Re: IDS for HP-UX

From: Mark Crosbie (mcrosbie@cup.hp.com)
Date: 01/11/02


From: Mark Crosbie <mcrosbie@cup.hp.com>
To: mht@clark.net
Date: 11 Jan 2002 10:33:35 -0800

On Thu, 2002-01-10 at 10:06, mht@clark.net wrote:
> Has anyone looked at or evaluated..
>
> http://www.hp.com/security/products/ids/
>
> More host-based/file integrity than Intrusion Detectionish..

Actually it *doesn't* do file-integrity a la Tripwire. It monitors
system calls from the kernel so if you attempt to change files or
directories (in any way) it will generate an alert and also fire off a
response script to allow you to recover from the change (think restoring
/bin to clean up after a rootkit installation in real-time).

As for "intrusion detectionishy" stuff we have templates that detect
unusual privilege escalations and attempted race condition exploits. The
privilege escalation template is unfortunately named "Buffer Overflow
detection" (thank you marketing :-)

But if you think about it, what most attackers do after they break in is
they create a backdoor account, a setuid root backdoor, install a
trojan rootkit or clean up logs. All of these involve modifying files so
by detecting file and directory changes in real time you can watch an
attacker as they worm their way into your system.

Enough from me, I'm almost beginning to sound like marketing now...

If you're interested in finding out more drop me a mail, or download the
product from http://software.hp.com (product number J5083AA). It's free
(as in beer).

Regards,
Mark.
 
> Thoughts, comments, critiques..
>

-- 
Mark Crosbie            IDS/9000 Product Architect
http://www.hp.com/security/products/ids
Hewlett-Packard MS 47 LA        mcrosbie@cup.hp.com
19447 Pruneridge Avenue         (408) 447-2308
Cupertino, CA 95014             (408) 447-6766 FAX
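The approach Mark describes (watch kernel-level file and directory changes as they happen, alert, and hand the alert to a response script) can be illustrated with a small detector. The block below is an added example written for this archive page; it is not code from HP's IDS/9000 product and does not use its real event format. It parses a constructed audit-style line format, flags the post-compromise actions the mail lists (writes or deletions under protected directories, granting the setuid bit, an unprivileged real uid running as effective root through a binary outside an assumed allowlist), and calls a response hook with a suggested recovery action. Protected prefixes, the setuid allowlist and the sample log are all assumptions made for the example.

```python
"""Toy real-time change/privilege detector in the spirit of the syscall
monitoring described in the mail. Log format, rules and sample events are
constructed for this example and are not IDS/9000's own."""
import re
from dataclasses import dataclass

# Constructed audit line format (assumed; not the product's real format):
#   <ts> pid=<n> uid=<n> euid=<n> syscall=<name> path=<p> [key=value ...]
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) uid=(?P<uid>\d+) euid=(?P<euid>\d+) "
    r"syscall=(?P<syscall>\w+) path=(?P<path>\S+)(?: (?P<rest>.*))?$"
)

# Locations that should not change outside maintenance (assumed list).
PROTECTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/etc/", "/var/adm/")
# Binaries legitimately allowed to run setuid-root (assumed allowlist).
KNOWN_SETUID = {"/usr/bin/passwd", "/usr/bin/su"}
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC"}
MUTATING_SYSCALLS = {"unlink", "rename", "chmod", "chown", "mkdir", "rmdir", "truncate"}


@dataclass
class Alert:
    kind: str
    path: str
    pid: int
    response: str  # what a response script would be asked to do


def parse_event(line):
    """Parse one audit line into a dict, or return None if it is malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for k in ("pid", "uid", "euid"):
        ev[k] = int(ev[k])
    # Trailing key=value pairs such as flags=... or mode=...
    extras = dict(kv.split("=", 1) for kv in (ev.pop("rest") or "").split() if "=" in kv)
    ev.update(extras)
    return ev


def is_protected(path):
    return path.startswith(PROTECTED_PREFIXES)


def evaluate(ev):
    """Return an Alert for one event, or None when nothing looks suspicious."""
    sc, path = ev["syscall"], ev["path"]
    # 1. setuid bit granted to a file: the setuid-root backdoor from the mail
    if sc == "chmod" and int(ev.get("mode", "0"), 8) & 0o4000:
        return Alert("setuid_grant", path, ev["pid"], f"chmod u-s {path}; quarantine")
    # 2. any write, rename, delete or attribute change under a protected directory
    flags = set(ev.get("flags", "").split("|"))
    mutates = (sc == "open" and bool(flags & WRITE_FLAGS)) or sc in MUTATING_SYSCALLS
    if mutates and is_protected(path):
        return Alert("protected_change", path, ev["pid"], f"restore {path} from baseline")
    # 3. unprivileged real uid with effective root via a binary not on the allowlist
    if sc == "execve" and ev["uid"] != 0 and ev["euid"] == 0 and path not in KNOWN_SETUID:
        return Alert("priv_escalation", path, ev["pid"], f"kill {ev['pid']}")
    return None


def analyze(lines, respond=None):
    """Run every line through the rules; call respond(alert) as each fires."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparseable line: skipped, not silently trusted
        alert = evaluate(ev)
        if alert:
            alerts.append(alert)
            if respond:
                respond(alert)
    return alerts


# Constructed sample events: a normal user, a legitimate setuid binary,
# then a rootkit-style sequence (escalate, replace /bin/ls, plant a setuid
# shell, delete the log) plus one malformed line and one harmless read.
SAMPLE_LOG = [
    "2002-01-11T10:33:35 pid=201 uid=1001 euid=1001 syscall=open path=/home/mht/notes.txt flags=O_WRONLY|O_CREAT",
    "2002-01-11T10:33:36 pid=202 uid=1001 euid=0 syscall=execve path=/usr/bin/passwd",
    "2002-01-11T10:33:40 pid=333 uid=1001 euid=0 syscall=execve path=/tmp/.x/sh",
    "2002-01-11T10:33:41 pid=333 uid=0 euid=0 syscall=open path=/bin/ls flags=O_WRONLY|O_TRUNC",
    "2002-01-11T10:33:42 pid=333 uid=0 euid=0 syscall=chmod path=/tmp/.x/sh mode=04755",
    "2002-01-11T10:33:43 pid=333 uid=0 euid=0 syscall=unlink path=/var/adm/syslog",
    "this line is not an audit record",
    "2002-01-11T10:33:44 pid=204 uid=1001 euid=1001 syscall=open path=/etc/passwd flags=O_RDONLY",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG, respond=lambda a: print("RESPONSE:", a.response)):
        print(f"{a.kind:17} pid={a.pid} {a.path}")
```

Running the module prints four alerts for the rootkit sequence and nothing for the ordinary write, the allowlisted `passwd` run, the read of `/etc/passwd` or the malformed line. The response string is only a suggestion handed to the hook; a real deployment would map it to a vetted script, and the allowlist and protected-prefix tables would come from the host's own baseline rather than the constants assumed here.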