Stalker (was: prfile)

Gene Spafford (spaf@cs.purdue.edu)
Sat, 19 Aug 1995 10:38:01 -0500

> >For instance, Haystack Labs has a really nice IDS
> >product called Stalker which installs on Suns and HPs, but not SGIs.
> >More disturbing was a comment I got from a developer there. He said
> >(and I am summarizing) that they have no plans to port to SGIs because
> >most SGI customers only buy the Unix systems for the graphics capability
> >and are not willing to take the performance hit.
> 
> Maybe they've never seen a Challenge? Some supercomputer centers are going
> to move entirely to Challenge and PowerChallenge arrays due to cost reasons,
> I've heard. I think they are taking a very short-sighted view.
> 
> >This is unfortunate because
> >I was quite impressed with their Stalker product.
> 
> Any more details on it? What exactly does it do?

From what I know, there are only two current commercial IDS available
on the market.  Both use forms of audit trail reduction, but use
different mechanisms internally to do the analysis.  The two are
Stalker from Haystack Labs, and CMDS from SAIC.

Of the two, I've heard better things about Stalker from people in the
government who have evaluated both.  I have no direct experience with
either (yet).

If I recall correctly, Stalker does not need to run on SGIs directly
-- you can run it on a Sun workstation and feed it the SGI audit
trail.  In some cases, this may be the preferred mode of operation as
you sometimes don't want your IDS running on a machine you are
monitoring.

You can get full details on the system by contacting <smaha@sli.com>.
They have some literature they can send out.  Unfortunately, there is
no ftp or www info site for them.  (The SAIC product is described at
<http://www.saic.com/products/cmds/>).

One reason Stalker may not yet be supported on SGI machines is that
Haystack is a small company, and Stalker is a new product.  They are
undoubtedly producing it first for the machines most commonly used in
government and industries like financial services -- likely customers.
SGI machines are not (yet, if ever) common in those environments, so I
doubt they are a high priority.  I'm pretty sure as time goes on, if
it appears that security-conscious firms are interested in buying SGI
equipment and paying for security, then more such tools will be
available for them.

The above is purely my opinion, shaped in part by hearing several
presentations by Steve Smaha at various security research meetings,
and reading some of their literature.  Parts of it may well be wrong.
I'm cc'ing Steve directly so he can correct or amplify my remarks.

--spaf