Re: Win32 HIDS

From: oudot laurent (oudot.laurent@wanadoo.fr)
Date: 09/26/02 

Date: Thu, 26 Sep 2002 00:21:21 +0200
From: oudot laurent <oudot.laurent@wanadoo.fr>
To: David Ellis <dellis@unicam.com>

Snort for Win32 is not an HIDS
This is an NIDS launched on a win32 platform.

If you really need HIDS under Win32, you can use Prelude-IDS (http://www.prelude-ids.org) [GNU]

What to do ?

Take your Windows boxes, install a forwarder of their logs (i mean coming from their eventlog) in the
Unix syslog format (like nt-syslog) to a Unix accepting syslog alerts in remote (look at "syslogd -r"
in the man)
Then on the Unix box, install the composant called prelude-lml (Log Monitor Lakey) and tell him to
parse the collected logs
Some guys use it to parse logs coming from their windows (ex: on ... host, administrator
authentication error...)
You can specify what to create as an alert..
It's all free and opensource...
Take a look if you need something very powerfull.

my 2 cents,

laurent

David Ellis wrote:

> Snort for win32
> -----Original Message-----
> From: Chris Peden [mailto:cpeden@sundownerinteriors.com]
> Sent: Tuesday, September 17, 2002 4:45 PM
> To: Windows Security Issues
> Cc: focus-ids@securityfocus.com
> Subject: Win32 HIDS
>
> Does anyone know of any free or low cost HIDS for win32 platform?
>
> Thanks,
> Chris Peden, MCP
> Information Technology Director
> Sundowner Interiors
> 1110 CR6 West
> Elkhart, IN 46514
> P: 574-262-1523x117
> F: 574-264-0022
> cpeden@sundownertrailer.com
> www.sundownertrailer.com
> **************************************************************************************************
> The contents of this email and any attachments are confidential.
> It is intended for the named recipient(s) only.
> If you have received this email in error please notify the system manager or the
> sender immediately and do not disclose the contents to anyone or make copies.
>
> ** eSafe-portsmouth scanned this email for viruses, vandals and malicious content **
> **************************************************************************************************

Relevant Pages

  • Re: Win32 TSR program skeleton
    ... under windows a "comsole" is just a thing used for display. ... are not avaible to Win32 apps, and are not created for Win32 console ... I need to write a TSR that does some periodical checks over another ... You should say that I can simple pipe the output to my app, but, ...
    (microsoft.public.win32.programmer.kernel)
  • Re: I really do like OS X but . . .
    ... Win32 is just an environment, ... >Windows right now, would be from .NET or Java. ... >Microsoft took an excellent kernel like NT, ... Only Apple. ...
    (comp.sys.mac.advocacy)
  • Re: linux to windows porting help
    ... Presently i am working on win32 console applications. ... PostThreadMessage - for Message queue between process and its ... donn have any windows handle so unable to use these functions... ...
    (comp.programming)
  • Re: OT
    ... Für Windows Forms unter Windows ist das Verhalten aber naheliegend, da Windows Forms eben von Microsoft nur für Windows unterstützt werden und da eine Kapselung der Win32-Benutzerschnittstellen darstellen. ... Windos Forms is just a nice Frontend to Win32 but everything that worked in Win32 will work in WindowsForms too ... es darf nur die Framework-Doku ... das Framework sagt nichts in der Dokumentation ...
    (microsoft.public.de.german.entwickler.dotnet.csharp)
  • Re: As programmers...have we come a long way since 1993?
    ... If 'win64', as the main OS of PC users, ... is notably different in compatibility with old win32 software then ... the case Win64 should be largely tolerant of win32, ... > Look at Windows XP and Windows 2000, with that very scary DCOM exploit. ...
    (comp.programming)
Quantcast