> From paul@hawksbill.sprintmrn.com Fri Aug 5 11:23:02 1994
> > Since then, Steve Smaha at Haystack Labs has come out with a product called
> > "Stalker" which does a *VERY* (IMHO) nice job of auditing a network of
> > Sun workstations. A bit pricey, but a great deal of research has been put
> > into it, so it's worth it if you can afford it.
> When you say "audit," I'm assuming that you mean the same type of auditing
> the Tiger Scripts perform. Or perhaps, something more akin to Tripwire?
>
> What makes "Stalker" superior (my assumption, according to your emphasis)
> to any other product (say, for example, Tamu Tiger Scripts)?

They're completely different. Stalker goes through the audit records generated by the Sun BSM. His system then tries to identify anomalies and compare activity to the dozens of attack signatures he has. It's a pretty snazzy system. :-)

What makes it unique is really the attack signatures. He's collected far more than any other product I've seen. Stalker also has a pretty nice GUI for generating reports and querying the database it collects.

I don't have the files with his product information and contact methods, but I do know you can reach him through email at: smaha@dockmaster.ncsc.mil, and his coordinator phone number (from the NIC's whois database) is 512-343-2552. That may be his home phone number, so be gentle. :-)

-Mike