PaulDotCom mailing list archives

Re: Experiences with Immunity's El Jefe


From: Ron Gula <rgula () tenable com>
Date: Mon, 06 Jun 2011 07:21:24 -0400

On 6/5/2011 9:02 AM, Marius wrote:
> Hi!
> 
> Since no one answered, I'll try my best here.
> 
> On 24 May 2011 16:04, Beetz <beetz.security () gmail com> wrote:
> > I'd be interested to hear the community's experiences with El Jefe - for
> > example has anyone deployed it in a limited basis in a production
> > environment,
> 
> First of all I would recommend the ElJefe mailing list. You'll have
> better luck finding experience there.
> 
> I deployed ElJefe and beta-tested several releases. The interesting
> point for me was seeing it log me exploiting applications on Windows
> hosts. For a VM hacking lab ElJefe is quite recommendable. But for a
> large production environment I'd only monitor important key assets and
> not every application due to false-positives and performance issues.

Hi Marius,

I'm a big fan of performing process monitoring and would love more
feedback from you.

What sort of performance issues did you see? Did the OS run slower with
this level of monitoring? I'm curious what level of performance you
already had before installing ElJefe. I'm also curious what impact to
the system something like enabling process audit logging (if you are on
Windows) may have had. This is how we gather logs like that for our
Tenable products.

Also, what kind of false positives did you see? Were there actual cases
where a process was logged running by ElJefe yet it wasn't there?

Lastly, I agree it does take effort to gather logs and focusing on your
servers is better than not logging any processes at all. However, I
strongly recommend you at least enable process accounting on your
desktop/laptop systems and collect this information.

-- 
Ron Gula, CEO
Tenable Network Security
http://www.tenable.com
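The reply above suggests enabling Windows process audit logging rather than relying only on a third-party agent. The following is an added example, not code from this thread, from Immunity or from Tenable, showing how to switch that auditing on and then measure the event volume and the most frequent process names, which is the data a defender needs to judge the performance and noise concerns Marius raises before rolling it out widely. It assumes a Vista/2008 or later host where `auditpol` exists, an elevated prompt, and the classic 4688 event layout in which property index 5 is "New Process Name" (an assumption to check against your own events).

```powershell
# Added example (not from the thread): enable Windows process-creation
# auditing and summarise the resulting Security event 4688 records so the
# logging load and the noisiest processes can be measured on one host
# before wider deployment. Run from an elevated PowerShell prompt.

# 1. Enable success auditing for the "Process Creation" subcategory.
auditpol /set /subcategory:"Process Creation" /success:enable

# 2. Collect the 4688 events logged during the last hour.
#    Get-WinEvent raises an error when nothing matches, so silence it.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
          -ErrorAction SilentlyContinue

# 3. Event rate: a rough proxy for the logging and collection load.
$count = if ($events) { @($events).Count } else { 0 }
$ratePerMinute = [math]::Round($count / 60, 2)
"4688 events in the last hour: $count (~$ratePerMinute per minute)"

# 4. Top process names. Index 5 is "New Process Name" on the classic 4688
#    layout (assumption: adjust the index if your event layout differs).
#    Processes that dominate this list are the first candidates for a
#    collection-side filter when the volume proves too high.
$events |
  ForEach-Object { $_.Properties[5].Value } |
  Group-Object |
  Sort-Object Count -Descending |
  Select-Object -First 15 Name, Count
```

Run it once on a representative desktop and once on a server: the per-minute rate gives the number to compare with whatever the ElJefe agent produced, and the top-15 list shows where the bulk of the "uninteresting" entries come from so they can be filtered centrally instead of by leaving whole classes of hosts unmonitored.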



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

