RE: IDS: Network Intrusion Detection

Jerry Dixon Jr (jerry@jdixon.com)
Sat, 20 Mar 1999 14:02:03 -0500

FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicted mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

> Have you looked at Network Flight Recorder? (www.nfr.net)

I've not taken a look at their product as of yet.  But I will check it
out to see what they have to offer.  I'll probably give them a call
next week to see if they can come out to our site.


> NT is a bloated insecure resource hog that isn't worth using for _any_
> critical data, nonetheless anything remotely to do with security.  :)  We all
> know this, but _why_ I say _why_ do we consistently insist on deploying
> this garbage?

Well, the other side of the coin is that 100% of our clients are
Windows based and are non-technical, making the platform an ideal
choice.  Each OS has its place, as I feel that each one has its
merits.  (If we were all on one platform life would be boring.)  For
the security side, UNIX still has many new vulnerabilities introduced
to it as well as NT does, thus the discussion on Intrusion Detection
;-)  It's up to the systems administrators to actually do their job to
ensure the protection of their hosts and network.

Also, I'll post on our findings of the various products we test... I'm
hoping that the next evolution of IDS products will continually get
better and be more applicable to today's networks.  It would be great
if the NFR product does fit this mold today with the ever increasing
fast ethernet topologies out there.

By the way, does the product detect the signature of NMAP (I know, this
one is a tough one to pick out with the randomization that it does)?

> 2-3 days (consistently) behind in churning the logs.  Man, that's pretty
> bad.. I can't think of a cost prohibitive way of deploying Kane in such
> a manner.  Does your organization insist on host based security? Does
> the architecture insist it reside solely on NT boxes?

The way their solution works is that you have an agent running on all
of the servers you want monitored (PDCs, BDCs, etc.).  It then sends
the information to a stand-alone server that writes the logs to a
database if the patterns you're looking for are detected.  The downside
to the product is that it utilizes a flat file database... if it were
relational the speed and performance would be greatly enhanced.

> It'd be a lot more efficient to write your own external process that
> swept the logs (or have NT transfer the logs) to a more reliable
> architecture (like OpenBSD, FreeBSD, etc..) that would slice and dice
> them faster than Martha Stewart on a real good day. :)

I would actually prefer to write Perl scripts to accomplish what the
product is doing.  You can parse out the specific events that you are
looking for, as this would be faster.  The problem with that is finding
the time to do this (as with everything).  Plus, Kane was pre-existing
before I got on site.

					-Jd
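The alternative Jerry sketches above, a script that sweeps exported NT logs for the specific events you care about instead of running Kane's agent, as an added example that is neither Kane's code nor the poster's own scripts (he mentions Perl; Python is used here for the same idea). The tab-separated export layout and the NT 4.0 security event IDs are assumptions, marked in the comments; the sample dump is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Single-shot alerts, keyed by NT 4.0 security log event ID (IDs assumed
# here; check them against your own audit policy before relying on them).
WATCHED = {
    517: "audit log cleared",
    539: "logon failure: account locked out",
    612: "audit policy changed",
}
BAD_PASSWORD = 529  # logon failure: unknown user name or bad password

# Constructed sample export in the tab-separated layout assumed for an
# Event Viewer text dump: date, time, source, category, event ID, user,
# computer.  Five bad passwords for 'admin' inside one minute, then the
# audit log is cleared on another domain controller.
SAMPLE = """\
3/20/99\t13:55:02\tSecurity\tLogon/Logoff\t528\tjdixon\tPDC1
3/20/99\t13:58:10\tSecurity\tLogon/Logoff\t529\tadmin\tPDC1
3/20/99\t13:58:14\tSecurity\tLogon/Logoff\t529\tadmin\tPDC1
3/20/99\t13:58:21\tSecurity\tLogon/Logoff\t529\tadmin\tPDC1
3/20/99\t13:58:30\tSecurity\tLogon/Logoff\t529\tadmin\tPDC1
3/20/99\t13:59:05\tSecurity\tLogon/Logoff\t529\tadmin\tPDC1
3/20/99\t14:01:44\tSecurity\tSystem Event\t517\tadmin\tBDC2
"""

def parse(lines):
    """Yield (timestamp, event_id, user, computer) per non-empty record."""
    for line in lines:
        if not line.strip():
            continue
        date, time, _src, _cat, eid, user, host = line.rstrip("\n").split("\t")
        ts = datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S")
        yield ts, int(eid), user, host

def sweep(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alert strings: one per WATCHED event, plus one the moment a
    user reaches `threshold` bad-password events inside `window`."""
    alerts, recent = [], defaultdict(list)
    for ts, eid, user, host in parse(lines):
        if eid in WATCHED:
            alerts.append(f"{ts} {host} {user}: {WATCHED[eid]} (event {eid})")
        elif eid == BAD_PASSWORD:
            # keep only this user's failures that are still inside the window
            recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
            if len(recent[user]) == threshold:
                alerts.append(f"{ts} {host} {user}: {threshold} bad passwords "
                              f"in {window}, possible password guessing")
    return alerts
```

Run it over the sample with `sweep(SAMPLE.splitlines())` and it reports the burst of bad passwords once (not five times) and the cleared audit log; a single noisy 529 never alerts on its own.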
