Re: The intrusion detection report from TIS

Michael Neuman (mcn@truchas.lanl.gov)
Fri, 5 Aug 1994 11:32:49 -0600

> From paul@hawksbill.sprintmrn.com Fri Aug  5 11:23:02 1994
> > Since then, Steve Smaha at Haystack Labs has come out with a product called
> > "Stalker" which does a *VERY* (IMHO) nice job of auditing a network of
> > Sun workstations. A bit pricey, but a great deal of research has been put
> > into it, so it's worth it if you can afford it.

> When you say "audit," I'm assuming that you mean the same type of auditing
> the Tiger Scripts perform. Or perhaps, something more akin to Tripwire?
> 
> What makes "Stalker" superior (my assumption, according to your emphasis)
> to any other product (say, for example, TAMU Tiger Scripts)?

  They're completely different. Stalker goes through the audit records
generated by the Sun BSM. His system then tries to identify anomalies and
compare activity to the dozens of attack signatures he has. It's a pretty 
snazzy system. :-) What makes it unique is really the attack signatures.
He's collected far more than any other product I've seen. Stalker also
has a pretty nice GUI for generating reports and querying the database
it collects.

  I don't have the files with his product information and contact methods,
but I do know you can reach him through email at:
smaha@dockmaster.ncsc.mil, and his coordinator phone number (from the
NIC's whois database) is 512-343-2552. That may be his home phone number, so
be gentle. :-)

-Mike