Re: Looking for Host Based IDS
From: Mark Crosbie (mcrosbie@cup.hp.com) Date: 12/17/01
- Previous message: Chris Ess: "Re: Looking for Host Based IDS"
- In reply to: Greg Shipley: "Re: Looking for Host Based IDS"
- Next in thread: Matt.Carpenter@alticor.com: "RE: Looking for Host Based IDS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Mark Crosbie <mcrosbie@cup.hp.com> To: Greg Shipley <gshipley@neohapsis.com> Date: 17 Dec 2001 14:16:36 -0800
On Mon, 2001-12-17 at 13:03, Greg Shipley wrote:
Ok, this time I'll reply to the list...
> But do either of these watch processes, which I believe was Guy's original
> question/requirement? I was under the impression that these are just log
They don't watch processes, only the (hopefully) logged outcome of the
process's actions.
I pointed Guy to HP IDS/9000 which does watch each process executing on
the system (actually it watches the system calls, but the analogy is
close enough). It can detect, for example, a process deleting the
password file or installing a rootkit. It can also detect the likely
outcome of buffer overflow attacks.
Disclaimer: I designed and wrote most of IDS/9000, so of course I'm
biased :-)
Cheers,
Mark.
> -Greg
>
--
Mark Crosbie, IDS/9000 Product Architect
http://www.hp.com/security/products/ids
Hewlett-Packard, MS 47 LA
19447 Pruneridge Avenue, Cupertino, CA 95014
mcrosbie@cup.hp.com
(408) 447-2308
(408) 447-6766 FAX
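To make the distinction in the message above concrete (a log-based HIDS sees only what a process chooses to log; a system-call-based HIDS sees the call itself), here is a toy system-call monitor in Python. It is an added example, not HP code and not the IDS/9000 trace format, which the post does not describe. The record format, the rule sets, the HP-UX kernel paths `/stand/` and `/usr/conf/`, the `swinstall` allowlist entry and the sample trace are all constructed assumptions for illustration. It implements the three detections the post names: removal of the password file, writes into kernel locations (a rootkit install), and a network daemon executing a shell, which is the likely outcome of a successful buffer overflow.

```python
"""Toy system-call-based HIDS (constructed example, not HP IDS/9000).

Each record in the trace is one system call made by one process. The monitor
inspects the call as it happens rather than waiting for an application log
line, so a process that deletes /etc/passwd is caught even if it logs nothing.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class SyscallEvent:
    pid: int
    comm: str        # program image name
    uid: int         # effective uid
    syscall: str     # unlink, rename, open, creat, execve, ...
    arg: str         # primary path argument
    flags: str = ""  # open(2) flags, when the record carries them


@dataclass(frozen=True)
class Alert:
    pid: int
    comm: str
    rule: str
    detail: str


# Rule 1: files no process should remove or rename (constructed list).
PROTECTED_FILES = {"/etc/passwd", "/etc/shadow", "/etc/group"}
# Rule 2: kernel locations a rootkit would write to (assumed HP-UX paths)
# and the installer allowed to touch them (assumption: swinstall).
KERNEL_PATHS = ("/stand/", "/usr/conf/")
INSTALLERS = {"swinstall"}
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT")
# Rule 3: network-facing daemons that should never exec a shell.
NETWORK_DAEMONS = {"inetd", "ftpd", "telnetd", "httpd", "sendmail"}
SHELLS = {"/bin/sh", "/usr/bin/sh", "/bin/ksh", "/bin/csh"}


def parse_trace_line(line: str) -> Optional[SyscallEvent]:
    """Parse 'pid=<n> comm=<name> uid=<n> syscall=<name> arg=<path> [flags=<f>]'.
    Returns None for blank or malformed records so one bad line cannot
    stop the monitor."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    try:
        return SyscallEvent(
            pid=int(fields["pid"]), comm=fields["comm"], uid=int(fields["uid"]),
            syscall=fields["syscall"], arg=fields["arg"], flags=fields.get("flags", ""),
        )
    except (KeyError, ValueError):
        return None


def check_event(ev: SyscallEvent) -> Optional[Alert]:
    """Apply the three rules to one system call; first match wins."""
    if ev.syscall in ("unlink", "rename") and ev.arg in PROTECTED_FILES:
        return Alert(ev.pid, ev.comm, "protected-file-removal", f"{ev.syscall}({ev.arg})")
    is_write = ev.syscall == "creat" or (
        ev.syscall == "open" and any(f in ev.flags for f in WRITE_FLAGS))
    if is_write and ev.arg.startswith(KERNEL_PATHS) and ev.comm not in INSTALLERS:
        return Alert(ev.pid, ev.comm, "kernel-path-write", f"{ev.syscall}({ev.arg})")
    if ev.syscall == "execve" and ev.comm in NETWORK_DAEMONS and ev.arg in SHELLS:
        return Alert(ev.pid, ev.comm, "daemon-spawned-shell", f"execve({ev.arg})")
    return None


def run_monitor(trace_lines: Iterable[str]) -> List[Alert]:
    """Run every rule over every parseable record and collect the alerts."""
    alerts: List[Alert] = []
    for line in trace_lines:
        ev = parse_trace_line(line)
        if ev is None:
            continue
        alert = check_event(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample trace: one benign edit, three attacks, one read by a
# daemon, one malformed record, one legitimate installer write.
SAMPLE_TRACE = """\
pid=101 comm=vi uid=1000 syscall=open arg=/home/alice/notes.txt flags=O_RDWR
pid=207 comm=sh uid=0 syscall=unlink arg=/etc/passwd
pid=312 comm=ftpd uid=0 syscall=execve arg=/bin/sh
pid=415 comm=cp uid=0 syscall=open arg=/usr/conf/lib/newmod.so flags=O_WRONLY|O_CREAT
pid=520 comm=httpd uid=1 syscall=open arg=/var/www/index.html flags=O_RDONLY
garbage line
pid=601 comm=swinstall uid=0 syscall=open arg=/usr/conf/lib/libhp.so flags=O_WRONLY
"""

if __name__ == "__main__":
    for a in run_monitor(SAMPLE_TRACE.splitlines()):
        print(f"ALERT pid={a.pid} comm={a.comm} rule={a.rule} {a.detail}")
```

Run against the sample trace it raises exactly three alerts (pids 207, 312 and 415) and stays silent on the editor, the daemon's read-only open and the allowlisted installer. The third rule is the one a log watcher cannot reproduce: nothing in ftpd's own log says it just executed `/bin/sh`, but the execve call is visible to a system-call monitor regardless of what the exploited program does afterwards.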