Intrusion Detection Server
From: Dale.Drew@Level3.com
To: focus-ids@securityfocus.com
Date: Thu, 27 Jun 2002 10:20:26 -0600
I've recently released several security toolsets. One of those tools, APE
(Anomaly Policy Engine), might be of interest to this list.
APE is a lightweight, but sophisticated, Policy Engine that can be
used to monitor log files from a central location. It is intended as
a replacement for a commercial solution for small enterprises, ISP
networks or large home networks. :)
APE is currently used in several business and home environments.
One such environment analyzes over 10 million log messages a day.
APE Supports:
- Timers and Counters
If you see 5 X in 6 minutes
- Actions
If you see 5 X in 6 minutes, then do A, B and C
- Multiple patterns for a policy rule
If you see 5 ((X and Y) or Z)
- Multiple dependent policies
If you see 5 X in 6 minutes then do A and B, then look for Z and
perform C and D and E
- Actions
APE supports multiple actions when a policy is triggered, and it's
easy to add your own logic. Actions include:
EMAIL - with special logic for subject and body text
PAGE - send a text page
LOG - save policy and/or raw data to a log file
FINGER - finger the host (source and/or destination) of the attack
RESETCOUNTER - Reset the timer and count timers for the policy
- Correlation
Since the APE policy engine is variable-based, you can create
correlation rules. This allows you to create multiple rulesets for the same
raw anomaly message. For example:
- If you see 5 "su root" failures from system X in 6 minutes...
- If you see 10 "su root" failures from any system in 15 minutes...
- If you see 15 "su" failures for any user on system X in 10 minutes...
- If you see 20 "su" failures for any user on all systems in 15 minutes...
This adds a significant amount of flexibility and power in trying to reduce
false positives, especially if you are dealing with a significant amount of
log data.
- Summary Logging
APE also provides a function called Summary logging which can be
used to save the minimum amount of data for triggered policies.
APE is available at http://www.hackertracker.org/cst/cst.html. You may also
want to check out Logmon - used to send log files from remote systems to a
centralized collector.
dale
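The timer/counter threshold and the variable-based correlation rules described in the post, as an added example that is not APE's own code and not from the author: a minimal sliding-window policy engine in Python, run over constructed su(1) failure lines. The syslog message format, the sample hosts and users, the rule names, and the Policy/run_engine/make_policies helpers are all assumptions of this example, not APE's configuration syntax or output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real data): a fast burst of failed
# "su root" attempts on hostA, a slower series on hostB that stays under the
# per-host threshold, and one unrelated sshd line that no policy should match.
SAMPLE_LOG = """\
Jun 27 10:00:01 hostA su[1201]: FAILED su for root by alice
Jun 27 10:01:10 hostA su[1202]: FAILED su for root by alice
Jun 27 10:02:15 hostA su[1203]: FAILED su for root by alice
Jun 27 10:03:20 hostA su[1204]: FAILED su for root by alice
Jun 27 10:04:05 hostA su[1205]: FAILED su for root by alice
Jun 27 10:05:00 hostB su[3301]: FAILED su for root by bob
Jun 27 10:06:00 hostB su[3302]: FAILED su for root by bob
Jun 27 10:07:00 hostB su[3303]: FAILED su for root by bob
Jun 27 10:08:00 hostB su[3304]: FAILED su for root by bob
Jun 27 10:09:00 hostB sshd[3400]: Accepted publickey for carol from 10.0.0.7
Jun 27 10:12:00 hostB su[3305]: FAILED su for root by bob
Jun 27 10:20:00 hostA su[1206]: FAILED su for root by alice
"""

# Assumed message format for this example; adapt the regex to what your su(1) logs.
SU_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su\[\d+\]: "
    r"FAILED su for (?P<target>\S+) by (?P<user>\S+)$"
)


def parse_line(line, year=2002):
    """Turn one syslog line into an event dict, or None if it is not an su failure."""
    m = SU_FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "target": m.group("target"),
            "user": m.group("user")}


class Policy:
    """'If you see COUNT matching events within WINDOW minutes, fire.'

    match: field -> required value; fields not listed match anything.
    key:   fields whose values are counted separately (the correlation
           variable), e.g. ("host",) counts per host; () is one global counter.
    """

    def __init__(self, name, match, key, count, window_minutes):
        self.name, self.match, self.key, self.count = name, match, key, count
        self.window = timedelta(minutes=window_minutes)
        self.buckets = defaultdict(deque)  # key tuple -> timestamps inside window

    def feed(self, ev):
        if any(ev.get(f) != v for f, v in self.match.items()):
            return None
        k = tuple(ev[f] for f in self.key)
        q = self.buckets[k]
        q.append(ev["ts"])
        # Timer: drop timestamps that have aged out of the sliding window.
        while q and ev["ts"] - q[0] > self.window:
            q.popleft()
        # Counter: threshold reached -> fire and reset (like RESETCOUNTER).
        if len(q) >= self.count:
            q.clear()
            return (self.name, k, ev["ts"])
        return None


def make_policies():
    """The four correlation rules from the post, all over the same raw message."""
    return [
        Policy("5 su-root failures from one host in 6m", {"target": "root"}, ("host",), 5, 6),
        Policy("10 su-root failures from any host in 15m", {"target": "root"}, (), 10, 15),
        Policy("15 su failures for any user on one host in 10m", {}, ("host",), 15, 10),
        Policy("20 su failures for any user on all hosts in 15m", {}, (), 20, 15),
    ]


def run_engine(log_text, policies):
    """Feed every parsable line to every policy; return the alerts fired, in order."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for p in policies:
            hit = p.feed(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for name, key, ts in run_engine(SAMPLE_LOG, make_policies()):
        print(f"{ts:%H:%M:%S} ALERT {name} key={key}")
```

On the sample input the per-host rule fires for hostA at 10:04:05, while hostB never reaches 5 inside a 6-minute window because its first failure has aged out by the time the fifth arrives; the global "any system" rule then fires at 10:12:00 once ten root failures across both hosts fall inside 15 minutes. That is the false-positive reduction the post describes: the same raw message feeds several rules, each keyed on a different variable.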