FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicited mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

> Have you looked at Network Flight Recorder? (www.nfr.net)

I've not taken a look at their product as of yet. But I will check it out to see what they have to offer. I'll probably give them a call next week to see if they can come out to our site.

> NT is a bloated insecure resource hog that isn't worth using for _any_
> critical data, nonetheless anything remotely to do with security. :) We all
> know this, but _why_ I say _why_ do we consistently insist on deploying
> this garbage?

Well, the other side of the coin is that 100% of our clients are Windows based and are non-technical, making the platform an ideal choice. Each OS has its place, as I feel that each one has its merits. (If we were all on one platform life would be boring.) For the security side, UNIX still has many new vulnerabilities introduced to it as well as NT does, thus the discussion on Intrusion Detection ;-) It's up to the systems administrators to actually do their job to ensure the protection of their hosts and network.

Also, I'll post on our findings of the various products we test.... I'm hoping that the next evolution of IDS products will continually get better and be more applicable to today's networks. It would be great if the NFR product does fit this mold today with the ever increasing fast ethernet topologies out there. By the way, does the product detect the signature of NMAP (I know, this one is a tough one to pick out with the randomization that it does)?

> 2-3 days (consistently) behind in churning the logs.
> Man, that's pretty bad.. I can't think of a cost prohibitive way of
> deploying Kane in such a manner. Does your organization insist on host
> based security? Does the architecture insist it reside solely on NT boxes?

The way their solution works is that you have an agent running on all of the servers you want monitored (PDCs, BDCs, etc). It then sends the information to a stand-alone server that writes the logs to a database if the patterns you're looking for are detected. The downside to the product is that it utilizes a flat file database... if it were relational, the speed and performance would be greatly enhanced.

> It'd be a lot more efficient to write your own external process that
> swept the logs (or have NT transfer the logs) to a more reliable
> architecture (like OpenBSD, FreeBSD, etc..) that would slice and dice them
> faster than Martha Stewart on a real good day. :)

I would actually prefer to write perl scripts to accomplish what the product is doing. You can parse out the specific events that you are looking for, as this would be faster. The problem with that is finding the time to do this (as with everything). Plus Kane was pre-existing before I got on site.

-Jd