RE: HIDS recommendations

["David Gillett" <gillettdavid () fhda edu>]

  There's another category, which include Entercept and the 
technology Okena (sp?) built before being acquired by Cisco.
These essentially insert shims into key API/syscall interfaces,
and log/alert/block calls which are identified as "dangerous".
  I was running Entercept on a server when a co-worker plugged
in a laptop that had a virus that replaced notepad.exe.  Norton
AntiVirus caught the infected version of notepad.exe when it got
written to the server's hard drive; Entercept told me which 
machine had tried to replace a Windows system file....

David Gillett


> -----Original Message-----
> From: Jimi Thompson [mailto:jimit () myrealbox com]
> Sent: September 11, 2003 21:16
> To: tdominico () kermantel net; security-basics () securityfocus com
> Subject: Re: HIDS recommendations
>
>
> Tripwire isn't really intrusion detection, it's more change control. 
> File X was changed on date Y at time Z.  If you want HIDS, you have a 
> three basic groups of choices of open source products -  the firewall 
> types like IPChains/Tables and TCPWrappers and the log watchers like 
> well, logwatch and scour.
>
> Then there's this guy
>
> http://freshmeat.net/projects/idea/?topic_id=152%2C245%2C43%2C1017
>
> I haven't had much chance to play with it yet, but it looks 
> quite promising.
>
> HTH,
>
> Jimi
>
>
> At 9:28 AM -0700 9/11/03, Tom Dominico, Jr. wrote:
> > I am interested in using a host-based IDS for a few of our 
> servers that
> > face the Internet and are most vulnerable.  The only product 
> I am even
> > slightly familiar with is Tripwire, which apparently comes 
> in free and
> > non-free variants.  I am interested in your experiences and
> > recommendations.  Eventually I would like to team this up 
> with some sort
> > of NIDS, but that's a fairly large undertaking, from what 
> I've gathered.
> > I thought that it might be easier to start off with HIDS.  My servers
> > are currently Windows-based, but there will most likely be a Linux or
> > BSD box in the mix very shortly.  They run basic services 
> such as web,
> > mail, etc.  Any thoughts?  Thanks.
> >
> > Tom Dominico
> >
> >
> > -------------------------------------------------------------
> --------------
> > Captus Networks
> > Are you prepared for the next Sobig & Blaster?
> >  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> >  - Precisely Define and Implement Network Security
> >  - Automatically Control P2P, IM and Spam Traffic
> > FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
> > http://www.captusnetworks.com/ads/42.htm
> > -------------------------------------------------------------
> ---------------
>
>
> --------------------------------------------------------------
> -------------
> Captus Networks 
> Are you prepared for the next Sobig & Blaster? 
>  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
>  - Precisely Define and Implement Network Security 
>  - Automatically Control P2P, IM and Spam Traffic 
> FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
> http://www.captusnetworks.com/ads/42.htm
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------