Penetration Testing mailing list archives

Re: [PEN-TEST] Audit package


From: Talisker <Talisker () NETWORKINTRUSION CO UK>
Date: Fri, 29 Sep 2000 19:36:13 +0100

Carv


CMDS uses an expert system to perform
statistical profiling by user or IP.  This allows
thresholds for behavior to be set...so that over
time, thresholds can be minimized, and only
statistically significant events will cause
alarms.

It does a little more than that, yes the profiling does seem to work.  eg I
had a report that user A triggered an alert and was out of profile, upon
investigation I discovered that she had just been given administrator
rights, I thought that was pretty cool, but the stat profiling is not its
strength, it applies attack signatures to the sys/event logs, that is what
gives the good results.  However the tool is not perfect.

This is a rough write up from a while ago

++++++++++++++++++++++++++
Computer Misuse Detection System (KSE)

The Good the Ugly and the Bad

Overview

I have been evaluating this product extensively for the last few months, and
I love it!  CMDS is a host based IDS from Intrusion.com (formerly ODS).  It
collects event and syslogs from NT4.0, Solaris, Cisco routers, NetRanger,
RealSecure and Checkpoint FW-1, they reckon to be able to collect log data
from any source however I didn't try that.  This data is not only for bog
standard security events but also for attack signatures across multiple
logs, these are then classed according to their severity and displayed.

CMDS is highly configurable, the attack signatures can be written/altered
within CLIPS, no real programming skills are required for this, I found "cut
& plagiarise" to be the best solution.  IMHO one of the best features is its
recognition of events.  eg if an application passes information to an event
log that CMDS doesn't recognise, it passes it to the screen.  WAIT, I know
what you're thinking, masses of false positives.  Fortunately CMDS stores
them all on an MS SQL database, all new events are given a severity of 3,
after you assess the event, if it's nothing to worry about reduce it to 2 ie
below the threshold with a simple SQL query, however, if it is important eg
your antivirus product has detected a virus, you can raise the severity.
What this means is that CMDS misses nothing that you don't want it to. These
new events can be combined into an attack signature if you wish.  In those
first few weeks though, whilst it's learning you do have your work cut out,
approx 1 hour per day.

It's easy to install, the basic product and agent installation takes just a
few minutes.  The product upgrades are a little rough and need some TLC to
get them working.  The manager/database installation has a few minor
security niggles, ie you have to be logged on as Administrator (has anyone
not renamed this account) and for the SQL to run it has to run on the system
account, rather than a lower privileged user account.

Connections from the agent to the manager are at ports above 14000, I would
prefer to see this fixed to a few definite ports to make firewall
configuration easier.

Event logs are collected at the agent, compressed by a factor of 20 and sent
to the manager at intervals configurable between 1 minute and 15.  This can
be extended to send say once a day if you wish.  The downside of this is
that the local log is not retained in an easily readable form on the host,
this is going to be addressed on a subsequent release.  Alternatively you
may be able to make use of MS SQL's live html output feature whereby as
the database receives events a web page is updated with the information.
The system administrator of the concerned network can be given access to his
data through a secured view.

The agent cannot be installed on the manager and database.  A security tool
that cannot protect itself is inexcusable.

There is no heartbeat to alert to the failure of the agent on the host.
Again this is being looked at by Intrusion.
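The write-up above describes three mechanisms in prose: unrecognised events land at a default severity of 3 and the analyst moves them above or below the alarm threshold, per-user statistical profiling flags out-of-profile behaviour (the newly-promoted administrator), and attack signatures are applied across the collected logs. The following toy Python engine is an added illustration of those three ideas written for this archive page; it is not CMDS or Intrusion.com code, and the event ids, users, counts and severity values are constructed sample data, not a real signature set or real logs.

```python
# Added example: a toy host-log triage engine illustrating the behaviours the
# post describes. Hypothetical code, not CMDS/Intrusion.com code.
from collections import defaultdict
from statistics import mean, pstdev

DEFAULT_SEVERITY = 3   # unrecognised events land at 3, as the post describes
ALERT_THRESHOLD = 3    # severity >= 3 raises an alarm; 2 is "below the threshold"

# Known-event table keyed by (log source, event id). Constructed sample values.
SEVERITY = {
    ("nt", 528): 1,      # logon success
    ("nt", 529): 3,      # logon failure
    ("nt", 636): 4,      # account added to a group
    ("fw1", "drop"): 1,  # firewall drop
}


def classify(source, event_id):
    """Severity of an event; unknown (source, id) pairs default to 3."""
    return SEVERITY.get((source, event_id), DEFAULT_SEVERITY)


def reclassify(source, event_id, severity):
    """Analyst decision: demote a benign event below the threshold or promote one."""
    SEVERITY[(source, event_id)] = severity


def alarms(events):
    """Events whose severity meets the threshold. Each event is a dict with
    source, event_id, user and seq (a monotonically increasing sequence number)."""
    return [e for e in events if classify(e["source"], e["event_id"]) >= ALERT_THRESHOLD]


def out_of_profile(history, today, k=3.0):
    """Per-user daily event counts: flag users whose count today exceeds
    mean + k * stdev of their own history. Zero variance is floored to 1 so a
    perfectly steady user still gets a usable threshold."""
    flagged = {}
    for user, counts in history.items():
        mu, sigma = mean(counts), max(pstdev(counts), 1.0)
        limit = mu + k * sigma
        if today.get(user, 0) > limit:
            flagged[user] = (today[user], round(limit, 1))
    return flagged


def brute_force_then_success(events, failures=3):
    """Cross-event signature: `failures` or more consecutive 529s for one user
    followed by a 528. Returns the set of matching users."""
    streak = defaultdict(int)
    hits = set()
    for e in sorted(events, key=lambda ev: ev["seq"]):
        if e["source"] != "nt":
            continue
        if e["event_id"] == 529:
            streak[e["user"]] += 1
        elif e["event_id"] == 528:
            if streak[e["user"]] >= failures:
                hits.add(e["user"])
            streak[e["user"]] = 0
    return hits


# Constructed sample data (not real logs).
EVENTS = [
    {"seq": 1, "source": "nt", "event_id": 529, "user": "bob"},
    {"seq": 2, "source": "nt", "event_id": 529, "user": "bob"},
    {"seq": 3, "source": "nt", "event_id": 529, "user": "bob"},
    {"seq": 4, "source": "nt", "event_id": 528, "user": "bob"},
    {"seq": 5, "source": "nt", "event_id": 636, "user": "alice"},
    {"seq": 6, "source": "av", "event_id": "virus_found", "user": "carol"},  # not in table
    {"seq": 7, "source": "fw1", "event_id": "drop", "user": "-"},
]
HISTORY = {"alice": [10, 12, 11, 9, 10], "bob": [5, 5, 5, 5, 5]}
TODAY = {"alice": 40, "bob": 7}

if __name__ == "__main__":
    print("alarms:", [(e["source"], e["event_id"]) for e in alarms(EVENTS)])
    reclassify("av", "virus_found", 4)  # analyst promotes the antivirus event
    print("out of profile:", out_of_profile(HISTORY, TODAY))
    print("brute force then success:", brute_force_then_success(EVENTS))
```

The unknown antivirus event surfaces at severity 3 on the first pass exactly because nothing recognised it; the analyst's `reclassify` call is the SQL severity update the post describes, and the thresholded alarm list shrinks or grows accordingly. The profiling function floors a zero standard deviation so the first deviation from a perfectly regular history is still reported rather than divided away.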

