IDS: Re: Host Based IDS


From: Security Group <secgro_at_gmail.com>
Date: Mon, 1 Dec 2008 14:43:29 +0100

Hi,

First of all many thanks for your replies and excuse me for my late response.

Your requests for clarification are justified. I will describe the situation:

We have Windows servers (60+) with custom server applications (self-developed
software) which are in the DMZ.

There is already a network based IDS present based on S-flow packets.

But since the DMZ is the first base on the way-in by any hacker we
want intrusion detection on the machines in the DMZ.

We now have a very simple IDS in place which monitors process starts.
This HIDS will report an alert if an abnormal process start occurs
(i.e. a reverse shell starts cmd.exe in an abnormal fashion).
This is only one simple abnormality check on a host. We are wondering
if there are other host-based IDS which check for abnormal process
starts and much more (file integrity, event log, etc.).

Which HIDS provides abnormality checking (process starts, event
log, file integrity, etc.) on a host best:
OSSEC
Open Source Tripwire
SAMHAIN
OSIRIS
AIDE
Third Brigade Deep Security
Symantec Critical System Protection
IBM Proventia
Enterasys Dragon IDS/IPS
McAfee Total Protection for Endpoint
CA Host-Based Intrusion Prevention System r8
GFI EventsManager
Cisco Security Agent

Btw, are there HIDS that can detect all-in-memory exploits (without the
need of starting a process via the kernel)?

Thank you for your time and advice,
Timo Babel

2008/10/20 Erik Harrison <eharrison_at_gmail.com>:
> how many servers, os variations, what kind of changes are you looking
> to detect? basic file changes are easy, it's the rest of it that's
> complicated and functionality will vary. past that, reporting will be
> important to the managers, execs and if you have a lot of other things
> to manage - to you as well.
>
> what exactly do you want to show them, will you need to back up any
> other responses with relevant data from your org? any other compliance
> or security initiatives in the company that you could support with the
> package or product?
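The two host checks the post asks about (abnormal process starts and file integrity) reduce to comparing live observations against a baseline taken from a known-clean host. The following Python is an added illustration, not code from the post, from any of the listed products, or from Erik Harrison; the process-creation records, the baseline, the file names and the "CustomServer.exe" path are all constructed for the example. Part one flags a child process whose parent is not expected to spawn it (the reverse-shell-starts-cmd.exe case); part two snapshots SHA-256 digests of a directory and reports added, removed and modified files. A parent/child check of this kind only sees a process creation event, so a payload that stays inside the compromised process and never spawns anything would pass it, which is why the file-integrity and event-log checks are worth layering on top.

```python
"""Host-based anomaly checks of the kind the post describes (added example):
(1) abnormal process starts judged against a parent->child baseline,
(2) file-integrity comparison against a SHA-256 baseline.
All data below is constructed for illustration; no product's code."""
import hashlib
import tempfile
from pathlib import Path

# Constructed process-creation records in the spirit of Security 4688 / Sysmon ID 1.
# Fields: time, image, parent image, user, command line. Paths are hypothetical.
SAMPLE_PROCESS_EVENTS = [
    ("2008-12-01T14:01:02", r"C:\App\CustomServer.exe",
     r"C:\Windows\System32\services.exe", "NT AUTHORITY\\SYSTEM", "CustomServer.exe -svc"),
    ("2008-12-01T14:02:10", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\explorer.exe", "DMZ\\admin", "cmd.exe"),
    # The custom server app should never spawn a shell: this is the reverse-shell pattern.
    ("2008-12-01T14:03:33", r"C:\Windows\System32\cmd.exe",
     r"C:\App\CustomServer.exe", "NT AUTHORITY\\SYSTEM", "cmd.exe /c whoami"),
    ("2008-12-01T14:03:34", r"C:\Windows\System32\cmd.exe",
     r"C:\App\CustomServer.exe", "NT AUTHORITY\\SYSTEM", "cmd.exe"),
]

# Baseline learned from a clean host: parent file name -> set of children it may start.
# Any parent not listed, or any child not in its set, is treated as abnormal.
PROCESS_BASELINE = {
    "services.exe": {"customserver.exe"},
    "explorer.exe": {"cmd.exe"},
    "customserver.exe": set(),  # the server application spawns nothing
}


def basename(path):
    """Case-insensitive file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def abnormal_process_starts(events, baseline=PROCESS_BASELINE):
    """Return one alert tuple per event that violates the parent->child baseline."""
    alerts = []
    for time, image, parent, user, cmdline in events:
        child, par = basename(image), basename(parent)
        allowed = baseline.get(par)
        if allowed is None:
            alerts.append((time, "unknown parent", par, child, user, cmdline))
        elif child not in allowed:
            alerts.append((time, "unexpected child", par, child, user, cmdline))
    return alerts


def hash_tree(root):
    """SHA-256 of every regular file under root, keyed by path relative to root."""
    root = Path(root)
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digests[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def integrity_diff(baseline, current):
    """Compare two hash_tree() snapshots; lists are sorted for stable reporting."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo_integrity():
    """Build a throwaway directory, snapshot it, tamper with it, and diff (constructed data)."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "server.exe").write_bytes(b"original binary")
        (Path(d) / "config.ini").write_text("port=443\n")
        baseline = hash_tree(d)
        (Path(d) / "server.exe").write_bytes(b"trojaned binary")  # modified
        (Path(d) / "backdoor.dll").write_bytes(b"new file")       # added
        (Path(d) / "config.ini").unlink()                         # removed
        return integrity_diff(baseline, hash_tree(d))


if __name__ == "__main__":
    for alert in abnormal_process_starts(SAMPLE_PROCESS_EVENTS):
        print("PROCESS ALERT:", alert)
    print("INTEGRITY:", demo_integrity())
```

On a real host the events would come from the Security event log (audit process creation enabled) or a driver-level source, and the baseline is the part that takes work: it has to be built per server role and re-learned after every legitimate deployment, or the file-integrity half in particular drowns the operator in change alerts.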

Received on Dec 01 2008
