Re: host-based ids evaluation
From: Gian Luca Valecchi (glvalecchi@hotmail.com)
Date: 08/13/02
- Previous message: Coochey, Giles: "RE: IPSec and IDS"
- Maybe in reply to: gianluca valecchi: "host-based ids evaluation"
- Next in thread: williamwang: "Re: host-based ids evaluation"
- Next in thread: Andrew Plato: "Re: host-based ids evaluation"
- Reply: williamwang: "Re: host-based ids evaluation"
- Reply: Gianpiero Porchia: "R: host-based ids evaluation"
- Reply: Talisker: "Re: host-based ids evaluation"
- Reply: Gianpiero Porchia: "R: host-based ids evaluation"
From: "Gian Luca Valecchi" <glvalecchi@hotmail.com>
To: "Andrew Plato" <aplato@anitian.com>, <focus-ids@securityfocus.com>
Date: Tue, 13 Aug 2002 17:04:38 +0200
Hi Andrew,
thank you for your suggestions.
My boss ordered me to produce a doc in which I've to evaluate ISS RealSecure
ServerSensor (Hybrid ids) focusing on host-based "component".
I'll try the tools you advised.
My idea is to install a Server Sensor also on the attacker host, to see if
the ids notifies me of the malicious attempts starting from a "protected"
machine.
Which websites are the best ones where I can find tools other than those you
mentioned to me?
thank you again,
Gianluca
----- Original Message -----
From: "Andrew Plato" <aplato@anitian.com>
To: <glvalecchi@hotmail.com>; <focus-ids@securityfocus.com>
Sent: Tuesday, August 13, 2002 2:18 AM
Subject: Re: host-based ids evaluation
>Hi all,
>I'm an IDS newbie, I've to evaluate some host-based IDS products.
>I need some advice about how to set up a feasible testbed.
What HIDS are you evaluating...out of curiosity? There are not very many out
there.
>I would reproduce some attacks from an attacker machine towards two victim
>machines (winnt and solaris) on which I've to install ids sensors:
>I need some pointers to find some attack/evaluation tools to exec towards
>the victim machine inside my testbed.
As for attack tools, there are so many we could spend all day. But a good
open-source tool is Nessus. It can run tons of scans against a machine and
make most IDS's light up like a Christmas tree. Another swell tool is Retina
from eEye Digital. You can download a free-eval copy to bang away at your
HIDS and watch them go.
These are intended as vulnerability scanners, I should note. But any decent
IDS should pick up their scans as events.
>I also know something about IDSwakeup/snot/stick tools; but AFAIK they're
>for network ids evaluation.
>Is there something out there (similar to it) for host-based ids ?
>it could be very useful to me if you would point me the right way.
All of these tools will work on a HIDS. Just configure their scans to be
pointed specifically at the system where the HIDS is running.
------------------------------------
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
(503) 644-5656 office
(503) 201-0821 cell
http://www.anitian.com
------------------------------------