IDS mailing list archives

RE: using HIDS for change control


From: "Rivera,Angel L." <ARIVERA () mitre org>
Date: Fri, 26 Aug 2005 13:21:09 -0400

It has been a while since I used Tripwire but I believe you manually run it
to detect changes - I think HIDS have two components - one checks at the
network level - the other looks at system logs for specific events - both in
close to real time. One assumption is that system logs are recording
changes to system configuration settings - Advantage of HIDS is the
detection in real time of this change - it also eases the burden of having
to run Tripwire repeatedly. The security person only needs to run Tripwire
if it detects a HIDS alert.

-----Original Message-----
From: Ron Gula [mailto:rgula () tenablesecurity com] 
Sent: Thursday, August 25, 2005 5:25 AM
To: Rivera,Angel L.; focus-ids () lists securityfocus com
Subject: RE: using HIDS for change control

Yes. Tripwire does this. Their underlying technology detects change.

Ron Gula, CTO
Tenable Network Security


On Thu, 25 Aug 2005 5:21am, Rivera,Angel L. wrote:
Does anyone on this list know of a sponsor that is using HIDS to monitor
changes to a system's (Unix & Windows) configuration?

The goal is to build a server according to specs (this would include
hardening of the OS + agency specific security settings) then use a HIDS
to detect and alert on any changes.

Theoretically speaking, I know this can be done, but is anyone doing this?


-----------------------------------------------------------------------
-
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.

-----------------------------------------------------------------------
-
--rgula




