IDS mailing list archives

Re: Host Based IDS
From: "Security Group" <secgro () gmail com>
Date: Mon, 1 Dec 2008 14:43:29 +0100

Hi,

First of all many thanks for your replies and excuse me for my late response.

Your requests for clarification are justified. I will describe the situation:

We have Windows servers (60+) with custom server applications (self
developed software) which are in the DMZ.

There is already a network based IDS present based on S-flow packets.

But since the DMZ is the first base on the way-in by any hacker we
want intrusion detection on the machines in the DMZ.

We now have a very simple IDS in place which monitors process starts.
This HIDS will report an alert if an abnormal process start occurs
(i.e. a reverse shell starts cmd.exe in an abnormal fashion).
This is only one simple abnormality check on a host. We are wondering
if there are other host based IDS which check for abnormal process
starts and much more (file integrity, event log, etc.).

Which of these HIDS provides the best abnormality checking (process
starts, event log, file integrity, etc.) on a host:
OSSEC
Open Source Tripwire
SAMHAIN
OSIRIS
AIDE
Third Brigade Deep Security
Symantec Critical System Protection
IBM Proventia
Enterasys Dragon IDS/IPS
McAfee Total Protection for Endpoint
CA Host-Based Intrusion Prevention System r8
GFiEventsManager
Cisco Security Agent

Btw, are there HIDS that can detect all-in-memory exploits (without the
need of starting a process via the kernel)?

Thank you for your time and advice,
Timo Babel
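The process-start check described in the post, as an added Python sketch that is not from the thread or from any of the products listed: a parent/child baseline over process-start records, flagging a shell started by the custom server application. All image names, the baseline and the event records are constructed for the example.

```python
"""Added example (not from the thread or any product it names): a minimal
host-based check over process-start events, modelling the poster's HIDS that
alerts when a server process spawns cmd.exe. All image names, the baseline
and the event records are constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class ProcessStart:
    host: str
    parent: str  # image name of the creating process, lower-cased
    child: str   # image name of the newly started process, lower-cased
    user: str

# Constructed baseline: for each parent image, the child images observed during
# a learning period on the DMZ hosts. Interactive admin use (explorer -> cmd)
# is baselined so it does not alert; the server application never spawns a shell.
BASELINE = {
    "services.exe": {"svchost.exe", "custom_server.exe"},
    "custom_server.exe": {"custom_worker.exe"},
    "svchost.exe": {"wmiprvse.exe"},
    "explorer.exe": {"cmd.exe", "notepad.exe"},
}
# Shells: an unbaselined start of one of these is the reverse-shell case.
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}

def classify(ev: ProcessStart) -> Optional[str]:
    """Return an alert string, or None if the start matches the baseline."""
    if ev.child in BASELINE.get(ev.parent, set()):
        return None
    if ev.child in SHELL_IMAGES:
        return f"HIGH {ev.host}: {ev.parent} spawned shell {ev.child} as {ev.user}"
    return f"MEDIUM {ev.host}: unbaselined start {ev.parent} -> {ev.child}"

def scan(events: List[ProcessStart]) -> List[str]:
    """Run the check over a batch of events and return the alerts in order."""
    return [a for a in map(classify, events) if a is not None]

# Constructed records, the kind a Windows 4688 process-creation audit feed yields.
SAMPLE = [
    ProcessStart("dmz-web01", "services.exe", "custom_server.exe", "SYSTEM"),
    ProcessStart("dmz-web01", "custom_server.exe", "custom_worker.exe", "SYSTEM"),
    ProcessStart("dmz-web01", "custom_server.exe", "cmd.exe", "SYSTEM"),
    ProcessStart("dmz-web02", "svchost.exe", "rundll32.exe", "NETWORK SERVICE"),
    ProcessStart("dmz-web02", "explorer.exe", "cmd.exe", "DMZ\\admin"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

A check of this kind only sees starts that go through process creation; an exploit that stays entirely in the compromised process's memory, as the post asks about, produces no event here and needs a different sensor.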
2008/10/20 Erik Harrison <eharrison () gmail com>:
How many servers, OS variations, what kind of changes are you looking
to detect? Basic file changes are easy; it's the rest of it that's
complicated, and functionality will vary. Past that, reporting will be
important to the managers, execs and, if you have a lot of other things
to manage, to you as well.

What exactly do you want to show them? Will you need to back up any
other responses with relevant data from your org? Any other compliance
or security initiatives in the company that you could support with the
package or product?
