RE: Host based IDS methodology and testing
From: Abe L. Getchell (abegetchell@home.com)
Date: 10/27/01
- Previous message: Curt Wilson: "Host based IDS methodology and testing"
- In reply to: Curt Wilson: "Host based IDS methodology and testing"
- Next in thread: Michael Coliton: "Re: Host based IDS methodology and testing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Abe L. Getchell" <abegetchell@home.com>
To: "Curt Wilson" <cwilson@denmac.com>
Subject: RE: Host based IDS methodology and testing
Date: Sat, 27 Oct 2001 16:51:22 -0400
Message-ID: <KGEFLOCBFLJIAFPNJMHDOEJCCAAA.abegetchell@home.com>
Hi Curt,
I've successfully deployed Snort as a HIDS on a number of production servers
ranging from Windows 2000 to Red Hat Linux boxes. Snort works great in this
role, but being somewhat of a raw tool 'out of the box' can make centralized
administration and management (log collection, signature synchronization,
etc.) a chore in a large deployment.
That being said, I'm currently working on a set of tools to aid the
administration and management of Snort in a HIDS setup, for large
deployments, across a diverse set of platforms. Said tools are written in
Java, as it was the only language which met the requirements for what I am
trying to accomplish. I'm about 75% done with these tools (the
functionality is there, now I just need to add crypto and authentication
mechanisms) and will most likely make them publicly available when I'm
finished if there's enough interest.
Your basic requirements for a HIDS (cover a broad range of attacks and run
on multiple platforms) are almost identical to what my organization's
basic requirements were when we were evaluating products. We found that
Snort best fit what we were looking for... and had the added benefit of
being free. =)
Happy testing.
Thanks,
Abe
--
Abe L. Getchell
Security Engineer
abegetchell@home.com

> -----Original Message-----
> From: Curt Wilson [mailto:cwilson@denmac.com]
> Sent: Friday, October 26, 2001 4:20 PM
> To: focus-ids@securityfocus.com
> Subject: Host based IDS methodology and testing
>
> We are in the process of reviewing various host based IDS tools.
> So far, we've taken a look at Entercept (The Cisco version) and
> are preparing to look at NetworkIce/ISS, and NFR Secure Log
> Repository (SLR). Entercept and BlackIce seem to take a step
> beyond the detection methodology and actually prevent attacks.
> Then there are specific tools for IIS, such as SecureIIS and
> urlscan, but we want something more broad that can cover more
> ground. Ideally, the tool would work on nt/2k, and various
> flavors of unix.
>
> In this process, I would like to put together or find a
> methodology that others have used to test host based IDS. If I
> can't find one I'll make one myself, but wanted to avoid
> recreating the wheel if possible.
>
> Any production experience with any of the above products, or any
> host ids products not mentioned, would also be helpful. Please
> write me at curtw@denmac.com or post to the list if appropriate.
>
> Thanks
>
> Curt Wilson
> Security Engineer
> Denmac Systems Inc.
> curtw@denmac.com
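Abe's point about centralized log collection and signature synchronization being the chore in a large Snort-as-HIDS deployment is easy to see in code. The following is an added example, not part of this thread and not Abe's Java tooling: a small Python collector that parses Snort "fast" alert lines gathered from several hosts, counts alerts per host and signature, and flags signatures whose revision number differs between hosts, which is the kind of rule-set drift that signature synchronization is meant to prevent. The host names, the log lines and the SID/rev values in SAMPLE_LOGS are constructed for the example; the line format follows Snort's fast alert output, in which the Classification and Priority fields are absent for rules without a classtype.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Snort "fast" alert line. The year in the timestamp, the Classification
# block, the Priority block and the ports are all optional in real output.
FAST_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}(?:/\d{2,4})?-\d{2}:\d{2}:\d{2}\.\d+)\s+'
    r'\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s*'
    r'(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s*)?'
    r'(?:\[Priority:\s*(?P<pri>\d+)\]\s*)?'
    r'\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[0-9.]+?)(?::(?P<sport>\d+))?\s+->\s+'
    r'(?P<dst>[0-9.]+?)(?::(?P<dport>\d+))?\s*$'
)


@dataclass(frozen=True)
class Alert:
    host: str            # the sensor host the line was collected from
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_fast_line(host: str, line: str) -> Optional[Alert]:
    """Parse one fast-format alert line; return None for lines that do not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Alert(
        host=host, ts=g["ts"], gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["cls"],
        priority=int(g["pri"]) if g["pri"] else None,
        proto=g["proto"], src=g["src"],
        sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
    )


def collect(logs: Dict[str, Iterable[str]]) -> Tuple[List[Alert], Dict[str, int]]:
    """Parse alert lines from every host; count unparseable lines per host
    instead of dropping them silently, so a format change on one sensor is visible."""
    alerts: List[Alert] = []
    rejected: Counter = Counter()
    for host, lines in logs.items():
        for line in lines:
            if not line.strip():
                continue
            alert = parse_fast_line(host, line)
            if alert is None:
                rejected[host] += 1
            else:
                alerts.append(alert)
    return alerts, dict(rejected)


def summarize(alerts: Iterable[Alert]) -> Counter:
    """Alert count keyed by (host, sid), the first thing an operator wants per sensor."""
    return Counter((a.host, a.sid) for a in alerts)


def find_rev_mismatches(alerts: Iterable[Alert]) -> Dict[int, Dict[str, int]]:
    """Signatures reported with different revisions on different hosts.
    A mismatch means the hosts are not running the same rule set."""
    seen: Dict[int, Dict[str, int]] = defaultdict(dict)
    for a in alerts:
        seen[a.sid][a.host] = a.rev
    return {sid: hosts for sid, hosts in seen.items() if len(set(hosts.values())) > 1}


# Constructed sample input: two sensor hosts, one malformed line, one alert
# without classtype, and SID 1256 at rev 2 on web01 but rev 3 on db01.
SAMPLE_LOGS: Dict[str, List[str]] = {
    "web01": [
        "10/26-16:20:01.123456  [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**] "
        "[Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:1034 -> 192.0.2.20:80",
        "10/26-16:20:05.000001  [**] [1:469:1] ICMP PING NMAP [**] "
        "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 192.0.2.20",
        "this line is not a Snort alert",
    ],
    "db01": [
        "10/26-16:21:00.000000  [**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**] "
        "[Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:1040 -> 192.0.2.30:80",
        "10/26-16:21:02.000000  [**] [1:1000001:1] LOCAL test rule [**] {TCP} 192.0.2.10:1041 -> 192.0.2.30:22",
    ],
}

if __name__ == "__main__":
    found, bad = collect(SAMPLE_LOGS)
    print("alerts per (host, sid):", dict(summarize(found)))
    print("unparsed lines per host:", bad)
    print("signature revision drift:", find_rev_mismatches(found))
```

The revision check only works for signatures that have actually fired on more than one host, so it is a cheap cross-check on top of real synchronization (comparing rule file hashes), not a replacement for it.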