Information Security News mailing list archives
Re: Linux snares security tool
From: InfoSec News <isn () c4i org>
Date: Wed, 14 Nov 2001 09:07:49 -0600 (CST)
Forwarded from: "Ejovi B. Nuwere" <ejovi () ejovi net>

From: "Nicole Bellamy" <nicole.bellamy () zdnet com au>
Cc: "George Cora" <george.cora () intersectalliance com>, "Leigh Purdie" <Leigh.Purdie () intersectalliance com>

Ejovi.

As promised in my initial e-mail, I have looked into this matter and spoken with experts who actually have day-to-day experience and working knowledge of Linux and in particular, Linux security. They have advised me to rework my article slightly to include reference to C2-compliance--which is the most distinguishing factor of the new tool. I have run a proof by them and they are happy with the amendments, which I will be posting on our site now.

Although I strongly disagree with your personal attacks against me, that is another matter and one which will be addressed--especially due to the fact that you have yet to remove or apologise for your slanderous comments.

As for the infosec news list readers you have approached, please pass on to them my sincere thanks for their feedback and the notice of my amendment.

It is interesting to note that in a community such as Linux, which is fighting daily against oppression from proprietary systems, members of this community would personally and professionally attack any journalist that gives weight to their fight, and attempts to expose brilliance in the ranks, rather than mistakes and vulnerabilities. It is surprising that such a community is not applauding its members who are attempting to make a difference rather than shooting down the messengers.

By the way, if you intend to post this on your site, please feel free to use the entire e-mail this time, rather than just chosen excerpts. Also, my comments related to this story are my own, during initial e-mails and the follow-up since.

Thanks again and regards.

Nicole

----- Original Message -----
From: "Ejovi B. Nuwere" <ejovi () ejovi net>
To: "Leigh Purdie" <Leigh.Purdie () intersectalliance com>
Cc: "Nicole Bellamy" <nicole.bellamy () zdnet com au>; "George Cora" <george.cora () intersectalliance com>
Sent: Saturday, November 10, 2001 8:14 AM
Subject: Re: No Subject
Thanks for the response Leigh,

As a security professional, you too must admit this article is misleading. Statements such as "InterSect Alliance says it has developed the first integrated security auditing and event..." alone is not true. The first C2 open source compliant product? Well that may be true. Since there aren't many C2 compliant products out there, commercial or open source, I'd be willing to give you the benefit of the doubt. But this article states you are the first host based IDS for Linux. Which is not true. And I've received several responses to my original email sent to ISN, Internet Security News, all of which agree with my opinion. So we will have to agree to disagree on this one.

Respectfully
ejovi

On Fri, Nov 09, 2001 at 03:11:46PM +1100, Leigh Purdie wrote:

G'day Ejovi,

Thanks for the comments below, hopefully I can answer your questions to your satisfaction.

Many security tools have been available for Linux for a long time now, often being recompiled from applications developed for generic Unix systems. I've been a user of applications like tripwire, tcp wrappers, for a long time now. I think I first used tripwire in the early 1990s.

I often encounter confusion from people as to the purposes of such tools. Many people, for example, feel that once a firewall is in place, a system is protected. You and I both know that it takes a large amount of network, host, and procedural security controls to make a site truly secure (and even then, there are still risks!).

Just like you wouldn't call tripwire a firewall, nor is it similar to SNARE. Tripwire fills a void in security by providing an administrator with notification when a file is modified/added/changes permissions etc. LIDS fills another void by implementing mandatory access controls in the kernel and providing enhanced access control. However, one thing that Linux has been lacking for a long time now, is the "C2 style" user auditing capability. This is the role that SNARE fills.

Many other operating systems, such as NT or Solaris, incorporate this feature, and many government departments refuse to install Linux, because there is no auditing capability. Having worked in an organisation like the Defence Signals Directorate (very much like the US National Security Agency (NSA)), I know the importance of security standards, and the reluctance of government to install hardware or software that does not meet certain standards. Hopefully, SNARE is a step in the direction of ensuring Linux meets those standards, and is able to be used more by government agencies, and large organisations that need to meet government standards.

ZDNet seem to me, to be a very careful and capable news agency that are committed to correctly and accurately reporting a story. Nicole made sure that she undertook a comprehensive interview before releasing the story, and although no reporter can report verbatim what was discussed, I think the story is a fair and accurate reflection of SNARE's role in Linux.

As such, if you believe that SNARE is of poor quality for an open source release, or you feel as though the capabilities are overstated, then please feel free to discuss it with us further. Drop me or George an email, or call us on the number available from the contact page. However, I don't think it's appropriate to accuse ZDNet of anything untoward.

Some comments we have received from other users relating to SNARE might assist in reassuring you that the story was accurate:

Daniel Swan, maintainer of the comp.os.linux.security frequently asked questions document: "Leigh, this looks quite impressive. I will be happy to include it in the FAQ. I will be releasing another version in a couple of weeks, so look for your product's inclusion then. I also look forward to trying it out myself."

Martin Heerling, Germany: "First I want to congratulate to snare - I was quite amazed about it. I like the "Objectives" approach with specifying patterns or regexps. That's definitely cool."

GuardianDigital, sellers of the Engarde Linux distribution: "This is very interesting. .. Perhaps you'd be interested in working together in some capacity."

Lance, USA: "Hello, This has got to be one of the most awesome utilities (SNARE) I've seen in Linux yet. Congratulations on the GREAT work done by you guys. So much information given, wow...what an improvement over other logging utilities...."

From a government source: "Truth be told, SNARE looks like it could possibly overcome the last major hurdle to the 'legal' adoption of Linux in the U.S. military/government structure. While it's already endemic throughout the Department of Defense, there is a bit of a backlash coming due to the number of incidents coming in, and the lack of hard auditing data to help track down the miscreants."

Regards,

Leigh.

On Fri, 2001-11-09 at 09:57, Ejovi B. Nuwere wrote:

Subject: Re: [ISN] Linux snares security tool
In-Reply-To: <00d301c168a8$f92c29a0$b2e90ccb () zdnet com au>; from nicole.bellamy () zdnet com au on Fri, Nov 09, 2001 at 09:59:08AM +1100
Leigh Purdie, please tell me how your product differs from LIDS.

On Fri, Nov 09, 2001 at 09:59:08AM +1100, Nicole Bellamy wrote:

Hi Ejovi.

Thank you for your comments. ZDNet Australia values any feedback, especially when it relates to editorial quality, and/or accuracy. I have copied in Leigh Purdie, the CEO you mentioned, and an expert in Linux security.

I consulted Linux 'experts' before going to print to check the accuracy of the article, which they did, and I am satisfied with responses I received.

ZDNet Australia strives to provide an impartial, balanced view of news in the IT industry. As such, it is important to report on new developments. Often these are not controversial, and may seem to be complimentary to the company producing the technologies; this is not intended, nor compensated in any way. I personally have no affiliation with the company mentioned, nor the staff within it.

However, I appreciate your comments and will endeavour to ensure the validity of them. As we speak, I have contacted various Aust Linux personalities to advise me on the accuracy of the claims you have made. I am sure you can understand the need to check facts and claims.

Thanks again for your e-mail. Perhaps next time you have comments to make you could give me a call directly, and ascertain the accuracy of your comments.

I hope I have assisted in whatever it is you hoped to achieve with this e-mail.

Thanks and regards

________________________________________________
Nicole Bellamy
News & Technology Producer
ZDNet Australia, a CNET Networks Company
PO Box 670 BROADWAY NSW 2007
Tel: +61 2 8514 9943
Fax: +61 2 9960 2953
http://www.zdnet.com.au
http://www.gamespot.com.au
_________________________________________________

----- Original Message -----
From: "Ejovi B. Nuwere" <ejovi () ejovi net>
To: "InfoSec News" <isn () c4i org>
Cc: <nicole.bellamy () zdnet com au>
Sent: Friday, November 09, 2001 7:20 AM
Subject: Re: [ISN] Linux snares security tool

Dear Nicole,

Is this an article or gibberish? Gibberish or a press release poorly cloaked as an article?

What exactly do you mean by integrated? Are you saying that all the major Linux distributions will include this as part of their base system install? Or are you saying that it works on Linux? I'm confused. I suspect you are too.

Why did you not research the subject? If you had, you would have found tripwire (http://www.tripwire.org/) which has been around and widely used for almost 10 years. What about quoting experts other than the company CEO? Either you've been had, or need a refresher course in journalistic integrity.

Your friend,
ejovi

On Wed, Nov 07, 2001 at 03:35:07AM -0600, InfoSec News wrote:

http://www.zdnet.com/zdnn/stories/news/0,4586,2822782,00.html

By Nicole Bellamy
ZDNet Australia
November 6, 2001 5:46 PM PT

InterSect Alliance says it has developed the first integrated
security auditing and event logging subsystem for the open source Linux operating system, beating much larger organizations to the punch.

Its new tool, Snare (System iNtrusion Analysis and Reporting Environment) has been developed with a goal of reducing the cost of entry into system auditing and host-based intrusion detection for system managers, simplifying the process of configuration, reducing resource requirements and providing meaningful reporting to end-users.

According to Leigh Purdie, director and principal security consultant, this is the first release of code for a host-based intrusion detection system, although there have been inroads made into the development of source code to address network-based intrusion detection.

The two systems differ in that while a network-based intrusion detection tool enables the user to determine when an intrusion is being attempted, the host-based system allows the user to identify when an intrusion has been successful.

Purdie believes that the lack of the Snare code has hindered the adoption of Linux into widespread use by organizations in Australia. By releasing Snare as open-source software, he hopes this will "set Linux on the path towards acceptance by organizations."

The Snare auditing subsystem is designed to "enhance an organizations' ability to detect suspicious activity by monitoring system and user actions", as stated in its release report.

Given the current debate surrounding staff-monitoring, Purdie was quick to point out that InterSect Alliance is not responsible, nor accountable for, any privacy infringements occurring as a result of organizations using this system. However, the company does intend to provide privacy recommendations to organizations as a part of its training on the product.

"Privacy is critical in a lot of institutions. When we provide solutions we recommend one of the things they (organizations) implement is staff contact; to let staff know what is happening, why it's happening, what data is being used for," said Purdie.

Snare fills Linux security void

The lack of integrated security features--perceived or actual--has long been a barrier to widespread Linux adoption.

According to an InterSect Alliance report, "the lack of host-based intrusion detection in the form of an auditing system, has been cited in the past by organizations as a significant contributor to the decision to choose alternative operating systems over Linux in operational roles."

InterSect Alliance decided to pursue the Snare project as a means of addressing this shortcoming and therefore boost Linux' appeal.

While working on similar tools for other operating systems, such as Sun's Solaris and Microsoft's Windows NT--all of which contained an audit collection subsystem--the company realized the lack of this feature in Linux, and "thought something was missing," according to Purdie.

What followed was eight months of effort and "not having a life", said George Cora, director and principal security consultant.

While eight months seems minimal in software development terms, Purdie maintains that Snare is actually the culmination of ten years' work into the host-based intrusion detection system, added to a combined total of more than twenty years' experience in security for the directors.

The short time to market can also be attributed to three other factors, according to Cora: "We have the programming skills, we have a small company that is not bureaucratic, and we put aside the established OSes (operating systems) and started from scratch."

He also maintains that the presence of the open-source community allowed them a shorter development time. InterSect Alliance does not have the infrastructure in place to distribute Snare commercially, but by using the open-source community, it was able to release the software quickly, to a widespread audience.

Cora believes that releasing Snare as open source should also lead to a faster uptake of the product itself. "If we had tried to commercialize this [rather than releasing as open-source software], people would be less eager to use it due to the cost of entry associated with it," Cora said.

This lowered cost of entry is the ingredient that will ensure much of the product's success. Already InterSect Alliance has received pre-release queries from local--and global--organizations.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.

ejovi nuwere
http://www.ejovi.net

--
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/

----- End forwarded message -----
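The thread turns on a distinction Leigh draws above: a tripwire-style tool notifies an administrator that a file was modified, added or had its permissions changed, whereas C2-style per-user auditing records which user did what, and the quoted article adds that a host-based tool tells you an intrusion has already succeeded. The script below is an added example written for this archive page; it is not code from the thread, from SNARE, from LIDS or from Tripwire. It takes a content-hash and mode baseline of a directory, rescans it after some constructed changes, reports the differences, and then correlates the changed paths against a handful of constructed audit records. The record field names (user, syscall, path, flags, mode) and the sample events are assumptions for illustration, not SNARE's record format.

```python
import hashlib
import os
import stat
import tempfile

# Added example (not SNARE/Tripwire code): a minimal tripwire-style
# file-integrity baseline. A snapshot maps a relative path (forward slashes)
# to (sha256 hex digest, permission bits).

def snapshot(root):
    """Walk `root` and record content hash and mode bits for every regular file."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are out of scope here
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (digest, stat.S_IMODE(st.st_mode))
    return snap

def compare_snapshots(baseline, current):
    """Diff two snapshots: added, removed, modified (content), mode_changed."""
    findings = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            findings["added"].append(path)
        elif path not in current:
            findings["removed"].append(path)
        else:
            old_hash, old_mode = baseline[path]
            new_hash, new_mode = current[path]
            if old_hash != new_hash:
                findings["modified"].append(path)
            if old_mode != new_mode:
                findings["mode_changed"].append((path, oct(old_mode), oct(new_mode)))
    return findings

# Constructed audit records, loosely modelled on the per-user events a
# C2-style audit subsystem emits. Field names are an assumption for this example.
SAMPLE_AUDIT_EVENTS = [
    {"user": "alice", "syscall": "open", "path": "etc/passwd", "flags": "O_WRONLY"},
    {"user": "alice", "syscall": "chmod", "path": "etc/passwd", "mode": "0666"},
    {"user": "bob", "syscall": "open", "path": "etc/newfile.conf", "flags": "O_CREAT"},
    {"user": "carol", "syscall": "open", "path": "etc/hosts", "flags": "O_RDONLY"},
]

def attribute_changes(findings, events):
    """Map each changed path to the users whose audit events could explain it.

    This is the step an integrity checker alone cannot do: it knows a file
    changed, but only a per-user audit trail says who touched it."""
    changed = (set(findings["added"]) | set(findings["modified"])
               | {p for p, _old, _new in findings["mode_changed"]})
    who = {}
    for ev in events:
        if ev["path"] not in changed:
            continue
        if ev["syscall"] not in ("open", "chmod", "rename", "unlink"):
            continue
        if ev["syscall"] == "open" and ev.get("flags") == "O_RDONLY":
            continue  # a read-only open does not explain a change
        who.setdefault(ev["path"], set()).add(ev["user"])
    return {p: sorted(users) for p, users in who.items()}

def demo():
    """Constructed scenario: baseline a tree, change it, rescan, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        passwd = os.path.join(root, "etc", "passwd")
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(passwd, 0o644)
        baseline = snapshot(root)

        # Constructed post-baseline changes for the example:
        with open(passwd, "a") as fh:
            fh.write("svc:x:1001:1001::/var/empty:/bin/sh\n")  # content change
        os.chmod(passwd, 0o666)                                 # mode change
        with open(os.path.join(root, "etc", "newfile.conf"), "w") as fh:
            fh.write("option = 1\n")                            # new file
        return compare_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    found = demo()
    print("integrity findings:", found)
    print("attributed to:", attribute_changes(found, SAMPLE_AUDIT_EVENTS))
```

Run as a script it prints the integrity findings for the constructed tree and the users the sample audit trail attributes them to. The point of splitting `compare_snapshots` from `attribute_changes` is the one Leigh makes: the first is what a tripwire-style checker gives an administrator, the second needs the per-user event stream that a C2-style audit subsystem exists to provide.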
Current thread:
- Linux snares security tool InfoSec News (Nov 07)
- <Possible follow-ups>
- Re: Linux snares security tool InfoSec News (Nov 09)
- Re: Linux snares security tool InfoSec News (Nov 09)
- Re: Linux snares security tool InfoSec News (Nov 09)
- Re: Linux snares security tool InfoSec News (Nov 12)
- Re: Linux snares security tool InfoSec News (Nov 12)
- Re: Linux snares security tool InfoSec News (Nov 12)
- Re: Linux snares security tool InfoSec News (Nov 13)
- Re: Linux snares security tool InfoSec News (Nov 13)
- Re: Linux snares security tool InfoSec News (Nov 14)
- Re: Linux snares security tool InfoSec News (Nov 15)