Information Security News mailing list archives

Re: Linux snares security tool


From: InfoSec News <isn () c4i org>
Date: Fri, 9 Nov 2001 02:57:46 -0600 (CST)

Forwarded from: security curmudgeon <jericho () attrition org>
cc: nicole.bellamy () zdnet com au, errata submission <errata () attrition org>

http://www.zdnet.com/zdnn/stories/news/0,4586,2822782,00.html

By Nicole Bellamy
ZDNet Australia 
November 6, 2001 5:46 PM PT
 
InterSect Alliance says it has developed the first integrated security
auditing and event logging subsystem for the open source Linux operating
system, beating much larger organizations to the punch. 

Unless there is more to it, this claim is completely wrong.

Hell, one could argue that "syslog" matches this description since it
will log audit related events.

According to Leigh Purdie, director and principal security
consultant, this is the first release of code for a host-based
intrusion detection system, although there have been inroads made
into the development of source code to address network-based
intrusion detection.

Oh, so now it's an IDS for Linux, and the first?

So I guess LIDS (www.lids.org) doesn't count?

And of course Marty over at Snort must be horribly disappointed by
this revelation. (www.snort.org)

And damn, the folks from Tripwire must be sawing at their wrists too.
Tripwire was open source and running on Linux when... 1992 or 1993?

Side note:

I have been told that the cluebag journalist Nicole Bellamy actually
had the nerve to say that her "experts" told her this load of shit,
despite this whole article reading like a press release. If true, her
experts are more in the field of snorting drugs it seems.

More amusing:

Google for "intrusion detection system linux" and the first two hits
are LIDS and Snort.

The two systems differ in that while a network-based intrusion
detection tool enables the user to determine when an intrusion is
being attempted, the host-based system allows the user to identify
when an intrusion has been successful.

Ok so we make the qualification of NIDS vs HIDS here, and that explains
Tripwire how?

The Snare auditing subsystem is designed to "enhance an
organization's ability to detect suspicious activity by monitoring
system and user actions", as stated in its release report.

/yawn

This is old news in the IDS field. Also old news in the Linux IDS
field.

Snare fills Linux security void

The lack of integrated security features--perceived or actual--has
long been a barrier to widespread Linux adoption.

So a ZDNet article mentioning YALBI (Yet Another Linux Based IDS) is
going to shatter that perception? Something tells me that if it were
really that easy, it would have been done by now.

http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2821245,00.html

October 30, 2001 

  "Three useful intrusion detection tools come with the OLS 3.1 package. 
  Tripwire lets you take a snapshot of a system's critical software
  executables and configuration files and later compare it with a snapshot
  of the current running system. The PortSentry module automatically
  monitors for port scans and unauthorized access attempts. And LogCheck
  digests large system log files and points out log entries that may
  indicate that a system has been compromised."

Oh I know, that was only 7 days before this article and you may not
have known about it yadda yadda /excuse etc.

http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2453339,00.html

February 29, 2000 

  Security mavens have long agreed that open-source security is the best
  security. It's a pity that their bosses usually disagree. Until now,
  that is. TripWire Inc., long a free-software proponent, has decided to
  cannonball into the open-source waters.

Now, did we forget to search ZDNet for articles on the very same thing
you are writing about now? Please, let's remember Journalism 101 here.

According to an InterSect Alliance report, "the lack of host-based
intrusion detection in the form of an auditing system, has been cited
in the past by organizations as a significant contributor to the
decision to choose alternative operating systems over Linux in
operational roles."

What organizations? Where are these quotes?

While working on similar tools for other operating systems, such as
Sun's Solaris and Microsoft's Windows NT--all of which contained an
audit collection subsystem--the company realized the lack of this
feature in Linux, and "thought something was missing," according to
Purdie.

Err, perhaps I am just out of the loop here, but what does Sun/Solaris
offer natively that Linux doesn't in the way of "audit collection
subsystems"? I haven't kept up with Solaris after 2.6 really but I
just don't see it offering that much more.

While eight months seems minimal in software development terms, Purdie
maintains that Snare is actually the culmination of ten years' work
into the host-based intrusion detection system, added to a combined
total of more than twenty years' experience in security for the
directors.

So it's based on ten years of work, yet is being released some *9*
years after Tripwire was? Why aren't "FRAUD" bells going off at this
point?

Gah. It is clear to me that this is a total fluff piece that could
pass for a press release with a few minor changes. No background was
done, no experts consulted. In fact, had Nicole Bellamy talked to
other *respected* ZDNet journalists who often write about security
past or present (Rob Lemos, Alexander Wellen, Michael Fitzgerald), she
would have realized what a joke this was, and what kind of complete
bullshit this company was spewing.

Chalk another up for Errata (http://attrition.org/errata/).

Oh, any insipid legal threats from Nicole Bellamy will be published
along with this errata, since that seems to be her trend based on
talking to others. (For the ISN crowd: she has threatened to sic her
pet lawyers on someone who works in the open source community for
telling her this article was full of shit.)
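The post's NIDS vs HIDS point, and the quoted description of Tripwire ("take a snapshot of a system's critical software executables and configuration files and later compare it with a snapshot of the current running system"), boil down to one technique: a host-based baseline-and-compare. The following is an added illustration written for this archive page; it is not code from the original post, from Tripwire, or from Snare. It hashes a directory tree, stores the digests as a baseline, and reports files added, removed or modified since, using a throwaway tree of constructed sample files (the "trojaned login", the extra passwd line and the ld.so.preload file are invented test data, not real artifacts).

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Walk `root` and return {relative_posix_path: sha256 hex digest} for every regular file.

    This is the "baseline" half of a Tripwire-style host-based check: a content
    fingerprint of each file, taken while the system is believed to be clean.
    """
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if not full.is_file():  # skip sockets, fifos and dangling symlinks
                continue
            rel = full.relative_to(root).as_posix()
            baseline[rel] = hashlib.sha256(full.read_bytes()).hexdigest()
    return baseline


def compare(baseline, current):
    """Diff two snapshots; a non-empty result is the HIDS signal that something changed."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def demo():
    """Build a constructed sample tree, baseline it, tamper with it, and re-check.

    Returns the compare() report so the outcome can be inspected programmatically.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        # constructed sample data standing in for critical binaries and configs
        (root / "bin" / "login").write_bytes(b"\x7fELF original login binary")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = snapshot(root)

        # constructed post-compromise changes: a replaced binary, an edited
        # config, a deleted file and a newly dropped file
        (root / "bin" / "login").write_bytes(b"\x7fELF replaced login binary")
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nintruder:x:1001:1001::/tmp:/bin/sh\n"
        )
        (root / "etc" / "motd").unlink()
        (root / "etc" / "ld.so.preload").write_text("/tmp/example.so\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two design points worth keeping in mind, both of which Tripwire's authors dealt with long before 2001: the baseline has to be stored somewhere the intruder cannot rewrite (offline, read-only media, or at least signed), and the comparison must run from a trusted copy of the tool, because a replaced hashing binary reports whatever it likes. Neither problem is new, which is the curmudgeon's point.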



-
ISN is currently hosted by Attrition.org
