Penetration Testing mailing list archives
Re: [PEN-TEST] Audit package
From: Talisker <Talisker () NETWORKINTRUSION CO UK>
Date: Thu, 28 Sep 2000 21:12:10 +0100
H Carvey hit the nail on the head with this
However, keep in mind...regardless of what system you're on, no sort or parsing tool will work if the information isn't being logged. For much of what you're looking for on NT, you need to pay attention not only to the EventLog settings, but ACLs, as well.
Great point, unfortunately one that can't be repeated enough. Another tool to throw into the equation is KSE (formerly CMDS), which will check logs from Solaris, NT, Cisco etc. and look for attack signatures. Moreover, and probably what you were after, you can tag certain users and follow their activities. What (IMHO) sets KSE above some of the other HIDS is that it passes all logs to the manager and stores them in an SQL database; any info you want can be gleaned from a simple query.

There is a plethora of commercial HIDS; it's worth spending a little time to find out which one best meets your requirements:

Abacus Project
Centrax
EMERALD
eXpert-BSM
E-Trust Audit
KSM
Precis
Appshield
CMDS
Entercept
Intruder Alert
Nocol
RealSecure Agent
auditGUARD
Dragon Squire
Entercept Web SE
Kane Secure Enterprise
KSE
praesidium
Swatch

There's a description on each and links to the vendor sites on my site below.

http://www.networkintrusion.co.uk/
The IDS List

                 '''
                (0 0)
  ----oOO----(_)----------
  |    The geek shall    |
  |  Inherit the earth   |
  -----------------oOO----
         |__|__|
          || ||
         ooO Ooo

The opinions contained within this transmission are entirely my own, and do not necessarily reflect those of my employer.

----- Original Message -----
From: "H Carvey" <keydet89 () YAHOO COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Wednesday, September 27, 2000 6:14 PM
Subject: Re: [PEN-TEST] Audit package
I'd like to throw a couple of other tools into the mix, specifically regarding NT... NTObjectives has NTLast, which might also be useful. Of course, using Perl is a great answer. I've written several scripts that pull the EventLogs from NT systems...all that needs to be done is the proper sorting/parsing. However, keep in mind...regardless of what system you're on, no sort or parsing tool will work if the information isn't being logged. For much of what you're looking for on NT, you need to pay attention not only to the EventLog settings, but ACLs, as well.
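As an added illustration of the two points made in this exchange (a parser is only as good as the events that were actually logged, and once the logs sit in a database a tagged user's activity is a simple query), here is a small Python script. It is not code from either poster (H Carvey mentions Perl scripts; this is an independent Python rewrite of the same idea). The event export is a constructed sample in the layout of an NT 4 Security EventLog CSV export, not a real capture; the column names, the list of expected audit categories and the failed-logon threshold are assumptions for the example.

```python
import csv
import io
import sqlite3

# Constructed sample: NT 4-style Security EventLog export (CSV). Not a real capture.
# Event IDs follow the NT 4 Security log numbering (528 logon, 529 logon failure,
# 538 logoff, 560 object open, 576 special privileges assigned).
SAMPLE_EVENTLOG_CSV = """\
Date,Time,Source,Category,EventID,User,Computer,Description
09/27/2000,08:01:12,Security,Logon/Logoff,528,jsmith,NTSRV1,Successful Logon
09/27/2000,08:03:40,Security,Object Access,560,jsmith,NTSRV1,Object Open: C:\\payroll\\salaries.xls
09/27/2000,08:05:02,Security,Privilege Use,576,jsmith,NTSRV1,Special privileges assigned to new logon
09/27/2000,08:15:55,Security,Logon/Logoff,538,jsmith,NTSRV1,User Logoff
09/27/2000,09:10:00,Security,Logon/Logoff,529,guest,NTSRV1,Logon Failure: Unknown user name or bad password
09/27/2000,09:10:03,Security,Logon/Logoff,529,guest,NTSRV1,Logon Failure: Unknown user name or bad password
"""

# Assumed set of audit categories a reviewer expects to see populated when
# the NT audit policy is fully enabled. An empty category is the tell-tale sign
# that the events were never written, so no query on them proves anything.
EXPECTED_CATEGORIES = (
    "Logon/Logoff",
    "Object Access",
    "Privilege Use",
    "Account Management",
    "Policy Change",
)


def load_events(csv_text):
    """Parse the exported EventLog into an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE events (
               date TEXT, time TEXT, source TEXT, category TEXT,
               event_id INTEGER, user TEXT, computer TEXT, description TEXT)"""
    )
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = [
        (r["Date"], r["Time"], r["Source"], r["Category"],
         int(r["EventID"]), r["User"], r["Computer"], r["Description"])
        for r in reader
    ]
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def follow_user(conn, user):
    """Return a tagged user's activity in order (sample is a single day, so
    ordering by the date and time strings is sufficient)."""
    cur = conn.execute(
        "SELECT date, time, event_id, category, description "
        "FROM events WHERE user = ? ORDER BY date, time",
        (user,),
    )
    return cur.fetchall()


def failed_logons(conn, threshold=2):
    """Map user -> count for users with at least `threshold` failed logons (529)."""
    cur = conn.execute(
        "SELECT user, COUNT(*) FROM events WHERE event_id = 529 "
        "GROUP BY user HAVING COUNT(*) >= ?",
        (threshold,),
    )
    return dict(cur.fetchall())


def missing_categories(conn, expected=EXPECTED_CATEGORIES):
    """Expected audit categories with no events at all: probably not being logged."""
    present = {row[0] for row in conn.execute("SELECT DISTINCT category FROM events")}
    return [c for c in expected if c not in present]


if __name__ == "__main__":
    db = load_events(SAMPLE_EVENTLOG_CSV)
    for row in follow_user(db, "jsmith"):
        print("jsmith:", row)
    print("repeated failed logons:", failed_logons(db))
    print("categories with no events (check audit policy and ACLs):",
          missing_categories(db))
```

The last check is the one H Carvey's caveat calls for: before trusting the absence of, say, Account Management events, confirm the category is actually being audited and that the SACLs on the objects of interest are set, otherwise the query is answering a question the log never recorded.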
Current thread:
- [PEN-TEST] Audit package Michael Graham (Sep 27)
- Re: [PEN-TEST] Audit package Frank Heyne (Sep 27)
- Re: [PEN-TEST] Audit package Peter Rietveld (Sep 27)
- <Possible follow-ups>
- Re: [PEN-TEST] Audit package H Carvey (Sep 27)
- Re: [PEN-TEST] Audit package Talisker (Sep 28)
- Re: [PEN-TEST] Audit package Hiromi Yanaoka (Sep 29)
- Re: [PEN-TEST] Audit package Talisker (Sep 29)
- Re: [PEN-TEST] Audit package Talisker (Sep 28)
- Re: [PEN-TEST] Audit package Richard Hutchinson (Sep 28)
- Re: [PEN-TEST] Audit package Jensen, Greg (Sep 28)
- Re: [PEN-TEST] Audit package H Carvey (Sep 29)
- Re: [PEN-TEST] Audit package Mark Teicher (Sep 29)
- Re: [PEN-TEST] Audit package Talisker (Sep 30)