i suppose you could try stalker and netstalker from haystack labs in austin. stalker doesn't use syslog. it uses the c2 audit trail.

> > I guess it figures that the three responses I got via Email were
> > all about tripwire. Perhaps I wasn't clear enough. I wasn't looking
> > for an integrity checker to detect changed files on my server. If I
> > were, I would use Integrity Toolkit (before tripwire, there was IT!, and
> > IT is better).
> >
> > I am looking for a real-time intrusion detection system that can
> > take information provided by syslogs and other similar sources coming
> > from a distributed network of computers, fuse the incoming information,
> > and detect both patterns that are dissimilar to normal usage patterns
> > and patterns that are indicative of known attack profiles.
> >
> > A good example is CMDS by SAIC, but I know there are other such
> > products, and I am trying to get in touch with the vendors of those
> > other products to determine if any of them are as viable as CMDS, what
> > they cost, how they operate, and whether they will meet the needs of my
> > client.
> >
> > I am interested in a package that operates on information from
> > different sources, including but not limited to Unix varieties and
> > output from routers. It would be best if it ran on trusted computing
> > bases, it would be nice if it was programmable to allow us to customize it
> > to meet the client's ever-changing needs, and it would be even better if
> > it were supported by a substantial commercial organization with a
> > long-term commitment to its ongoing availability and enhancement.
> > Finally, it would be nice if the cost were relatively modest for the
> > value given, taking into account support, customization, etc.
> >
> > I hope this has clarified my request for information.
> >
> > --
> > -> See: Info-Sec Heaven at URL http://all.net
> > Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

-- mark seiden, mis@seiden.com, 1-(415) 592 8559 (voice)