Re: host-based ids evaluation

From: Andrew Plato (aplato@anitian.com)
Date: 08/13/02


Date: Mon, 12 Aug 2002 17:18:41 -0700
From: "Andrew Plato" <aplato@anitian.com>
To: <glvalecchi@hotmail.com>, <focus-ids@securityfocus.com>


>Hi all,
>I'm an IDS newbie; I have to evaluate some host-based IDS products.
>I need some advice about how to set up a feasible testbed.

What HIDS are you evaluating...out of curiosity? There are not very many out there.

>I would reproduce some attacks from an attacker machine towards two victim
>machines (WinNT and Solaris) on which I have to install IDS sensors.
>I need some pointers to find some attack/evaluation tools to run against
>the victim machines inside my testbed.

As for attack tools, there are so many we could spend all day. But a good open-source tool is Nessus. It can run tons of scans against a machine and make most IDSes light up like a Christmas tree. Another swell tool is Retina from eEye Digital. You can download a free eval copy to bang away at your HIDS and watch them go.

These are intended as vulnerability scanners, I should note. But any decent IDS should pick up their scans as events.

>I also know something about the IDSwakeup/snot/stick tools, but AFAIK they're
>for network IDS evaluation.
>Is there something out there (similar to them) for host-based IDS?
>It would be very useful to me if you could point me in the right direction.

All of these tools will work on a HIDS. Just configure their scans to be pointed specifically at the system where the HIDS is running.

------------------------------------
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation

(503) 644-5656 office
(503) 201-0821 cell
http://www.anitian.com
------------------------------------
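The advice above (point the scanners at the host running the HIDS and watch it "light up") leaves the evaluator with one practical problem: deciding, after each scan, whether the HIDS actually raised an alert for it and how much noise it produced in between. The following harness is an added example, not code from this thread or from any of the products named in it. It records each attack run as a name, target host and time window, parses a HIDS alert log, and reports which runs produced at least one alert on the right host within the window (plus a grace period) and which alerts could not be attributed to any run. The attack schedule and the log lines are constructed for illustration, and the syslog-like alert format ("timestamp host severity message") is an assumption; adjust `LINE_RE` to whatever the HIDS under test emits.

```python
"""Score a HIDS testbed run by correlating launched attacks with HIDS alerts.

Constructed example: ATTACK_RUNS and HIDS_LOG are made-up data, and the alert
line format is an assumed generic syslog-like layout, not any product's output.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed attack schedule: (run name, target host, start, end).
# In a real testbed these would be recorded by the script that launches the scan.
ATTACK_RUNS = [
    ("nessus-full-scan", "192.168.10.20", "2002-08-12 17:00:00", "2002-08-12 17:12:00"),
    ("retina-scan",      "192.168.10.20", "2002-08-12 17:20:00", "2002-08-12 17:28:00"),
    ("idswakeup",        "192.168.10.21", "2002-08-12 17:35:00", "2002-08-12 17:37:00"),
]

# Constructed HIDS alert log. Assumed format: "<date> <time> <host> <severity> <message>".
HIDS_LOG = """\
2002-08-12 17:03:14 192.168.10.20 WARN port scan from 192.168.10.5
2002-08-12 17:07:41 192.168.10.20 WARN ftp: suspicious login attempt
2002-08-12 17:22:05 192.168.10.20 INFO cron job started
2002-08-12 17:24:33 192.168.10.20 WARN http: excessive 404 responses
2002-08-12 17:45:10 192.168.10.21 WARN inetd: many connections from 192.168.10.5
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (.*)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"
SEVERITY_RANK = {"INFO": 0, "WARN": 1, "CRIT": 2}  # assumed severity scale


@dataclass
class Alert:
    ts: datetime
    host: str
    severity: str
    message: str


def parse_alerts(text):
    """Parse alert lines; lines that do not match the assumed format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        alerts.append(Alert(datetime.strptime(m.group(1), TS_FMT),
                            m.group(2), m.group(3), m.group(4)))
    return alerts


def score_run(runs, alerts, grace=timedelta(minutes=2), min_severity="WARN"):
    """Return ({run name: number of attributable alerts}, [unattributed alerts]).

    An alert is attributed to a run when it is on the run's target host, at or
    above min_severity, and timestamped between the run's start and end + grace
    (HIDS log surveillance often reports a little after the triggering activity).
    Alerts at or above min_severity that match no run are returned as noise,
    which is the false-positive side of the evaluation.
    """
    min_rank = SEVERITY_RANK[min_severity]
    hits = {name: 0 for name, _, _, _ in runs}
    attributed = set()
    for name, target, start, end in runs:
        t0 = datetime.strptime(start, TS_FMT)
        t1 = datetime.strptime(end, TS_FMT) + grace
        for i, a in enumerate(alerts):
            if a.host == target and t0 <= a.ts <= t1 and SEVERITY_RANK.get(a.severity, 0) >= min_rank:
                hits[name] += 1
                attributed.add(i)
    noise = [a for i, a in enumerate(alerts)
             if i not in attributed and SEVERITY_RANK.get(a.severity, 0) >= min_rank]
    return hits, noise


def detection_rate(hits):
    """Fraction of attack runs that produced at least one attributable alert."""
    return sum(1 for n in hits.values() if n > 0) / len(hits)


if __name__ == "__main__":
    parsed = parse_alerts(HIDS_LOG)
    hits, noise = score_run(ATTACK_RUNS, parsed)
    for name, n in hits.items():
        print(f"{name:20s} {'DETECTED' if n else 'MISSED':9s} alerts={n}")
    print(f"detection rate: {detection_rate(hits):.2f}")
    for a in noise:
        print(f"unattributed: {a.ts} {a.host} {a.severity} {a.message}")
```

With the constructed data the Nessus and Retina scans are each matched by alerts on the target host, while the IDSwakeup run on the second host is missed: the only alert there arrives eight minutes after the window closed and is reported as unattributed instead. Tuning `grace` is a judgement call; a value large enough to absorb that delay would also hide a genuinely slow or unrelated alert, so record the scan timing carefully rather than widening the window.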


