Re: Host based IDS methodology and testing

From: Michael Coliton (mcoliton@twmi.rr.com)
Date: 10/29/01


Message-ID: <008501c16020$4d2d29f0$2ceca918@atllt0101>
From: "Michael Coliton" <mcoliton@twmi.rr.com>
To: "Curt Wilson" <cwilson@denmac.com>, <focus-ids@securityfocus.com>
Subject: Re: Host based IDS methodology and testing
Date: Sun, 28 Oct 2001 21:20:36 -0500

Curt,

I've been involved with multiple HIDS products. There are some fine
products out there. I would first focus on the areas of OS support and
scalability. First start by determining the products that support all
of your OSes, or at least all of your critical OSes. Then understand the
scalability behind each product set. There are some fine mature
enterprise HIDS on the market that I see were not mentioned.

Two you may wish to consider are Enterasys Dragon, and Symantec (formerly
Axent) ITA. Dragon has a nice interface with its NIDS, while I don't
recall any product scaling up to ITA.

If you do have the time, check out Snort. You will need to do some
engineering for a host environment, but Marty Roesch (developer of Snort)
has started his own business www.Sourcefire.com and may be able to provide
help for you. I know it's something I would do if I were in your shoes.

Good luck,

----- Original Message -----
From: "Curt Wilson" <cwilson@denmac.com>
To: <focus-ids@securityfocus.com>
Sent: Friday, October 26, 2001 3:20 PM
Subject: Host based IDS methodology and testing

We are in the process of reviewing various host based IDS tools. So far,
we've taken a look at Entercept (The Cisco version) and are preparing to
look at NetworkIce/ISS, and NFR Secure Log Repository (SLR). Entercept and
BlackIce seem to take a step beyond the detection methodology and actually
prevent attacks. Then there are specific tools for IIS, such as SecureIIS
and urlscan, but we want something more broad that can cover more ground.
Ideally, the tool would work on nt/2k, and various flavors of unix.

In this process, I would like to put together or find a methodology that
others have used to test host based IDS. If I can't find one I'll make one
myself, but wanted to avoid recreating the wheel if possible.

Any production experience with any of the above products, or any host ids
products not mentioned, would also be helpful. Please write me at
curtw@denmac.com or post to the list if appropriate.

Thanks

Curt Wilson
Security Engineer
Denmac Systems Inc.
curtw@denmac.com