RE: Host Based IDS Recommendations?

From: Alvin Wong (alvin.wong_at_b2b.com.my)
Date: 10/16/03

    To: Milind Nanal <milindyn@rolta.com>
    Date: 16 Oct 2003 10:03:19 +0800
    
    

    Hi Milind,

    Thanks for the recommendation for Windows HIDS.
    AIDE is a similar-esque HIDS to Tripwire but works on Unix servers. The
    Unix Tripwire version is commercial and you have to pay in order to use
    it but as a freeware, AIDE works fine.
    As per the recommendations of some in this thread, you can have a look
    at osiris, http://osiris.shmoo.com
    I am still in the process of getting it to work for me but with some
    tweaking and time to do the tweaking, it should be working fine.:>

    You can also try samhain, http://la-samhna.de/samhain/
    I haven't tried it but you should have a look.

    Regards,
    Alvin

    On Wed, 2003-10-15 at 21:39, Milind Nanal wrote:
    > Try
    > Secuplat HIDS for NT. It has server agent based features. Link is as below.
    >
    >
    > http://www.inzen.com/eng/products/HIDS/EP_HIDS_01.asp
    >
    > I would like to know Unix AIDE which you are talking about. Is it server
    > agent based HIDS?
    >
    > I am looking for Linux based HIDS which should be more advanced than
    > tripwire. Tripwire is just doing file level auditing; am looking for some
    > feature (on linux box) similar to Secuplat HIDS for NT. The central server
    > should collect all attack, file change auditing data, user security breaking
    > data for all my linux boxes. Just a simple agent should be installed on my
    > linux box to send the attack data to the central server, something similar to
    > Snare HIDS.
    >
    > http://www.intersectalliance.com/projects/Snare/index.html
    >
    > Your feedback on this is appreciated.
    >
    > Regards,
    >
    > Milind
    >
    >
    > -----Original Message-----
    > From: Simon Gray [mailto:simong@desktop-guardian.com]
    > Sent: Monday, October 13, 2003 7:44 PM
    > To: Alvin Wong; focus-ids@securityfocus.com
    > Subject: Re: Host Based IDS Recommendations?
    >
    >
    > > I would like to find out for Windows boxes if there are any
    > > recommendations for Host based IDS. I know that for unix there is AIDE,
    > > linux, tripwire. What are the solutions for Windows machines? Would
    > > running a software IDS that is capable of monitoring and protecting the
    > > file systems a la tripwire with signed hashes kept in removable media be
    > > sufficient? If there are, what are the usual suspects for host based IDS
    > > that are used prevalently in industry? I'm hoping for both free and
    > > commercial solutions.
    >
    >
    > There's a company called Trustcorps who provide a commercial solution to
    > what I believe you're looking for:
    >
    > http://www.trustcorps.com/
    >
    > "Intrusion Prevention technology such as TRUSHIELD™ is designed to not only
    > detect activities on the server that could damage data or that are
    > unauthorised activities, but stops them dead in their tracks. Where
    > Intrusion detection stops, IPS takes over, to ensure that critical systems
    > are as highly protected as possible from the threats of known and unknown
    > security attacks."
    >
    >
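Alvin's AIDE/Tripwire comparison and Simon's question about keeping signed hashes on removable media both come down to one mechanism: hash every file, sign the hash database with a key that does not live on the monitored host, and refuse to trust the database unless the signature verifies. The following is an added example, not code from any poster or from AIDE, Tripwire, Osiris or Samhain; it uses a hypothetical operator key and a constructed temporary directory tree so it runs offline.

```python
import hashlib, hmac, json, os, tempfile

def hash_tree(root):
    """Return {relative_path: sha256 hex} for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def sign_manifest(manifest, key):
    """Serialise the baseline and attach an HMAC; the key stays off the monitored host."""
    body = json.dumps(manifest, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": body, "hmac": tag})

def load_manifest(blob, key):
    """Refuse to use a baseline whose HMAC does not verify (database tampering)."""
    wrapper = json.loads(blob)
    expected = hmac.new(key, wrapper["manifest"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, wrapper["hmac"]):
        raise ValueError("baseline HMAC mismatch: stored hashes are not trustworthy")
    return json.loads(wrapper["manifest"])

def diff_manifests(baseline, current):
    # Classify every path as modified, added or removed relative to the baseline
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def _write(root, rel, text, mode="w"):
    with open(os.path.join(root, *rel.split("/")), mode) as fh:
        fh.write(text)

def demo():
    """Constructed scenario: take a signed baseline, change the tree, then re-check it."""
    key = b"operator-key-stored-with-the-media"  # hypothetical key, constructed for the demo
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "etc"))
        _write(root, "etc/passwd", "root:x:0:0::/root:/bin/sh\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        signed = sign_manifest(hash_tree(root), key)  # this blob is what goes on removable media
        _write(root, "etc/passwd", "newuser:x:1001:1001::/home/newuser:/bin/sh\n", mode="a")
        os.remove(os.path.join(root, "etc", "hosts"))
        _write(root, "etc/extra.conf", "option=1\n")
        return diff_manifests(load_manifest(signed, key), hash_tree(root))
```

The check is only as good as the key's separation from the host: a baseline signed with a key the intruder can read can simply be re-signed, which is why the thread's suggestion of keeping the signed database on removable media matters.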


