From: Chris Petersen (
Date: 12/02/04

  • Next message: Michael Rash: "psad-1.4.0 release"
    To: "'Youngquist, Jason R.'" <>, "'Focus IDS List'" <>
    Date: Thu, 2 Dec 2004 08:33:42 -0700

    ***** VENDOR RESPONSE ******

    As some of the responses to your post mentioned, you might consider
    using a Security Event Management product combined with open-source
    tools to meet your end needs. I can't speak to other SIM/SEMS
    capabilities but with our product (LogRhythm) you could:

    - Use open source Snort on Linux for NIDS. SEM Agent can forward logs
    encrypted or forward to SEM Syslog server
    - Use SEM agents to collect logs from servers
    - Use SEM agent to collect logs written to flat file
    - Use SEM agent to remotely pull Windows Event Logs
    - Use SEM agent to perform file integrity and system monitoring
    - Forward logs from syslog and snmp reporting devices (e.g., routers,
    switches, firewalls) to SEM Syslog/SNMP server

    Most SEM's have some or all of the above capabilities. Where many of
    them differ is in how they manage the logs. Many SEM's don't do much
    with the raw log data other than determine if it is an event or not. In
    many cases if its not an event, the log is thrown away. We have taken a
    different approach in that we have seperated log management from event
    identification/management. Logs are stored at one level, analyzed, and
    if matching a rule, forwarded as an event. The advantage of this
    approach is that you maintain all log data for analysis purposes but
    only high-risk logs (as determined by the user) are forwarded as events.
    Our customers have found this architecture extremely useful since it
    allows them to "turn up" their IDS sensors since they can filter the
    alarms at the log management level and only forward high value alarms as
    events. This way they are able to collect all the noisy,
    high-false-positive and/or forensic alarms without inundating the event
    manager with too much noise. If they need to investigate something, they
    can pull other non-forwarded IDS alarms (and other non-forwarded logs)
    from the log management layer.

    I think the bottom line is that if you are looking at performing network
    monitoring across NIDS, HIDS, and logs, you might want to start at the
    center (the SEM) and move outward (the collectors). Imo, NIDS/HIDS/Logs
    are most valuable when they can be effectively and timely monitored and
    analyzed. Having spent the last two years building a SEM this is not
    something to take lightly in putting together yourself via a Syslog
    server and MySQL. The process of collecting, parsing, and normalizing
    logs from devices reporting in non-standard formats into a usable
    report/monitoring format and then developing the monitoring/reporting
    tools is not trivial, you can probably count on 1 person, full time for
    the next 12 months for engineering alone.

    I think by beginning with the SEM you might be able to combine your
    existing investment in security technologies with open-source to have a
    more effective and less expensive end solution.

    Chris Petersen
    President/CTO, Security Conscious, Inc.

    -----Original Message-----
    From: Youngquist, Jason R. []
    Sent: Monday, November 29, 2004 1:49 PM
    To: Focus IDS List
    Subject: NIDS and HIDS

    I just recently started a new job as a network security analyst and one
    of my projects is to implement an intrusion detection system. I've been
    doing some research and pursuing the listserv archives and was wondering
    if anyone had any thoughts/opinions.

    For NIDS's, I've been looking at SourceFire's commercialized version of
    Snort, CISCO's IDS appliances, and McAffee's IntruShield.

    For HIDS's, there appears to be three main categories: monitoring the
    host's file system, the host's network connections, and the host's log
    files. --Host's file system: I'm looking at Tripwire Manager, Tripwire
    for Servers, and Tripwire for Network Devices.

    --Host's network connections: I'm looking for an enterprise-wide
    solution that we can roll out to all the Windows XP machines and
    centrally manage. Since we already use Symantec for anti-virus,
    Symantec's Client Security 2.0 seems to incorporate a centrally managed
    personal firewall, HIDS, and anti-virus capability.

    --Host's log files: I'm looking at implementing a centralized
    syslog/syslog-ng server on a Linux box and having all Windows XP boxes
    and network devices log to it. I'd also stick the data into a MySQL
    database to allow for easy querying.

    I'd like to have an analysis program that would take data from the NIDS,
    HIDS, syslog, and tripwire logs, put it all together, and be able to
    give me some useful charts and graphical summaries so management can see
    that their money was well spent in securing the organization's

    Jason Youngquist


    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from 
    Go to
    to learn more.
    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from 
    Go to 
    to learn more.

  • Next message: Michael Rash: "psad-1.4.0 release"