Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Audit package
From: Talisker <Talisker () NETWORKINTRUSION CO UK>
Date: Thu, 28 Sep 2000 21:12:10 +0100

H Carvey hit the nail on the head with this

However, keep in mind...regardless of what system
you're on, no sort or parsing tool will work if the
information isn't being logged.  For much of what
you're looking for on NT, you need to pay attention not
only to the EventLog settings, but ACLs, as well.

Great point, unfortunately one that can't be repeated enough.
Another tool to throw into the equation is KSE (formerly) CMDS that will
check logs from Solaris, NT, Cisco etc and look for attack signatures.
Moreover, and probably what you were after, you can tag certain users and
follow their activities What (IMHO) sets KSE above some of the other HIDS is
that it passes all logs to the manager and stores them on an SQL database,
any info you want can be gleaned from a simple query.

There is a plethora of commercial HIDS it's worth spending a little time to
find out which one best meets your requirements
Abacus Project
Centrax
EMERALD eXpert-BSM
E-Trust Audit
KSM
Precis   Appshield
CMDS Entercept
Intruder Alert
Nocol
RealSecure Agent  auditGUARD
Dragon Squire
Entercept Web SE
Kane Secure Enterprise KSE
praesidium
Swatch

Theres a description on each and links to the vendor sites on my site below
http://www.networkintrusion.co.uk/ The IDS List
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall        |
  |  Inherit the earth     |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo


The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.





----- Original Message -----
From: "H Carvey" <keydet89 () YAHOO COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Wednesday, September 27, 2000 6:14 PM
Subject: Re: [PEN-TEST] Audit package


I'd like to throw a couple of other tools into the mix,
specifically regarding NT...

NTObjectives  has NTLast, which might also be
useful.

Of course, using Perl is a great answer.  I've written
several scripts that pull the EventLogs from NT
systems...all that needs to be done is the proper
sorting/parsing.

However, keep in mind...regardless of what system
you're on, no sort or parsing tool will work if the
information isn't being logged.  For much of what
you're looking for on NT, you need to pay attention not
only to the EventLog settings, but ACLs, as well.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]