Re: IDS for HP-UX
From: Mark Crosbie (mcrosbie@cup.hp.com) Date: 01/12/02
From: Mark Crosbie <mcrosbie@cup.hp.com>
To: Allovair Entellon <allovair@yahoo.com>
Date: 11 Jan 2002 15:22:37 -0800
On Fri, 2002-01-11 at 10:43, Allovair Entellon wrote:
> We had hoped so as well, but appearances seemed to be
> deceiving... If it doesn't show up in a parseable log
> file, it doesn't get detected. Look here in the white
> paper:
Hmm, maybe our whitepaper misrepresents the product's design. I think
item #1 in the list below points to the in-kernel data source that
is unique to IDS/9000.
More details on the audit system and what it does can be found in our
paper submitted to last year's RAID conference:
http://www.raid-symposium.org/raid2001/program.html
We're the first bullet entry: "A Building Block Approach to Intrusion
Detection".
The other two items refer to log files which as you point out, can be
handled just as easily with swatch or any other log watcher tool.
Hope this clarifies things.
Regards,
Mark.
> Data sources monitored by the IDS/9000 on the host
> include:
>
> 1. Kernel audit data that is generated by a trusted
> component of the operating system. It includes
> analyzing system calls including parameters and
> outcomes.
> 2. System log files are monitored because they
> contain data on login/logout, commands executed by
> users; reports from network service daemons and
> records of HTTP and FTP file transfers.
> 3. Database server or other application server logs
> are analyzed for their data on activity. This enables
> detection of well-known attacks.
>
> --- mht@clark.net wrote:
> > It looked like a lot more than a fancy UI running
> > swatch underneath it. It
> > appears that it interoperates with the HP-UX a lot
> > stronger than
> > configuring swatch. ??
> >
> > /m
> >
> > At 08:55 AM 1/11/2002 -0800, Allovair Entellon
> > wrote:
> > >I've looked at this in the past. Our conclusion
> > was
> > >that calling it a Host-based intrusion detection
> > >system was unfair, given how the product operated.
> > >You could duplicate 95% of the functionality with
> > >swatch and a good config file.
> >
>
>
--
Mark Crosbie                IDS/9000 Product Architect
                            http://www.hp.com/security/products/ids
Hewlett-Packard MS 47 LA    mcrosbie@cup.hp.com
19447 Pruneridge Avenue     (408) 447-2308
Cupertino, CA 95014         (408) 447-6766 FAX
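Added example, not part of the original thread and not HP's code: the two kinds of data source Mark contrasts above, side by side. A swatch-style regex pass runs over constructed syslog lines (data source 2), and a rule pass runs over constructed per-system-call audit records that carry the call's parameters and outcome (data source 1). The record layout, the sample events, the paths and the rule names are all assumptions made for this example; the layout is not the HP-UX audit-trail format and the rules are not IDS/9000's own.

```python
"""Added example, not HP's code: contrasts a log watcher with rules over
kernel audit records that carry system-call parameters and outcomes."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ---- Data source 2: system log files, the kind swatch reads ----------------
# Constructed syslog lines for this example; not captured from a real HP-UX host.
SYSLOG_SAMPLE = [
    "Jan 11 10:43:01 hpbox sshd[2211]: Accepted password for alice from 10.0.0.5 port 40112 ssh2",
    "Jan 11 10:43:15 hpbox su: + ttyp1 alice-root",
    "Jan 11 10:44:02 hpbox su: - ttyp2 bob-root",
    "Jan 11 10:44:03 hpbox su: - ttyp2 bob-root",
    "Jan 11 10:44:04 hpbox su: - ttyp2 bob-root",
]

# swatch-style rule table: one regex per line, fire on match.
LOG_RULES: List[Tuple[str, re.Pattern]] = [
    ("failed su to root", re.compile(r" su: - \S+ (\S+)-root$")),
]


def watch_log(lines: List[str]) -> List[str]:
    """Scan each log line against LOG_RULES. Only events that some daemon
    chose to write to a log file can ever be seen here."""
    alerts = []
    for line in lines:
        for name, pat in LOG_RULES:
            m = pat.search(line)
            if m:
                alerts.append(f"{name}: user={m.group(1)}")
    return alerts


# ---- Data source 1: kernel audit records, one per system call --------------
@dataclass(frozen=True)
class AuditRecord:
    pid: int
    uid: int        # real uid of the caller
    euid: int       # effective uid at the time of the call
    syscall: str
    args: tuple     # the call's parameters as the kernel saw them
    outcome: int    # 0 on success, errno-style code on failure


# Constructed records; the layout is assumed for this example and is not the
# HP-UX audit-trail format. uid 1001 stands for "bob", uid 0 for root.
AUDIT_SAMPLE = [
    AuditRecord(3100, 1001, 1001, "open",   ("/etc/shadow", "O_RDONLY"), 13),  # EACCES
    AuditRecord(3100, 1001, 1001, "open",   ("/etc/passwd", "O_RDONLY"), 0),   # benign
    AuditRecord(3100, 1001, 1001, "execve", ("/tmp/.x/sh",), 0),
    AuditRecord(3102,    0,    0, "chmod",  ("/usr/local/bin/helper", 0o4755), 0),
    AuditRecord(3103, 1001, 1001, "chmod",  ("/home/bob/a.out", 0o4755), 0),
]


def audit_rules(records: List[AuditRecord]) -> List[str]:
    """Rules that need the parameters and the outcome of the call itself.
    None of these events is written to syslog by any daemon, so the log
    watcher above never sees them."""
    alerts = []
    for r in records:
        # A denied read is a probe; a successful one with non-root euid is a breach.
        if r.syscall == "open" and r.args[0] == "/etc/shadow" and r.euid != 0:
            status = "denied" if r.outcome != 0 else "SUCCEEDED"
            alerts.append(f"shadow open by uid {r.uid} pid {r.pid}: {status}")
        # Successful exec of a binary living in a world-writable directory.
        if r.syscall == "execve" and r.outcome == 0 and r.args[0].startswith("/tmp/"):
            alerts.append(f"exec from /tmp by uid {r.uid} pid {r.pid}: {r.args[0]}")
        # Setuid bit set: the mode argument is what distinguishes this chmod.
        if r.syscall == "chmod" and r.outcome == 0 and (r.args[1] & 0o4000):
            alerts.append(f"setuid bit set on {r.args[0]} by uid {r.uid} pid {r.pid}")
    return alerts


def run_both() -> Dict[str, List[str]]:
    """Run both passes over the constructed samples and return their alerts."""
    return {"log_alerts": watch_log(SYSLOG_SAMPLE),
            "audit_alerts": audit_rules(AUDIT_SAMPLE)}


if __name__ == "__main__":
    for source, alerts in run_both().items():
        print(source)
        for a in alerts:
            print("  " + a)
```

The log pass only fires because su writes a line for each failed attempt; the failed read of /etc/shadow, the exec out of /tmp and the setuid chmod leave nothing in syslog at all, and the audit pass can tell a denied probe from a successful read only because the record carries the call's outcome alongside its arguments.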