Re: IDS for HP-UX
From: mht@clark.net
Date: 01/11/02
- Previous message: Mark Crosbie: "Re: IDS for HP-UX"
- In reply to: Mark Crosbie: "Re: IDS for HP-UX"
- Next in thread: Allovair Entellon: "Re: IDS for HP-UX"
- Reply: Allovair Entellon: "Re: IDS for HP-UX"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 11 Jan 2002 11:08:20 -0800
To: Mark Crosbie <mcrosbie@cup.hp.com>
From: mht@clark.net
At 11:03 AM 1/11/2002 -0800, Mark Crosbie wrote:
On Fri, 2002-01-11 at 10:22, mht@clark.net wrote:
> It looked like a lot more than a fancy UI running swatch underneath it. It
> appears that it interoperates with the HP-UX a lot stronger than
> configuring swatch. ??
My comments were back to the previous poster. I worded my reply wrongly;
what I meant was that it looked a bit more fancy than just a fancy UI with
swatch underneath.
The marketing fluff is a little bit lacking in technical depth, but
compared to some products in other spaces it isn't that bad overall, and a
lot easier to navigate through than some other products in the software
testing space. ;)
/m
Ouch! That hurt! Yes, it is a lot more complex than just running swatch
on a logfile.
It uses system call audit data derived from a special audit subsystem in
the HPUX kernel (NOT the standard C2 audit system). The system call
header information and arguments are gathered and analyzed in near
real-time by our product to determine if a vulnerability exploit
occurred.
Notice I say "near real-time": it does not use any hard real-time
features of HPUX. Also I said "vulnerability exploit", not attack. The
product detects the building-blocks of attacks, not the latest
attack-du-jour from Bugtraq.
While swatch is an excellent tool (I use it myself), you can't use it to
analyze data that doesn't exist. No log file (that I know of on UNIX) is
going to tell you that process id 12345 modified /etc/passwd by system
call truncate() using the program /bin/vi with arguments "/bin/vi
passwd" running as user 405 on tty 3. That's what IDS/9000 can do.
So while on the surface it would appear that IDS/9000 looks like a fancy
GUI over swatch, as you dig deeper into what the product does you may
realize that it is a lot more powerful.
If you don't realize this then we have done a poor job of documenting
IDS/9000. Let me know if we need to beef up our outrageous marketing
claims :-)
Regards,
Mark.
> /m
>
> At 08:55 AM 1/11/2002 -0800, Allovair Entellon wrote:
> >I've looked at this in the past. Our conclusion was
> >that calling it a Host-based intrusion detection
> >system was unfair, given how the product operated.
> >You could duplicate 95% of the functionality with
> >swatch and a good config file.
>
--
Mark Crosbie, IDS/9000 Product Architect
Hewlett-Packard, MS 47 LA
19447 Pruneridge Avenue
Cupertino, CA 95014
http://www.hp.com/security/products/ids
mcrosbie@cup.hp.com
(408) 447-2308
(408) 447-6766 FAX
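The kind of analysis Mark describes above (kernel system-call audit records carrying pid, uid, tty, program, arguments, syscall and target path, checked for attack building blocks rather than signatures) can be illustrated with a small detector. The following is an added example and is not IDS/9000 code; the key=value audit record format, the list of sensitive files and the set of approved editing programs are all assumptions made for this example, and the audit lines are constructed to match the scenario in the thread.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# System calls that replace or alter a file's contents or metadata (assumed names).
WRITE_SYSCALLS = {"open_wronly", "truncate", "ftruncate", "rename",
                  "unlink", "chmod", "chown"}

# Security-critical files: modifying one of these is a building block of
# many attacks, regardless of which exploit got the attacker there.
SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow", "/etc/group", "/etc/inetd.conf"}

# Programs expected to update those files legitimately (an assumption for
# this example; a real deployment would tune this list per host).
ALLOWED_EDITORS = {"/usr/sbin/useradd", "/usr/sbin/userdel",
                   "/usr/bin/passwd", "/usr/sbin/vipw"}


@dataclass
class AuditRecord:
    """One kernel audit event: the fields the thread says a log file lacks."""
    pid: int
    uid: int
    tty: str
    program: str
    args: str
    syscall: str
    path: str


def parse_record(line: str) -> Optional[AuditRecord]:
    """Parse one key=value audit line (constructed format); None if malformed."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):          # shlex keeps quoted args together
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    try:
        return AuditRecord(pid=int(fields["pid"]), uid=int(fields["uid"]),
                           tty=fields["tty"], program=fields["prog"],
                           args=fields["args"], syscall=fields["sc"],
                           path=fields["path"])
    except (KeyError, ValueError):
        return None


def check_sensitive_write(rec: AuditRecord) -> Optional[Dict[str, object]]:
    """Rule: a write-class syscall on a sensitive file by an unapproved program.

    A non-root uid doing this is rated high (it should not have been possible
    without some privilege escalation); root with an ad-hoc editor is medium.
    """
    if rec.syscall not in WRITE_SYSCALLS or rec.path not in SENSITIVE_FILES:
        return None
    if rec.program in ALLOWED_EDITORS:
        return None
    severity = "high" if rec.uid != 0 else "medium"
    message = (f'process id {rec.pid} modified {rec.path} by system call '
               f'{rec.syscall}() using the program {rec.program} with arguments '
               f'"{rec.args}" running as user {rec.uid} on {rec.tty}')
    return {"pid": rec.pid, "uid": rec.uid, "path": rec.path,
            "syscall": rec.syscall, "severity": severity, "message": message}


def analyze(lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over a stream of audit lines; skip malformed records."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        alert = check_sensitive_write(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed audit records for the example (not real IDS/9000 output).
SAMPLE_AUDIT = [
    'pid=12345 uid=405 tty=tty3 prog=/bin/vi args="/bin/vi passwd" sc=truncate path=/etc/passwd',
    'pid=2001 uid=0 tty=console prog=/usr/bin/passwd args="passwd bob" sc=rename path=/etc/passwd',
    'pid=2002 uid=0 tty=tty1 prog=/bin/vi args="/bin/vi /etc/inetd.conf" sc=truncate path=/etc/inetd.conf',
    'pid=2003 uid=405 tty=tty3 prog=/bin/cat args="cat /etc/passwd" sc=open_rdonly path=/etc/passwd',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_AUDIT):
        print(f'[{alert["severity"]}] {alert["message"]}')
```

The first sample line reproduces the thread's scenario and is the only high-severity hit; the `passwd` invocation is approved and the `cat` is a read, so neither alerts. The point of keeping the rule keyed on syscall, path and program rather than on a known exploit string is exactly the distinction Mark draws between detecting building blocks and chasing the attack of the day.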