One of the problems I see with all the new introductions is that the existing people on the list, who the new people would probably like to know about too, don't reintroduce themselves. Usually, introductions work both ways. Does anyone have an idea on how we might be able to handle this? Perhaps there's a list server command that already addresses this?

On another topic, I just wanted to mention that the Distributed Intrusion Detection System (DIDS) Version 2 has now been completed and released. DIDS, as many of you know, is a heterogeneous network monitoring tool designed to provide a visual trace, and audit level data, of suspicious users. Version two incorporates new features like tagged objects so you can watch 'things' instead of 'users'. Clearly, there's value in watching the cheese vs looking for the mice. DIDS is available to DOD customers for a song. I am the point of contact for questions. DIDS currently runs on a variety of different clients and the server itself is hosted on a Sun workstation. The network bandwidth penalty is less than 5% but, as we all know, your mileage may vary.

My re-introduction is that I'm the Chief of Countermeasures Development at the AF Information Warfare Center. DIDS is one of many responsibilities my team has. Essentially, we build countermeasures to stop crackers -- whether they are twinkie eaters or actual enemies. DIDS is one of our big ticket tools, but we have many other small tools that we build in house to counter the threats we see. We also work closely with the national investigative and intelligence communities to stay on top of the threat and to 'collect' new tools and techniques that can be used against us.

Currently, the DIDS paradigm is detection based, but we've made the decision to become more 'prevention' based. Now, before the war starts -- this doesn't mean DIDS will take action all on its own. It means that we intend to define a series of behaviors as 'suggested' evil and provide the 'choice' to automatically prevent/terminate them (we won't quibble here on the list about real-time, network propagation delays, etc). As an example, becoming root when you're not in the wheel group is a definite candidate for a configuration file entry -- if this happens, would you like us to kill the shell and then lock out the account? If yes, okay. If not, we'll faithfully record it. Our emphasis will be on trying to prevent the twinkie eaters from hurting our systems. In cases where real-time delays occur, my actual experience tracking hackers has convinced me that the approach I described above would frustrate their efforts to no end.

How many other ID systems are out there that can support this type of environment? Do they all need to tweak the kernel <we don't as of this writing>? Sidewinder tweaks the kernel to enforce role based authentication mechanisms, which is similar, but not the same, as the paradigm we advocate. How do 'we' <this list> build an intrusion detection database that lets us compare the different products on the same general level? Essentially, we need some type of maintained attack database and then a protocol for evaluating the products. Without that, we teeter dangerously close to the snake oil problem (no, that's not a reference to Cliff's new book -- I just like that phrase).

By the way, I noticed many new arrivals because of the concern/fear over SATAN and I thought I'd add my two cents here. First, if SATAN is that big a problem, then the hackers are doing us a favor because networks that fall to these attacks need to be secured before we allow any more traffic on them. Two, I wonder how many people realize that SATAN is an excellent tool for testing an intrusion detection system <leave the box unprotected and see what your IDS can 'really' do>. SATAN is a double-edged sword, agreed, but given the poor state-of-the-art in this area, SATAN will help nudge us, perhaps with some kicking and screaming, forward. This is only my opinion, but it's based on actual experience tracking hackers and interviewing them after they're caught. An interesting counter problem here -- have any of the people complaining about SATAN done a showrev command on their boxes to see what, if any, security patches are installed?

PS -- I realize this is preaching to the choir for many of us -- I realize that and apologize in advance -- but I wanted to provide some grist for the discussions we all, inevitably, will have with others on this topic <there's strength in numbers>.

Kevin Ziese, Capt, USAF                   210-377-0477 (Voice)
Chief, Countermeasures Development        210-377-1326 (Fax)
AF Information Warfare Center             800-759-8888 (PIN 2927686)
1100 NW Loop 410, Suite #607              ziese@lorenz.csap.af.mil
San Antonio, Texas 78213                  Email is always preferred
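An added illustration of the 'suggested evil' configuration idea in the post above (this is example code written for this page, not DIDS code or anything from the author): each named behavior is mapped in a policy table to either prevent (kill the shell and lock the account) or record (log faithfully, do nothing else), and a constructed audit stream is run through it. The event fields, behavior names, the POLICY table and the failed-login threshold are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed policy table: named behavior -> configured response.
# "prevent" = kill the shell and lock the account; "record" = log only.
POLICY = {
    "root_su_outside_wheel": "prevent",
    "failed_login_burst": "record",
}
BURST_THRESHOLD = 3  # constructed value: failed logins per user before we flag
RESPONSES = {"prevent": ["kill_shell", "lock_account"], "record": [], "allow": []}

@dataclass(frozen=True)
class AuditEvent:
    user: str
    action: str                        # "su", "login_ok" or "login_failed"
    groups: frozenset = frozenset()    # group membership at event time
    target: str = ""                   # "root" for su events

@dataclass
class Decision:
    event: AuditEvent
    behavior: Optional[str]            # None when the event is benign
    actions: List[str] = field(default_factory=list)

def classify(ev: AuditEvent, failures: Counter) -> Optional[str]:
    """Name the suspicious behavior an event represents, or None if benign."""
    if ev.action == "su" and ev.target == "root" and "wheel" not in ev.groups:
        return "root_su_outside_wheel"
    if ev.action == "login_failed" and failures[ev.user] >= BURST_THRESHOLD:
        return "failed_login_burst"
    return None

def process(events, policy=POLICY) -> List[Decision]:
    """Run the stream through the policy. Every event is recorded in the
    returned list; only behaviors configured as 'prevent' carry actions."""
    failures = Counter()
    decisions = []
    for ev in events:
        if ev.action == "login_failed":
            failures[ev.user] += 1
        behavior = classify(ev, failures)
        mode = policy.get(behavior, "record") if behavior else "allow"
        decisions.append(Decision(ev, behavior, list(RESPONSES[mode])))
    return decisions

# Constructed sample stream: a wheel member becoming root (benign), a
# non-wheel user becoming root, then a burst of failed logins for one user.
SAMPLE = [
    AuditEvent("alice", "su", frozenset({"staff", "wheel"}), "root"),
    AuditEvent("dave", "su", frozenset({"staff"}), "root"),
    AuditEvent("carol", "login_failed"),
    AuditEvent("carol", "login_failed"),
    AuditEvent("carol", "login_failed"),
]
```

Changing a policy entry from "prevent" to "record" leaves the same event flagged but with no enforcement actions, which is the operator choice the post describes.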