Re: HIDS for logon authentication
harald_at_deppeler.org
Date: 05/22/04
- Previous message: Skip Carter: "Re: HIDS for logon authentication"
- In reply to: Joe Dauncey: "HIDS for logon authentication"
- Next in thread: Sam Stover: "Re: HIDS for logon authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 22 May 2004 10:34:12 +0200 To: focus-ids@securityfocus.com
Hi
I'm actually in the process of trying to implement a host-based IDS
that can monitor and alarm on remote logons on Solaris 8 (and other
operating systems). Basically, it imposes a second login for remote
ptys.
It's still beta but it seems to work ... ;-)
Have a look at http://sid.sourceforge.net/
Cheers - Harry
On Fri, May 21, 2004 at 01:28:36PM +0100, Joe Dauncey wrote:
> Hi,
>
> I am looking for a Host-Based IDS that can monitor and alarm on remote logons on Solaris 8.
>
> I've looked at both ISS Server Sensor and Cisco Security Agent, but it currently seems that in order to look at people logging onto the system remotely via SSH I will have to design custom signatures/monitors that will read syslog output from SSH. In the case of ISS Server Sensor, it will only capture logons via the Trusted Computing Base (TCB) but since we use SSH as an add-on, it's not included. We'd have to force users to use telnet in order to capture the logons (not an option!). CSA is similar - it requires something custom to act on the syslog.
>
> If this was all I wanted to do than I would probably looking at something like secure syslog, or a similar log-parsing tool, but we really want the other HIDS functionality as well, and I am keen to avoid having to write custom scripts.
>
> The primary requirement is to be able to create alarms based on people logging onto the system, and failing to logon. However, we still want some other HIDS functionality.
>
> I was taking it for granted that most HIDS would be able to detect and alarm on logons, but it seems I was wrong :-(
>
> Any feedback would be greatly appreciated.
>
> Thanks,
> Joe
> --
>
> Joe Dauncey
>
> ---------------------------------------------------------------------------
>
> ---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
- Previous message: Skip Carter: "Re: HIDS for logon authentication"
- In reply to: Joe Dauncey: "HIDS for logon authentication"
- Next in thread: Sam Stover: "Re: HIDS for logon authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
