Intrusion Detection Systems mailing list archives

Re: DARPA Event Monitoring Enabling Responses to Anomalous Live Disturbances


From: "Talisker" <Talisker () networkintrusion co uk>
Date: Thu, 24 Aug 2000 15:27:02 +0100

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Jim

Anyone have information (besides their Aug 14 press release, of course) on
EMERALD

Just this; it's pretty much verbatim from their site:

EMERALD's eXpert-BSM Monitor is a host-based intrusion detection system that
provides realtime security monitoring for critical application servers and
workstations. eXpert-BSM provides a comprehensive knowledge base for detecting
insider misuse, policy violations, privilege misuse or subversion, illegal
resource manipulation, and other site policy violations for Sun Solaris
operating systems. This component is packaged and distributed as a full
intrusion detection solution, providing data collection, intrusion detection
analysis, an alert management interface, and detailed response directives.
The EMERALD eXpert (pronounced E-expert) is a highly targetable
signature-analysis engine based on the expert system shell P-BEST.  Under
EMERALD's eXpert architecture, event-stream-specific rule sets are
encapsulated within resource objects that are then instantiated with an
EMERALD monitor, and which can then be distributed to an appropriate
observation point in the computing environment.  This enables a spectrum of
configurations from lightweight distributed eXpert signature engines to
heavy-duty centralized host-layer eXpert engines, such as those constructed
for use in eXpert's predecessors, NIDES (Next-Generation Intrusion Detection
Expert System), and MIDAS (Multics Intrusion Detection Alerting System).  In
a given environment, P-BEST-based eXperts may be independently distributed
to analyze the activity of multiple network services (e.g., FTP, SMTP, HTTP)
or network elements (e.g., a router or firewall).  As each EMERALD eXpert is
deployed to its target, it is instantiated with an appropriate resource
object (e.g., an FTP resource object for FTP monitoring), while the eXpert
code base remains independent of the analysis target.

www.networkintrusion.co.uk Listing all known commercial IDS
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall        |
  |  Inherit the earth     |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo


The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.
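The architecture paragraph quoted above describes event-stream-specific rule sets encapsulated in "resource objects" that are instantiated into a generic, target-independent signature engine. The following Python sketch is an added illustration of that pattern and is not EMERALD or P-BEST code from SRI; the event format, rule names, threshold and sample audit events are all constructed for the example.

```python
"""Toy model of the eXpert pattern: one generic engine, instantiated with a
per-event-stream resource object that carries the rules and their state.
Constructed illustration, not SRI's EMERALD implementation or P-BEST syntax."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    """One record from an audit stream (constructed format, not Solaris BSM)."""
    ts: int
    stream: str   # which observation point produced it, e.g. "ftp" or "http"
    user: str
    action: str
    detail: str


@dataclass
class Rule:
    name: str
    # Predicate over (event, shared state) -> alert text, or None if silent.
    check: Callable[[Event, Dict], Optional[str]]


@dataclass
class ResourceObject:
    """Event-stream-specific rule set plus whatever state the rules keep."""
    stream: str
    rules: List[Rule]
    state: Dict = field(default_factory=dict)


class ExpertMonitor:
    """Generic engine: knows nothing about FTP or HTTP, only how to run rules."""

    def __init__(self, resource: ResourceObject):
        self.resource = resource
        self.alerts: List[str] = []

    def consume(self, event: Event) -> List[str]:
        if event.stream != self.resource.stream:
            return []  # not this monitor's observation point; ignore
        fired = []
        for rule in self.resource.rules:
            msg = rule.check(event, self.resource.state)
            if msg:
                fired.append(f"[{rule.name}] {msg}")
        self.alerts.extend(fired)
        return fired


# --- FTP resource object: rules that only make sense for an FTP event stream ---
def ftp_failed_login_rule(event: Event, state: Dict) -> Optional[str]:
    """Fire when one user accumulates 3 or more failed logins (constructed threshold)."""
    fails = state.setdefault("failed_logins", {})
    if event.action == "login" and event.detail == "FAIL":
        n = fails[event.user] = fails.get(event.user, 0) + 1
        if n >= 3:
            return f"{n} failed FTP logins for {event.user}"
    elif event.action == "login" and event.detail == "OK":
        fails.pop(event.user, None)  # a success resets the counter
    return None


def ftp_sensitive_retrieve_rule(event: Event, state: Dict) -> Optional[str]:
    """Site-policy rule: retrieval of a file on the sensitive list."""
    if event.action == "retr" and event.detail in state.get("sensitive_files", ()):
        return f"{event.user} retrieved sensitive file {event.detail}"
    return None


def make_ftp_resource() -> ResourceObject:
    return ResourceObject(
        "ftp",
        [Rule("ftp-bruteforce", ftp_failed_login_rule),
         Rule("ftp-sensitive", ftp_sensitive_retrieve_rule)],
        state={"sensitive_files": {"/etc/shadow"}},
    )


# --- HTTP resource object: a different rule set, same engine ---
def http_traversal_rule(event: Event, state: Dict) -> Optional[str]:
    if event.action == "get" and "../" in event.detail:
        return f"path traversal pattern in request {event.detail}"
    return None


def make_http_resource() -> ResourceObject:
    return ResourceObject("http", [Rule("http-traversal", http_traversal_rule)])


# Constructed sample audit stream mixing both services.
SAMPLE_EVENTS = [
    Event(1, "ftp", "bob", "login", "FAIL"),
    Event(2, "ftp", "bob", "login", "FAIL"),
    Event(3, "ftp", "bob", "login", "FAIL"),
    Event(4, "ftp", "alice", "login", "OK"),
    Event(5, "ftp", "alice", "retr", "/etc/shadow"),
    Event(6, "http", "alice", "get", "/index.html"),
    Event(7, "http", "mallory", "get", "/../../etc/passwd"),
]


def run_monitors(events: List[Event]) -> Dict[str, List[str]]:
    """Deploy one engine per observation point and return alerts per stream."""
    monitors = [ExpertMonitor(make_ftp_resource()), ExpertMonitor(make_http_resource())]
    for ev in events:
        for m in monitors:
            m.consume(ev)
    return {m.resource.stream: m.alerts for m in monitors}


if __name__ == "__main__":
    for stream, alerts in run_monitors(SAMPLE_EVENTS).items():
        print(stream, alerts)
```

The point the sketch makes is the one the paragraph states: `ExpertMonitor` is the same code whether it is deployed against the FTP or the HTTP stream; only the resource object handed to it changes, so a lightweight monitor can be pushed out to each observation point without touching the engine.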
----- Original Message -----
From: "Meritt, Jim" <Jim.Meritt () wang com>
To: "'Ids" <ids () uow edu au>
Sent: Wednesday, August 23, 2000 8:46 PM
Subject: IDS: DARPA Event Monitoring Enabling Responses to Anomalous Live
Disturbances


-----------------------------------------------------------------------------
Anyone have information (besides their Aug 14 press release, of course) on
EMERALD?

Thanks!

_______________________
The opinions expressed above are my own.  The facts simply are and belong
to none.
James W. Meritt, CISSP, CISA
Senior Secure Systems Engineer at Wang Government Services, Inc.