RE: host-based ids evaluation

From: Rob Shein (shoten@starpower.net)
Date: 08/15/02


From: "Rob Shein" <shoten@starpower.net>
To: "'gianluca valecchi'" <glvalecchi@hotmail.com>, <focus-ids@securityfocus.com>
Date: Thu, 15 Aug 2002 07:38:42 -0400

I saw from another posting that you will be testing the ISS Host Sensor.
As this is (as you pointed out) a hybrid, it does both HIDS and NIDS
functions. As I understand it, the HIDS feature detects successful
attacks (changes to files, sudden failures of services, etc), while the
NIDS will detect hostile (successful or not) activity that is directed
at the host itself. The first thing I would do is ask myself what sorts
of attacks are most critical in my environment. There are more attacks
than you could ever possibly hope to test, and vulnerability scanners
like Nessus will only go so far with respect to actually attacking a
box. If you're really serious about seeing what the HIDS functionality
will/won't pick up, you're going to have to run exploits against your
test machines and truly hack them. (Un)fortunately, this will be
trivial if you have not patched them; just look for exploits on the
PacketStorm site, or any number of other places.

The NIDS functionality, on the other hand, will be well-tested indeed
with Nessus, as the NIDS component doesn't require that attacks actually
succeed in compromising the box to set off an alert.

-----Original Message-----
From: gianluca valecchi [mailto:glvalecchi@hotmail.com]
Sent: Friday, August 09, 2002 8:02 AM
To: focus-ids@securityfocus.com
Subject: host-based ids evaluation

Hi all,
I'm an IDS newbie; I have to evaluate some host-based IDS products. I need
some advice about how to set up a feasible testbed.

I would reproduce some attacks from an attacker machine towards two victim
machines (WinNT and Solaris) on which I have to install IDS sensors: I
need some pointers to find some attack/evaluation tools to run against
the victim machines inside my testbed.

I also know something about the IDSwakeup/snot/stick tools, but AFAIK they're
for network IDS evaluation.
Is there something out there (similar to these) for host-based IDS? It
could be very useful to me if you would point me in the right direction. Thank
you in advance, Gianluca

_________________________________________________________________
Send and receive your Hotmail emails from your mobile phone with:
http://mobile.msn.it
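A minimal file-integrity check of the kind the HIDS half of a hybrid sensor is expected to perform, added here as an illustration (it is not code from this thread or from any vendor product): it snapshots a constructed directory tree, applies the sort of file changes a successful attack leaves behind, and reports what a HIDS under test should flag. The directory layout and file contents are constructed sample data.

```python
"""Hash-baseline file-integrity check (the 'changes to files' detection a HIDS
does), usable to confirm a testbed HIDS raises alerts on known file changes.
All paths and contents below are constructed sample data."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(old: dict, new: dict) -> dict:
    """Classify differences between two baselines as added/removed/modified."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Build a constructed tree, snapshot it, change it, and diff the snapshots."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "inetd.conf").write_text("ftp stream tcp nowait root\n")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        before = baseline(root)
        # Constructed post-compromise changes a HIDS should report:
        # an extra uid-0 account, a dropped binary, and a deleted config file.
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n")
        (root / "etc" / "dropped.so").write_bytes(b"\x7fELF")
        (root / "etc" / "inetd.conf").unlink()
        return compare(before, baseline(root))


if __name__ == "__main__":
    print(demo())
```

Compare the dictionary returned by `demo()` (or by `baseline()` snapshots taken before and after a real test run) with the alerts the sensor actually raised to see which file changes it missed.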


