IDS mailing list archives

Re: Entercept HIDS Question


From: "gatekeeper" <gatekeeper () globenet com ph>
Date: Thu, 4 Mar 2004 07:54:22 +0800

We bought Entercept along with a Cisco IDS 4250 appliance (Entercept used to
be Cisco HIDS; now Cisco packages the Okena HIDS). We had it running both
for Windows and Solaris. No issues on Windows; we have our signatures
fine-tuned via Console Manager. On Unix, the process penalty is about 3-4% in
normal operation. I say normal because one has to understand that Entercept
sits around the kernel. It catches sys calls from apps and validates them
against specific signatures (for known attacks) or generic signatures (used to
catch unknown attacks). This works because sys calls are clearly documented
in such a way that a deviation would surely be tagged as malicious. So the
process cost would depend on the number of such calls.

I think this concept is nothing different to a hacker methodology of
redirecting sys calls to a trojaned binary, only it is being used here in a
noble way ;-)

You can find the evaluation report at www.nss.co.uk

regards,
jun g.
"hiding in plain sight"
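
Sam's question about the file-integrity side (baselines, exclusions, policies) and the point above that cost scales with how much the agent has to inspect can both be illustrated with a Tripwire-style checker. The following is an added example, not Entercept's or Tripwire's code: it snapshots a tree (SHA-256, permission bits, size), applies an exclusion policy, and reports added, removed and changed files; the directory layout and glob patterns are constructed for the demo.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# Exclusion policy (constructed): glob patterns for files expected to change legitimately.
DEFAULT_EXCLUDES = ("*.log", "*/tmp/*", "*.swp")
def excluded(rel: str, patterns=DEFAULT_EXCLUDES) -> bool:
    """True if a relative POSIX path matches any exclusion pattern."""
    return any(fnmatch.fnmatch(rel, p) for p in patterns)
def baseline(root, excludes=DEFAULT_EXCLUDES) -> dict:
    """Map relative path -> (sha256, permission bits, size) for every non-excluded regular file."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if excluded(rel, excludes):
            continue
        st = p.stat()
        # read_bytes() is fine for a demo tree; hash in chunks for large files
        snap[rel] = (hashlib.sha256(p.read_bytes()).hexdigest(), st.st_mode & 0o7777, st.st_size)
    return snap

def compare(old: dict, new: dict) -> dict:
    """Classify differences the way a Tripwire-style integrity report does."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }

def demo() -> dict:
    """Constructed scenario: take a baseline, then change, add, remove and touch an excluded file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original binary")
        (root / "etc.conf").write_text("setting=1\n")
        (root / "app.log").write_text("line1\n")
        before = baseline(root)
        (root / "bin" / "login").write_bytes(b"modified binary")  # content change -> "changed"
        (root / "bin" / "extra").write_bytes(b"new file")          # new file -> "added"
        (root / "etc.conf").unlink()                               # deleted -> "removed"
        (root / "app.log").write_text("line1\nline2\n")            # excluded by policy -> silent
        return compare(before, baseline(root))

if __name__ == "__main__":
    print(demo())  # {'added': ['bin/extra'], 'removed': ['etc.conf'], 'changed': ['bin/login']}
```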

----- Original Message ----- 
From: <Josh.Berry () compucom com>
To: <sam () neuroflux com>
Cc: <focus-ids () securityfocus com>
Sent: Wednesday, March 03, 2004 2:25 AM
Subject: RE: Entercept HIDS Question


My company bought Entercept and then immediately removed it from
production, if that tells you anything. It caused blue-screens like
crazy, huge performance issues, and blocked an inordinate amount of
allowed traffic. This was even in detect-only mode.

-----Original Message-----
From: sam () neuroflux com [mailto:sam () neuroflux com]
Sent: Tuesday, March 02, 2004 11:31 AM
To: focus-ids () securityfocus com
Subject: Entercept HIDS Question

Hello. We are currently in the process of selecting a HIDS-based
product, and according to the Entercept sales person, they claim that the
product has a feature that works very much like Tripwire.

My question here is how much overhead does it add to a server to watch
the filesystem in real time? And, if we already have Tripwire, would
their file integrity checking process be enough to replace Tripwire?

And, if anyone is currently using the Entercept HIDS product, I'm
wondering how easily it can be managed (not only from the HIDS piece, but
from the file integrity standpoint -- excluding files, creating policies,
etc.)

Thanks!
-Sam



---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
ownership.

Download your free trial at
http://www.securityfocus.com/sponsor/Astaro_focus-ids_040301
---------------------------------------------------------------------------