RE: Looking for Host Based IDS

From: George Milliken (gmilliken@farm9.com)
Date: 12/17/01


From: "George Milliken" <gmilliken@farm9.com>
To: "'Greg Shipley'" <gshipley@neohapsis.com>, "'Guy Fighel'" <GuyF@xpert.com>
Date: Mon, 17 Dec 2001 09:32:49 -0800

We have found Stormwatch to work well in protecting NT systems / Win2K.
Particularly when they are down a level on service packs.

It hooks the system calls and checks them against a policy, trapping
bad behaviors instead of inbound signatures of bad code/data.

We have found in testing that a default Win2K box (no service packs)
stops Nimda / Code Red cold if Okena is running. AV only stops it if it
matches the exact signature.

This is intrusion prevention, not detection per se. Although of course,
the logs are written so you can detect the event.

We are biased. We are an Okena reseller.

Regards,

George Milliken, CEO
------------------------------------------------------
farm9 Managed Security Solutions
http://www.farm9.com
------------------------------------------------------

-----Original Message-----
From: Greg Shipley [mailto:gshipley@neohapsis.com]
Sent: Monday, December 17, 2001 9:02 AM
To: Guy Fighel
Cc: focus-ids@securityfocus.com
Subject: Re: Looking for Host Based IDS

On Mon, 17 Dec 2001, Guy Fighel wrote:

> Can someone recommend a good Host Based IDS that looks for
> suspicious operating system processes? I need the ability to write a
> specific policy for specific system processes and need the IDS to
> report any modifications.

While I wouldn't classify it as an IDS, Okena's "Storm Watch" product
gives you the ability to monitor system calls and alert/block actions
that go outside the process' "profile." It does not look for rogue
processes, but you can create policies that watch all existing
processes. It's a cool concept, although I think it's only available on
NT/2000 right now.

You might want to check it out, depending on what you are trying to do.

-Greg
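The behaviour-based model described in both messages above (intercept calls, compare them with a per-process profile, block and log anything outside it, no malware signature consulted) as an added Python example; it is not Okena/StormWatch code, and the process names, call names and paths are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from fnmatch import fnmatch

@dataclass
class Profile:
    """What one process image is expected to do; anything else is blocked."""
    allowed_calls: set[str]                                  # calls it may make
    writable_paths: list[str] = field(default_factory=list)  # glob patterns
    spawnable: list[str] = field(default_factory=list)       # child images

@dataclass
class Event:
    """One intercepted call: the process that made it and what it touches."""
    process: str
    call: str         # e.g. "ReadFile", "WriteFile", "CreateProcess", "connect"
    target: str = ""  # path, child image or address

def evaluate(profiles: dict[str, Profile], ev: Event) -> tuple[str, str]:
    """Return ("allow" | "block", reason): only deviation from the profile counts."""
    prof = profiles.get(ev.process)
    if prof is None:                      # unprofiled process: not watched
        return "allow", "no profile for process"
    if ev.call not in prof.allowed_calls:
        return "block", f"{ev.call} outside profile"
    if ev.call == "WriteFile" and not any(
            fnmatch(ev.target.lower(), p) for p in prof.writable_paths):
        return "block", f"write outside allowed paths: {ev.target}"
    if ev.call == "CreateProcess" and ev.target.lower() not in prof.spawnable:
        return "block", f"unexpected child process: {ev.target}"
    return "allow", "within profile"

def run(profiles: dict[str, Profile], events: list[Event]) -> list[str]:
    log = []                              # audit trail, so events stay detectable
    for ev in events:
        verdict, reason = evaluate(profiles, ev)
        log.append(f"{verdict.upper():5} {ev.process} {ev.call} {ev.target} -- {reason}")
    return log

# Constructed profile: a web server that should only serve files and write its logs.
PROFILES = {"webserver.exe": Profile(
    allowed_calls={"ReadFile", "WriteFile", "accept", "recv", "send"},
    writable_paths=["c:/inetpub/logs/*"], spawnable=[])}
# Constructed events: two normal, then worm-like (shell spawn, system-dir write).
SAMPLE_EVENTS = [
    Event("webserver.exe", "ReadFile", "c:/inetpub/wwwroot/default.htm"),
    Event("webserver.exe", "WriteFile", "c:/inetpub/logs/ex011217.log"),
    Event("webserver.exe", "CreateProcess", "cmd.exe"),
    Event("webserver.exe", "WriteFile", "c:/winnt/system32/dropped.dll"),
    Event("explorer.exe", "CreateProcess", "notepad.exe"),
]
```

Running `run(PROFILES, SAMPLE_EVENTS)` blocks the shell spawn and the write into the system directory without knowing which worm caused them, which is the point George makes about Nimda/Code Red on an unpatched box.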

