Mike,

Is there any on-line documentation available on the following?

Since then, Steve Smaha at Haystack Labs has come out with a product called "Stalker" which does a *VERY* (IMHO) nice job of auditing a network of Sun workstations. A bit pricey, but a great deal of research has been put into it, so it's worth it if you can afford it.

This is my pet project. On January 1st, stage one of UNICORN (Unicos Real-time NADIR) and KNADIR (Kerberos NADIR) will be finished and be in production here at LANL. UNICORN works with Unicos security audit records and does a good deal of Unix generic vulnerability testing. KNADIR works with a slightly modified Kerberos v4 audit record (we just made it a little more thorough).

There is a newer project based on this here, but it's in its first few months of development.

The original W&S was bought on a tech transfer by one of the original authors. LANL has nothing to do with it anymore. Basically, W&S looks at a dataset and tries to generate meta-rules about the data. Then, when presented with new datasets, it applies these meta-rules to detect anomalies.

Thanks,
Jim