Re: Low cost HID based IDS system
From: SecurIT Informatique Inc. <securit(at)iquebec.com>
Date: Mon May 19 2003 - 15:29:37 EDT
First of all, I will be releasing LogAgent 4.0, both in Open Source and Pro versions. This is a tool for monitoring and centralising ASCII log files and the events from the Event Viewer. New with version 4.0 is that there are two companion tools that ship freely with it, and are completely Open Source. These tools are ADSScan, an alternate data streams scanner, and the combo HashGen and IntegCheck, which is a classical HID system. These two tools don't necessarily require LogAgent to run, although they need one of its configuration files. They are command prompt tools; the Pro version offers some more functionality (produces some forensics-related data), ships with a 5-machine license, and licensing costs will be low enough to make it affordable to deploy on each host on the network, not simply the servers (exact prices still have to be determined, see my webpage next week for numbers).

As a side tool, there is also ComLog 1.05, available both in Open Source and Pro versions, which is a Command Prompt logger, useful to monitor activities taken by crackers on compromised machines. Sessions are kept in ASCII log files, which can then be centralized with LogAgent.

And finally, what will probably be of the most interest for you, the console, is handled by my most recent tool, LogIDS 1.0, also available in Open Source and Pro versions (Pro contains more features, such as automatic handling of ComLog, Event Viewer or Snort logs), and can best be described as a multi-windowed log monitoring and analysis intrusion detection system. What I mean by "multi-windowed" is that unlike the other "log analysis" software out there, my GUI is not a simple display of log line after log line in one single screen; instead, the GUI is a logical representation of your network map, where each node (be it a machine or a subnet) has its own window where logs relating to this machine get displayed.

LogIDS also comes with intuitive icons that can help visualize the actions reported by the logs even before you actually look at the data, and can emit sounds for alerts and warnings. The cost will also be affordable, and will include licenses for LogAgent as well. The main strength of this tool is that it gains from the strengths of the other security tools deployed in your environment: HID (IntegCheck and ADSScan), Event Viewer, ComLog, supplemental data generated by LogAgent 4.0 Pro, but also the popular NID Snort, personal firewalls like ZoneAlarm or Outpost, and antivirus, just to name a few. I will not make this e-mail any longer describing these tools; to do them real justice I'd almost have to put in the whole doc. But this should be enough to explain the main principles behind these tools and how they can help you (and many others, I hope) in your task. I will publish announcements in the mailing lists when this software is available online, but you can expect it by the end of this week or the beginning of the next. Hope this helps.
Adam Richard, aka Floydman
At 01:17 AM 16/05/2003, Zach Forsyth wrote:
>Hi,
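The "classical HID" that HashGen and IntegCheck are described as in the message above is a hash-based file integrity check: take a baseline of every file's hash, re-hash later, and report what was added, removed or modified. The following is an added example of that mechanism written for this archive; it is not code from LogAgent, HashGen or IntegCheck, and the function names, the JSON baseline format and the HMAC sealing of the baseline are my own assumptions. The sample file tree and the "attacker" changes in `demo()` are constructed inline so the script runs offline.

```python
"""Minimal hash-based host integrity checker: baseline, seal, re-check.

Added example, not code from LogAgent/HashGen/IntegCheck. The on-disk
format, the function names and the HMAC sealing are assumptions.
"""
import hashlib
import hmac
import json
import os
from pathlib import Path

CHUNK = 1 << 16


def hash_file(path: Path) -> str:
    """SHA-256 of the file contents, streamed so large files don't hit memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk root and record hash, size and permission bits for each regular file.

    Keys are paths relative to root, so the same baseline can be compared
    across hosts that share a layout (a fleet of identically built servers).
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # only hash regular files; a dangling link must not abort the run
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Return added / removed / modified relative paths between two baselines.

    A permission change counts as a modification even when the content hash
    is unchanged (e.g. a setuid bit added to an otherwise untouched binary).
    """
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(
        p for p in set(old) & set(new)
        if old[p]["sha256"] != new[p]["sha256"] or old[p]["mode"] != new[p]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def seal(baseline: dict, key: bytes) -> str:
    """Serialise the baseline with an HMAC tag so a tampered baseline is rejected."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag})


def unseal(blob: str, key: bytes) -> dict:
    """Verify the HMAC tag before trusting a stored baseline."""
    doc = json.loads(blob)
    expected = hmac.new(key, doc["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("baseline HMAC mismatch: baseline was altered or wrong key")
    return json.loads(doc["body"])


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    import tempfile
    key = b"example-key-kept-off-host"  # assumption: a real key lives on the console, not the host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        stored = seal(build_baseline(root), key)

        # Simulated intruder activity: trojaned binary, dropped tool, deleted file.
        (root / "bin" / "ls").write_bytes(b"trojaned ls")
        (root / "bin" / "nc").write_bytes(b"dropped tool")
        (root / "etc" / "passwd").unlink()

        return compare(unseal(stored, key), build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The sealing step is the part a low-cost deployment most often skips: a baseline stored unsigned on the monitored host can simply be regenerated by whoever trojaned the binary, so the key (or the baseline itself) belongs on the central console rather than on the host being checked.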
Received on Tue May 20 13:00:18 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:12 EDT