IDS mailing list archives

Re: Need some information on HIDS!


From: "SecurIT Informatique Inc." <securit () iquebec com>
Date: Mon, 28 Feb 2005 13:48:48 -0500

Hello. I have already invoked such a scenario in some of my previous IDS work/articles. What I had in mind is something like encrypting the whole network traffic, to prevent sniffing from intruders (let's say wall-to-wall SSH, for example). In such an environment, if you still wanted to keep some NIDS capabilities, you'd actually have to install NIDS software (Snort comes to mind) on every host on the network, in non-promiscuous mode (since sniffing the rest of the network traffic is useless, as it is encrypted).

I had the opportunity to discuss this possibility with Allan Paller of SANS and with Eugene Schultz last year during the Seguridad en Computo conference in Mexico, and they agreed with me that theoretically and technically, this should be working. However, in practice, they oversaw the chance that the volume of logs to analyze would simply be too enormous to be analyzed, even with the aid of specialized software.

The log management problem arose in my mind long before I was playing with such ideas as host-based NIDS, and I think that these problems can be overridden with real-time and distributed log analysis, coupled with the rest of the security measures present on the network. That's one of the reasons that led me to develop LogAgent, LogIDS and LogMonitor, a set of agents and consoles for monitoring, analysing and displaying logs. I also made a bunch of other HIDS tools. They can be downloaded at http://securit.iquebec.com/ (the website may be slow, I'm working on improving these conditions soon).

I don't know if this is what you had in mind, but I'd like to hear what other people may think about this topic.

Adam Richard, aka Floydman
SecurIT Informatique Inc.
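The architecture above (a sensor on every host seeing only its own cleartext, with alerts shipped to a console for real-time, distributed analysis) is easiest to reason about with a small model. The following is an added example, not code from LogAgent, LogIDS, LogMonitor or Snort: a parser for Snort "fast"-style alert lines, a per-host aggregator that collapses repeated alerts from one source inside a time window, and a cross-host step that notices the same source hitting several sensors. The alert lines, host names and addresses are constructed for the example, and the 60-second window and two-host sweep threshold are assumptions, not values from the post. The point it illustrates is the volume problem the post raises: seven parseable alerts become four records plus one sweep event, and malformed lines are counted rather than silently dropped.

```python
"""Toy model of per-host sensors plus a central log correlator.

Added example (not LogAgent/LogIDS/Snort code). Alert lines are constructed
in a Snort "fast" alert-like layout; hosts and addresses are made up.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts, keyed by the host whose local sensor produced
# them. Each sensor runs non-promiscuously, so it only sees its own traffic.
SAMPLE_ALERTS = {
    "host-a": [
        "02/28-13:40:01.000000 [**] [1:1000001:1] CONSTRUCTED SSH brute-force probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:40001 -> 10.0.0.5:22",
        "02/28-13:40:12.000000 [**] [1:1000001:1] CONSTRUCTED SSH brute-force probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:40002 -> 10.0.0.5:22",
        "02/28-13:40:40.000000 [**] [1:1000001:1] CONSTRUCTED SSH brute-force probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:40003 -> 10.0.0.5:22",
        "02/28-13:41:05.000000 [**] [1:1000002:1] CONSTRUCTED odd ICMP payload [**] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.5",
        "this line is deliberately malformed and must be counted, not dropped",
    ],
    "host-b": [
        "02/28-13:40:20.000000 [**] [1:1000001:1] CONSTRUCTED SSH brute-force probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:40010 -> 10.0.0.6:22",
        "02/28-13:40:55.000000 [**] [1:1000001:1] CONSTRUCTED SSH brute-force probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:40011 -> 10.0.0.6:22",
    ],
    "host-c": [
        "02/28-13:52:30.000000 [**] [1:1000001:1] CONSTRUCTED SSH brute-force probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:40020 -> 10.0.0.8:22",
    ],
}

# Fast-alert layout: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, src[:port] -> dst[:port].
# Ports are optional so ICMP lines parse too.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: [^\]]+\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Return a dict for one alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    a = m.groupdict()
    # The fast format carries no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used here.
    a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
    a["sid"] = int(a["sid"])
    a["prio"] = int(a["prio"])
    return a


def aggregate(alerts_by_host, window_seconds=60):
    """Collapse alerts with the same (host, sid, src) inside a window.

    Returns (records, unparsed_count). Each record carries a count and the
    first/last time seen, which is what a console needs to show instead of
    every raw line.
    """
    parsed, unparsed = [], 0
    for host, lines in alerts_by_host.items():
        for line in lines:
            a = parse_alert(line)
            if a is None:
                unparsed += 1          # surface parser failures as a metric
                continue
            a["host"] = host
            parsed.append(a)
    parsed.sort(key=lambda a: a["ts"])  # merge the per-host streams in time order

    open_buckets, records = {}, []
    for a in parsed:
        key = (a["host"], a["sid"], a["src"])
        b = open_buckets.get(key)
        if b is None or (a["ts"] - b["first_seen"]).total_seconds() > window_seconds:
            b = {"host": a["host"], "sid": a["sid"], "msg": a["msg"],
                 "src": a["src"], "first_seen": a["ts"], "last_seen": a["ts"],
                 "count": 0}
            open_buckets[key] = b
            records.append(b)
        b["count"] += 1
        b["last_seen"] = a["ts"]
    return records, unparsed


def find_sweeps(records, min_hosts=2):
    """Cross-host view: the same (sid, src) reported by several sensors.

    A single non-promiscuous sensor cannot see this; only the console can.
    """
    hosts = defaultdict(set)
    for r in records:
        hosts[(r["sid"], r["src"])].add(r["host"])
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}


def summarize(alerts_by_host, window_seconds=60):
    """One-shot console summary: raw volume versus what an analyst sees."""
    records, unparsed = aggregate(alerts_by_host, window_seconds)
    return {
        "raw": sum(len(v) for v in alerts_by_host.values()),
        "parsed": sum(r["count"] for r in records),
        "unparsed": unparsed,
        "records": records,
        "sweeps": find_sweeps(records),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS)
    print(f"raw={s['raw']} parsed={s['parsed']} unparsed={s['unparsed']} records={len(s['records'])}")
    for r in s["records"]:
        print(f"  {r['host']} sid={r['sid']} src={r['src']} x{r['count']}: {r['msg']}")
    for (sid, src), hosts in s["sweeps"].items():
        print(f"sweep: sid={sid} src={src} hit {', '.join(hosts)}")
```

The window keyed on (host, sid, src) is the per-agent reduction step; the sweep table is the part that only exists once the agents report to one place, which is the argument for distributed collection feeding a central console rather than leaving each host's log on that host.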

At 03:51 AM 25/02/2005, peng xuena wrote:

hi, all:

Recently, I am interested in host-based IDS and want to design a host-based network traffic monitoring system which monitors the network traffic of the local host. I wonder if there is already any such system. Can all of you give me some suggestions on this?

Thanks a lot!


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------



