Security Basics mailing list archives
RE: HIDS recommendations
From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 12 Sep 2003 14:02:47 -0700
There's another category, which includes Entercept and the technology Okena (sp?) built before being acquired by Cisco. These essentially insert shims into key API/syscall interfaces, and log/alert/block calls which are identified as "dangerous". I was running Entercept on a server when a co-worker plugged in a laptop that had a virus that replaced notepad.exe. Norton AntiVirus caught the infected version of notepad.exe when it got written to the server's hard drive; Entercept told me which machine had tried to replace a Windows system file...

David Gillett
-----Original Message-----
From: Jimi Thompson [mailto:jimit () myrealbox com]
Sent: September 11, 2003 21:16
To: tdominico () kermantel net; security-basics () securityfocus com
Subject: Re: HIDS recommendations

Tripwire isn't really intrusion detection, it's more change control. File X was changed on date Y at time Z. If you want HIDS, you have three basic groups of choices of open source products - the firewall types like IPChains/Tables and TCPWrappers and the log watchers like, well, logwatch and scour. Then there's this guy

http://freshmeat.net/projects/idea/?topic_id=152%2C245%2C43%2C1017

I haven't had much chance to play with it yet, but it looks quite promising.

HTH,

Jimi

At 9:28 AM -0700 9/11/03, Tom Dominico, Jr. wrote:

I am interested in using a host-based IDS for a few of our servers that face the Internet and are most vulnerable. The only product I am even slightly familiar with is Tripwire, which apparently comes in free and non-free variants. I am interested in your experiences and recommendations. Eventually I would like to team this up with some sort of NIDS, but that's a fairly large undertaking, from what I've gathered. I thought that it might be easier to start off with HIDS. My servers are currently Windows-based, but there will most likely be a Linux or BSD box in the mix very shortly. They run basic services such as web, mail, etc. Any thoughts? Thanks.

Tom Dominico

---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Precisely Define and Implement Network Security
- Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW - FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------
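The "change control" behaviour Jimi describes for Tripwire (File X was changed on date Y at time Z), and the replaced notepad.exe that David's tools caught, both come down to a baseline of file digests compared against a later snapshot. The following Python is an added example written for this archive page, not code from Tripwire, Entercept or any poster on the thread; the function names (take_baseline, compare, report, demo) and the sample files it creates in a temporary directory are my own constructions.

```python
"""Tripwire-style file integrity baseline and comparison (added example)."""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict:
    """Record digest, size and mtime of every regular file under root.

    Keys are paths relative to root so two snapshots of the same tree line up.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mtime": st.st_mtime,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return added, removed and changed paths between two snapshots.

    'changed' is decided by digest, not size or mtime: a trojaned binary can be
    padded to the original size and have its timestamp reset, but it cannot
    keep the same SHA-256.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {"added": added, "removed": removed, "changed": changed}


def report(diff: dict, current: dict) -> list:
    """Human-readable lines in the 'File X was changed on date Y at time Z' form."""
    lines = []
    for p in diff["changed"]:
        when = datetime.fromtimestamp(current[p]["mtime"], tz=timezone.utc)
        lines.append(f"File {p} was changed on {when:%Y-%m-%d} at {when:%H:%M:%S} UTC")
    for p in diff["added"]:
        lines.append(f"File {p} was added")
    for p in diff["removed"]:
        lines.append(f"File {p} was removed")
    return lines


def demo() -> dict:
    """Constructed scenario: a 'system file' gets replaced, as in the notepad.exe story.

    Everything here is fake sample data created in a temporary directory.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notepad.exe").write_bytes(b"original editor binary")
        (root / "calc.exe").write_bytes(b"calculator")
        (root / "readme.txt").write_bytes(b"docs")
        baseline = take_baseline(root)

        # Simulate the infection: the replacement is the SAME size as the
        # original (22 bytes), so only the digest reveals it. One file is
        # dropped and one removed as well.
        (root / "notepad.exe").write_bytes(b"trojaned editor binary")
        (root / "dropper.exe").write_bytes(b"payload")
        (root / "readme.txt").unlink()

        current = take_baseline(root)
        diff = compare(baseline, current)
        diff["report"] = report(diff, current)
        return diff


if __name__ == "__main__":
    for line in demo()["report"]:
        print(line)
```

The design point that separates this toy from a deployable checker is where the baseline lives: if the dictionary returned by take_baseline is written to the same host it monitors, the intruder who replaced the file can also rewrite the record of it, so the baseline has to be kept signed or on read-only media and the comparison run from a trusted binary. That is also why this approach is change control rather than detection in the sense David describes: it reports the replacement after the fact, whereas an API/syscall shim sees the write as it happens and can name the caller.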
Current thread:
- HIDS recommendations Tom Dominico, Jr. (Sep 11)
- RES: HIDS recommendations Eduardo Sanches (Sep 11)
- Re: HIDS recommendations Jimi Thompson (Sep 12)
- RE: HIDS recommendations David Gillett (Sep 12)
- <Possible follow-ups>
- RE: HIDS recommendations Megan Golding (Sep 12)