That hurt! Yes, it is a lot more complex than just running swatch on a logfile.
    >
    > It uses system call audit data derived from a special audit subsystem in the HPUX kernel (NOT the standard C2 audit system). The system call header information and arguments are gathered and analyzed in near real-time by our product to determine if a vulnerability exploit occurred.
    >
    > Notice I say "near real-time": it does not use any hard real-time features of HPUX. Also I said "vulnerability exploit", not attack. The product detects the building-blocks of attacks, not the latest attack-du-jour from Bugtraq.
    >
    > While swatch is an excellent tool (I use it myself) you can't use it to analyze data that doesn't exist. No log file (that I know of on UNIX) is going to tell you that process id 12345 modified /etc/passwd by system call truncate() using the program /bin/vi with arguments "/bin/vi passwd" running as user 405 on tty 3. That's what IDS/9000 can do.
    >
    > So while on the surface it would appear that IDS/9000 looks like a fancy GUI over swatch, as you dig deeper into what the product does you may realize that it is a lot more powerful.
    >
    > If you don't realize this then we have done a poor job of documenting IDS/9000. Let me know if we need to beef up our outrageous marketing claims :-)
    >
    > Regards,
    > Mark.
    >
    > > /m
    > >
    > > At 08:55 AM 1/11/2002 -0800, Allovair Entellon wrote:
    > > >I've looked at this in the past. Our conclusion was that calling it a Host-based intrusion detection system was unfair, given how the product operated. You could duplicate 95% of the functionality with swatch and a good config file.
    > >
    > --
    > Mark Crosbie IDS/9000 Product Architect
    > http://www.hp.com/security/products/ids
    > Hewlett-Packard MS 47 LA mcrosbiecup.hp.com
    > 19447 Pruneridge Avenue (408) 447-2308
    > Cupertino, CA 95014 (408) 447-6766 FAX
    >

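Added illustration of the distinction the thread turns on (this is example code written for this archive page, not code from HP, IDS/9000, swatch or any of the posters): a detector that consumes system-call audit records carrying process context (pid, syscall, path, program, arguments, uid, tty) can flag an unexpected program modifying /etc/passwd and report exactly the sentence Mark describes, while a swatch-style regex over syslog only sees what some daemon chose to log. The audit record layout, the syslog lines and all values in them are constructed for the example and are not IDS/9000's real audit format; the allowlist of "expected editors" is an assumed policy.

```python
"""Sensitive-file modification detector over syscall audit records, contrasted
with a swatch-style regex over syslog. Record format and all sample data are
constructed for this example (not IDS/9000's audit format)."""
import re

# Calls that change a file's contents or metadata; open() counts only with write flags.
MODIFYING_CALLS = {"truncate", "write", "rename", "unlink", "chmod", "chown"}
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_TRUNC", "O_CREAT"}
SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow", "/etc/group"}
# Assumed policy: programs that are expected to rewrite the account database.
EXPECTED_EDITORS = {"/usr/bin/passwd", "/usr/sbin/vipw", "/usr/sbin/useradd",
                    "/usr/sbin/usermod"}

# Constructed audit records (hypothetical layout, one dict per system call).
AUDIT_RECORDS = [
    {"pid": 12345, "syscall": "truncate", "path": "/etc/passwd",
     "program": "/bin/vi", "args": "/bin/vi passwd", "uid": 405, "tty": "tty3"},
    {"pid": 12346, "syscall": "open", "path": "/etc/passwd", "flags": "O_RDONLY",
     "program": "/bin/ls", "args": "ls -l /etc/passwd", "uid": 405, "tty": "tty3"},
    {"pid": 200, "syscall": "rename", "path": "/etc/passwd",
     "program": "/usr/bin/passwd", "args": "passwd", "uid": 0, "tty": "tty1"},
    {"pid": 300, "syscall": "write", "path": "/tmp/notes",
     "program": "/bin/vi", "args": "vi notes", "uid": 405, "tty": "tty3"},
]

# Constructed syslog lines covering the same period: note that nothing in them
# records the vi/truncate event, because no daemon logs it.
SYSLOG_LINES = [
    "Jan 11 15:20:02 hpbox login[1201]: LOGIN ON tty3 BY bob",
    "Jan 11 15:21:10 hpbox passwd[200]: password changed for user carol",
    "Jan 11 15:22:40 hpbox sshd[1300]: Accepted publickey for bob from 10.0.0.5",
]


def modifies_file(rec):
    """True if the record describes a call that alters the target file."""
    if rec["syscall"] in MODIFYING_CALLS:
        return True
    if rec["syscall"] == "open":
        flags = set(rec.get("flags", "").split("|"))
        return bool(flags & WRITE_FLAGS)
    return False


def detect_sensitive_modifications(records):
    """Return one alert per modification of a sensitive file by a program that
    is not an expected editor running as root. Each alert carries the full
    process context so an analyst gets the 'pid X modified Y via Z()' sentence."""
    alerts = []
    for rec in records:
        if rec["path"] not in SENSITIVE_FILES or not modifies_file(rec):
            continue
        if rec["program"] in EXPECTED_EDITORS and rec["uid"] == 0:
            continue  # normal administrative path, no alert
        alerts.append({
            # A non-root uid rewriting the account database is the stronger signal.
            "severity": "high" if rec["uid"] != 0 else "medium",
            "pid": rec["pid"], "uid": rec["uid"], "tty": rec["tty"],
            "syscall": rec["syscall"], "path": rec["path"],
            "program": rec["program"], "args": rec["args"],
            "summary": (f"pid {rec['pid']} modified {rec['path']} via "
                        f"{rec['syscall']}() using {rec['program']} "
                        f"(\"{rec['args']}\") as uid {rec['uid']} on {rec['tty']}"),
        })
    return alerts


def swatch_style_matches(lines, pattern=r"passwd"):
    """What a text-log watcher can do: return the lines matching a regex.
    It can only ever surface events that some process already wrote to the log."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


if __name__ == "__main__":
    for alert in detect_sensitive_modifications(AUDIT_RECORDS):
        print(f"[{alert['severity']}] {alert['summary']}")
    print("syslog lines mentioning passwd:", swatch_style_matches(SYSLOG_LINES))
```

Run as a script, the audit-based detector reports the single suspicious record (the non-root vi session truncating /etc/passwd) with its full process context, while the regex over syslog returns only the legitimate passwd daemon line: the event the detector found simply has no representation in the text log.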