I have some knowledge of SRI's NIDES product. It generates for you, profiles of normal behavior so that you can monitor real-time or long term for deviation from normal behavior. (Note, deviation from normal behavior is not always and intrusion or abusive, just not the normal behavior for the subject.) It supports an expert system with a rulebase editor that allows you to define specific intrusion scenarios (i.e. the specific "no-no's"). The ES capability monitors enforcement of your specific site security policy. JT ======================================================================== Some of the people who will speak at the one day SRI presentation have a lot of first hand experience with intrusion detection. I talked my boss into attending, because we are essentially clueless in this area, even though we met a couple of the people who will speak. Hog Farmer