IDS mailing list archives

Re: Low cost HID based IDS system


From: "SecurIT Informatique Inc." <securit () iquebec com>
Date: Mon, 19 May 2003 15:29:37 -0400

Hello all. It just happens that I will be releasing at the end of the week just what you are looking for. I will be releasing on my company website (http://securit.iquebec.com) a series of tools, some of them updates to existing ones, and some completely new, and I think that taken together the package will probably change the way we look at intrusion detection.

First of all, I will be releasing LogAgent 4.0, both in Open Source and Pro version. This is a tool for monitoring and centralising ascii log files and the Events from the Event Viewer. New with version 4.0 is that there are 2 companion tools that ship freely with it, and are completely Open Source. These tools are ADSScan, an alternate data streams scanner, and the combo HashGen and IntegCheck, which is a classical HID system. These 2 tools don't necessarily require LogAgent to run, although they need one of its configuration files. They are command prompt tools; the Pro version offers some more functionality (produces some forensics-related data), ships with a 5-machine license, and licensing costs will be low enough to make it affordable to deploy on each host on the network, not simply the servers (exact prices still have to be determined, see my webpage next week for numbers).

As a side tool, there is also ComLog 1.05, available both in Open Source and Pro versions, which is a Command Prompt logger, useful to monitor activities taken by crackers on compromised machines. Sessions are kept in ascii log files, which can then be centralized with LogAgent.

And finally, what will probably be of the most interest for you, the console, is handled by my most recent tool, LogIDS 1.0, also available in Open Source and Pro versions (Pro contains more features, such as automatic handling of ComLog, Event Viewer or Snort logs), and can be best described as a multi-windowed log monitoring and analysis intrusion detection system. What I mean by "multi-windowed" is that unlike the other "log analysis" software out there, my GUI is not a simple display of log lines after log lines in one single screen; instead, the GUI represents a logical representation of your network map, where each node (be it a machine or a subnet) has its own window where logs relating to this machine will get displayed. LogIDS also comes with intuitive icons that can help visualize the actions reported by the logs even before you actually look at the data, and can emit sounds for alerts and warnings. The cost will also be affordable, and will include licenses for LogAgent as well. The main strength of this tool is that it gains from the strengths of the other security tools deployed in your environment: HID (IntegCheck and ADSScan), Event Viewer, ComLog, supplemental data generated by LogAgent 4.0 Pro, but also the popular NID Snort, personal firewalls like ZoneAlarm or Outpost, and antivirus, just to name a few.

I will not make this e-mail any longer describing these tools; to do them real justice I'd almost have to put in the whole doc. But this should be enough to explain the main principles behind these tools and how they can help you (and many others, I hope) in your task. I will publish announcements in the mailing lists when this software is available online, but you can expect it by the end of this week or the beginning of the next.

Hope this helps.

Adam Richard, aka Floydman
http://securit.iquebec.com
securit () iquebec com
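The HashGen / IntegCheck pair described above is a classical host-based integrity checker: one pass records a hash of every file (the baseline), a later pass re-hashes the tree and reports what was added, removed or modified, and the findings can be written as ascii log lines for a collector to centralise. The following is an added example of that technique; it is not code from LogAgent, HashGen, IntegCheck or the author. It assumes SHA-256 as the hash and a JSON file as the baseline store (the post names neither), and the sample file tree, the tampering and the log-line format are constructed here.

```python
"""Minimal host-based file-integrity checker (added example, not LogAgent code).
Assumptions: SHA-256 as the digest, JSON as the baseline store, and a
'host integcheck KIND path' log line format, all chosen for this example."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream the file through SHA-256 so large files never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """HashGen step: record a digest and size for every regular file under root.
    Keys are POSIX-style paths relative to root so a baseline is portable."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue  # only hash real file content, not links or specials
            rel = full.relative_to(root).as_posix()
            baseline[rel] = {"sha256": hash_file(full), "size": full.stat().st_size}
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def integrity_check(baseline: dict, root: Path) -> dict:
    """IntegCheck step: re-hash root and report differences from the baseline."""
    current = build_baseline(root)
    old, new = set(baseline), set(current)
    modified = sorted(p for p in old & new
                      if baseline[p]["sha256"] != current[p]["sha256"])
    return {"added": sorted(new - old),
            "removed": sorted(old - new),
            "modified": modified}


def format_report(host: str, findings: dict) -> list:
    """One ascii log line per change, suitable for a log collector to pick up."""
    lines = []
    for kind in ("added", "removed", "modified"):
        for p in findings[kind]:
            lines.append(f"{host} integcheck {kind.upper()} {p}")
    return lines


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "login").write_bytes(b"original login binary\n")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("welcome\n")

        # Baseline lives outside the monitored tree so it is not hashed itself.
        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), store)

        # Simulated changes: replaced binary, deleted file, new hidden file.
        (root / "bin" / "login").write_bytes(b"replaced login binary\n")
        (root / "etc" / "motd").unlink()
        (root / "etc" / ".hidden").write_text("unexpected\n")

        findings = integrity_check(load_baseline(store), root)
        for line in format_report("hostA", findings):
            print(line)
        return findings


if __name__ == "__main__":
    demo()
```

The baseline is the trust anchor of the whole scheme: if it sits writable on the same host, whoever can alter a monitored file can also rewrite the baseline to match, so in a deployment like the one asked about it belongs on the central console (or at least signed), with only the per-host check running locally and shipping its log lines back.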

At 01:17 AM 16/05/2003, Zach Forsyth wrote:

Hi,

I just wanted to ask if anyone out there had some ideas in regards to
deploying a low cost HID based IDS system.
The problem I have is that a few of our clients are quite small and
whilst I would love to deploy a NID out to all of them they just can't
justify that sort of cost.
I need to set up a managed type of IDS service that is centrally
controlled by us and has a low cost per month to all of our clients.

My plan would be to use HID type server sensors where needed and have
them all feeding information back to a console that is centrally
managed.
The per server cost is then low enough to keep clients interested and
the centralized console cost is split over multiple clients on a monthly
basis.
I can see that they would all be happy paying those sorts of costs.

Although, I don't want to deploy this if it is not likely to work in a full
production environment, and provide accurate timely results to the
central console.

Has anyone else set up something similar to this?
Can anyone see any problems or an alternative solution?

I realise that there are a huge number of variables that dictate the
configuration and requirements for a system such as this, but I am
looking for some general ideas and discussion from people that have a
lot more knowledge than me with this type of deployment.

Any help would be appreciated.

Thanks in advance

Zach

-------------------------------------------------------------------------------
INTRUSION PREVENTION: READY FOR PRIME TIME?

IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities
- including intrusion identification, relevancy, direction, impact and analysis
- enabling a path to prevention.

Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at:
http://www.securityfocus.com/IntruVert-focus-ids2
-------------------------------------------------------------------------------
