Host based IDS methodology and testing
From: Curt Wilson (cwilson@denmac.com)
Date: 10/26/01
- Previous message: Dragos Ruiu: "RE: IDS Testing"
- Next in thread: Abe L. Getchell: "RE: Host based IDS methodology and testing"
- Reply: Abe L. Getchell: "RE: Host based IDS methodology and testing"
- Reply: Michael Coliton: "Re: Host based IDS methodology and testing"
- Reply: Mark Crosbie: "Re: Host based IDS methodology and testing"
Message-Id: <sbd97f4e.087@denmac.com>
Date: Fri, 26 Oct 2001 15:20:19 -0500
From: "Curt Wilson" <cwilson@denmac.com>
To: <focus-ids@securityfocus.com>
Subject: Host based IDS methodology and testing

We are in the process of reviewing various host-based IDS tools. So far, we've taken a look at Entercept (the Cisco version) and are preparing to look at NetworkIce/ISS, and NFR Secure Log Repository (SLR). Entercept and BlackIce seem to take a step beyond the detection methodology and actually prevent attacks. Then there are specific tools for IIS, such as SecureIIS and urlscan, but we want something more broad that can cover more ground. Ideally, the tool would work on NT/2K and various flavors of Unix.
In this process, I would like to put together or find a methodology that others have used to test host-based IDS. If I can't find one I'll make one myself, but wanted to avoid recreating the wheel if possible.
Any production experience with any of the above products, or any host IDS products not mentioned, would also be helpful. Please write me at curtw@denmac.com or post to the list if appropriate.
Thanks
Curt Wilson
Security Engineer
Denmac Systems Inc.
curtw@denmac.com