Re: Intrusion detection, Tripwire, etc

Dr. Frederick B. Cohen (fc@all.net)
Tue, 22 Aug 1995 22:15:34 -0400 (EDT)

> 1st comment: "better" is relative to some metrics.  If the metrics
> include low cost, availability of source code, portability to lots of
> different versions of Unix, or configurability, then Tripwire is
> probably better.  However, it really depends on what you want.  As I
> gather you had something to do with IT, I can understand why you might
> believe it better. :-)

IT is free to me, I have the source code, it works on every version of
Unix I have ever tried it on, it's more configurable with a better GUI
than tripwire, and it does a great deal more, but I don't want to go on
because I might be accused of advertising.

> 2nd comment: Tripwire is more than an integrity checker that notes
> changed files on a server, if you so configure it.

I am sorry I understated the case for tripwire in this way, I hope you
are not upset that I failed to mention the other fine features.  Perhaps
you will mention them in your next posting.

> 3rd comment: Systems that snapshot certain file system
> characteristics, especially "honey pot" entities, can be used as a
> form of cheap intrusion detection.  Most system crackers will either
> install backdoors for re-entry, or unwittingly alter file system and
> directory characteristics if they are snooping about.   A detector
> monitoring for such change will provide a warning even if nothing else
> does.  We've had scores of such reports from Tripwire users.  That may
> explain why you got such a response to your query.

I certainly believe that your users are happy with your product, and I
didn't mean to underplay the import of cheap products to the global
community.  Nevertheless, it's not what I am looking for. 

...
> 4th comment:  You are basically looking for the "Holy Grail" of IDS.
> You want it to do everything, on every machine, and be available for
> low cost.  Good goals. However, you need to specify what you are
> willing to sacrifice to achieve them.  Dynamism?  Efficiency?
> Rejection of false alarms?  Coverage?  

I want to know the market so I can help clients (one in particular right
now) make educated decisions.  I want to know as much as the vendors can
tell me about them, including these parameters you describe and many
others - like availability of support, and liability for failures, and
data fusion capabilities, and throughput, and the ability to correlate
data of different sorts, and the ability to set different criteria for
response, and automated response capability, and how they interact with
other systems in the environment, and the management interface, and the
reports they generate, and how they protect their own integrity, and on
and on and on.  In other words, I am looking for commercial products
from commercial vendors that meet the commercial needs of commercial
clients.  I am not looking to glue and paste something together, or to
create a maintenance nightmare, or to invest in a research project.

> 5th comment: Anomaly-based detectors (what you are requesting first)
> tend to be very large and/or slow, and tend to suffer significant
> false-alarm rates.  This is the nature of the beast, whether
> rule-based or statistical in nature.

Not necessarily so.  Perhaps you are not up-to-date on this area of
intrusion detection, or perhaps I misunderstand your ideas of big, slow,
false-alarm rates, etc.  I'm not concerned that it won't do the job on a
386sx PC - I want to know what job it does on what kind of machine,
whether it will fit the needs of my clients, and what it costs.

> Misuse detectors (the other
> approach, "known attack profiles") will not work against new and
> unknown attacks.  As time goes on, I am more convinced that the best
> systems are those that monitor effects and goals rather than activity
> and user behavior.

I think of misuse detection as broader than "known attack profiles",
however, it is my feeling that the combination of known attack profile
detection and anomaly-based detection (as you put it) is likely to be
better than either alone for the purposes of my client.  I could be
wrong.

In terms of detecting corruption, I am confident that that issue is
already handled for my client.  What I am trying to find is real-time
intrusion detection.

> If I get several requests, I'll be happy to expand on this whole
> thread.  If you haven't read the related-work chapter in Kumar's
> dissertation, you might want to -- it explains some of this, too:
>    http://www.cs.purdue.edu/coast/coast-library.html

Please expand away.  If you know of any vendors with products that can
provide this capability and if you can tell me what they cost, their
limitations, how they work, about their support programs, etc., I will
be happy to see your next posting.

-- 
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
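The snapshot-and-compare approach described in the 3rd comment above (record file system characteristics, re-check later, treat any change to a "honey pot" file as a warning in its own right) is easy to show concretely. The following is an added example written for this archive page; it is not Tripwire's code or file format, and the names snapshot(), compare(), demo(), the on-disk JSON layout and the sample tree it builds are all this example's own constructions.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical helper: the record layout below is this example's own, not Tripwire's.
def _file_record(path: Path) -> dict:
    """Metadata and SHA-256 of one regular file; these are the fields compared later."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "sha256": h.hexdigest(),
    }

def snapshot(root: str) -> dict:
    """Walk root and record every regular file, keyed by path relative to root.
    Symlinks are skipped so a planted link cannot pull unrelated files into the baseline."""
    root_path = Path(root)
    records = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            records[str(p.relative_to(root_path))] = _file_record(p)
    return records

def save_baseline(records: dict, dest: str) -> None:
    """Persist the baseline; in practice this copy belongs on read-only or offline media."""
    Path(dest).write_text(json.dumps(records, indent=1, sort_keys=True))

def load_baseline(src: str) -> dict:
    return json.loads(Path(src).read_text())

def compare(baseline: dict, current: dict, decoys=()) -> dict:
    """Diff two snapshots. Decoy ("honey pot") paths are reported separately:
    legitimate users have no reason to touch them, so any change is a strong signal."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = []
    for rel in sorted(set(baseline) & set(current)):
        before, after = baseline[rel], current[rel]
        changed = [k for k in before if before[k] != after.get(k)]
        if changed:
            modified.append((rel, changed))
    modified_paths = {rel for rel, _ in modified}
    decoy_touched = sorted(
        rel for rel in set(decoys)
        if rel in added or rel in removed or rel in modified_paths
    )
    return {"added": added, "removed": removed,
            "modified": modified, "decoy_touched": decoy_touched}

def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate a replaced binary,
    a dropped re-entry file, and an edit to a decoy file; return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"constructed: original login program\n")
        (root / "home").mkdir()
        (root / "home" / ".decoy_keys").write_text("constructed decoy, never used\n")
        save_baseline(snapshot(tmp), root / "baseline.json")
        baseline = load_baseline(root / "baseline.json")
        baseline.pop("baseline.json", None)  # the baseline file is not part of the tree

        # Simulated intruder activity (constructed, no real programs involved)
        (root / "bin" / "login").write_bytes(b"constructed: replaced login program\n")
        (root / "tmp").mkdir()
        (root / "tmp" / ".backdoor").write_text("constructed: re-entry file\n")
        with (root / "home" / ".decoy_keys").open("a") as f:
            f.write("constructed: edited by intruder\n")

        current = snapshot(tmp)
        current.pop("baseline.json", None)
        return compare(baseline, current, decoys=["home/.decoy_keys"])

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Only metadata that changes on write is recorded here, so this catches installed backdoors and altered files but not pure reads of a decoy; adding access time would extend that, at the cost of noise on filesystems that update it lazily. The baseline itself is the weak point the original poster alludes to when asking how products "protect their own integrity": if an intruder can rewrite baseline.json, the check is silent, so it belongs on media the monitored host cannot modify.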