Penetration Testing mailing list archives

Re: [PEN-TEST] Audit package


From: Hiromi Yanaoka <yanaoka () LAC CO JP>
Date: Sat, 30 Sep 2000 01:58:53 +0900

   "Talisker <Talisker () NETWORKINTRUSION CO UK>" wrote:

There's a description on each and links to the vendor sites on my site below
http://www.networkintrusion.co.uk/ The IDS List

I have checked this well-summarized IDS List page.

My search focus for IDS is which HIDS use BSM on Solaris.
I understand that BSM is a powerful way of detecting and tracing
intrusions at the host level.  Yet, it is not widely known, for lack
of good documentation.

You can also find a list of HIDS from:
http://www.securityfocus.com/templates/tools_category.html?category=17&platform=&path=[%20intrusion%20detection%20][%20host%20]

In addition, there are some good papers such as
http://www.securityfocus.com/focus/ids/articles/idsbsm.html
http://www.ce.chalmers.se/staff/sax/unix-sec-log.pdf
and others...

Since BSM keeps logs at a very low level (system call level) and
provides details on what an intruder actually did, BSM is a
nice tool for forensic cases as well.  Yet, this also means you
end up with huge logs which are incomprehensible and unreasonable
to trace with human eyes.  Therefore, it is of no use unless
there is a system which interprets them into human-readable form; as the
paper above points out, you need some kind of scripts or something
to make BSM more useful.  Although BSM includes some utilities,
their features are limited.  If you want to *analyze* logs, you need
something else.

So, my question is which ones are the ones that make BSM
more useful.  Please forgive me if my question overlaps some of
the threads from the IDS ML, or if this is unrelated to this ML.

From what I have found out so far, those using BSM are as follows
(from Talisker's post):

EMERALD eXpert-BSM
RealSecure Agent  auditGUARD

#Since the due date for my search is coming up, I have decided to
#throw a question here.


Thanx.

Ciao

--Hiromi
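An illustration of the kind of script the post says BSM needs, added here as an example and not part of the original message or of any product it names: it groups praudit-rendered tokens into records and summarises them per audit-id, so that actions carried out after su(1M) still trace back to the login user. The token layout (header/path/subject/return fields) and the sample records are my assumptions, constructed for the example.

```python
"""Summarise Solaris BSM audit records rendered by praudit(1M).
Assumed input (simplified): praudit's default text form, one token per
line, each record starting with a 'header,' token."""
from collections import defaultdict

# Constructed sample: user 1001 runs ls, fails to read /etc/shadow,
# su's to root, then runs id as uid 0 under the same audit-id.
SAMPLE = """\
header,113,2,execve(2),,Sat Sep 30 01:58:53 2000, + 120 msec
path,/usr/bin/ls
subject,1001,1001,10,1001,10,2345,2345,0 0 host
return,success,0
header,100,2,open(2) - read,,Sat Sep 30 01:59:12 2000, + 9 msec
path,/etc/shadow
subject,1001,1001,10,1001,10,2346,2345,0 0 host
return,failure: Permission denied,-1
header,113,2,execve(2),,Sat Sep 30 01:59:30 2000, + 5 msec
path,/usr/bin/su
subject,1001,1001,10,1001,10,2347,2345,0 0 host
return,success,0
header,113,2,execve(2),,Sat Sep 30 02:00:00 2000, + 0 msec
path,/usr/bin/id
subject,1001,0,0,0,0,2348,2345,0 0 host
return,success,0
"""

def parse_records(text):
    """Group token lines into records: {token name: [fields]} per record."""
    records, current = [], None
    for line in text.splitlines():
        name, _, rest = line.partition(",")
        if name == "header":
            current = {"event": rest.split(",")[2]}  # event name field
            records.append(current)
        elif current is not None:
            current[name] = rest.split(",")
    return records

def summarise(records):
    """Per audit-id: event count, exec'd paths and failed calls.  The
    audit-id (first subject field) is fixed at login, so it still names
    the original user after su(1M) has changed the effective uid."""
    summary = defaultdict(lambda: {"events": 0, "execs": [], "failures": []})
    for r in records:
        s = summary[r["subject"][0]]
        s["events"] += 1
        if r["event"].startswith("execve"):
            s["execs"].append(r["path"][0])
        if r["return"][0].startswith("failure"):
            s["failures"].append((r["event"], r["path"][0]))
    return dict(summary)
```

Run `summarise(parse_records(SAMPLE))`; on a real system the input would come from `praudit` reading the audit trail files.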

