Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Audit package
From: Talisker <Talisker () NETWORKINTRUSION CO UK>
Date: Fri, 29 Sep 2000 23:10:17 +0100

Hiromi

I saw your mail on the pen-test list but I'm not absolutely sure what it is
you need.

A Sun Basic Security Module (BSM) page is at
http://docs.sun.com/ab2/coll.47.4/SHIELD/@Ab2PageView/7906?Ab2Lang=C&Ab2Enc=
iso-8859-1 there is a guide to audit trail analysis

with tools at
http://docs.sun.com/ab2/coll.47.4/SHIELD/@Ab2PageView/idmatch(CH3TRAIL-18308
)#CH3TRAIL-18308?Ab2Lang=C&Ab2Enc=iso-8859-1

The USAF sponsored Linux equivalent is at
http://www.netsq.com/Research/LinuxAudit/index.php3
there are loads of links there

Have you seen the Linux BSM site http://linuxbsm.sourceforge.net/

if you need more info let me know

Andy
http://www.networkintrusion.co.uk/ The IDS List
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall        |
  |  Inherit the earth     |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo


The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.





----- Original Message -----
From: "Hiromi Yanaoka" <yanaoka () LAC CO JP>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, September 29, 2000 5:58 PM
Subject: Re: [PEN-TEST] Audit package


   "Re: [PEN-TEST] Audit package"
   "Talisker <Talisker () NETWORKINTRUSION CO UK>" wrote:

Theres a description on each and links to the vendor sites on my site
below
http://www.networkintrusion.co.uk/ The IDS List

I have checked this well-summarized page of IDS List.

My search focus for IDS is which HIDS applies BSM on Solaris.
I understand that BSM is a powerful way of detecting and tracing
intrusions on the host-base.  Yet, it is not widely known for lack
of good documentation.

You can also find a list of HIDS from:
http://www.securityfocus.com/templates/tools_category.html?
category=17&platform=&path=[%20intrusion%20detection%20][%20host%20]

In addition, there are some good papers such as
http://www.securityfocus.com/focus/ids/articles/idsbsm.html
http://www.ce.chalmers.se/staff/sax/unix-sec-log.pdf
and others...

Since BSM keeps logs at a very low level(system call level) and
provides details on what actually an intruder did, BSM is a
nice tool for forensic cases as well.  Yet, this means also you
end up with huge logs which are incomprehensible and unreasonable
to trace with human beings' eyes.  Therefore, there is no use unless
there is a system which interprets to the human readable as the
paper above points out you need some kind of scripts or something
to make BSM more useful.  Although BSM includes some utilities
their features are limited.  If you want to *analyze* logs, it needs
something else.

So, my question leads to which ones are the one that are making BSM
more useful.  Please forgive me if my question overlaps some of
the threads from IDS ML and if this is unrelated for this ML.

From what I have found out so far, those using BSM are as follows
(from Talisker's post):

EMERALD eXpert-BSM
RealSecure Agent  auditGUARD

#Since my due for the search is coming up, I have decided to
#throw a question here.


Thanx.

Ciao

--Hiromi



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault