Intrusion Detection Systems mailing list archives
Re: Re: DARPA Event Monitoring Enabling Responses to Anomalous Live Disturbances
From: Dragos Ruiu <dr () v-wave com>
Date: Thu, 24 Aug 2000 15:32:17 -0700
On Thu, 24 Aug 2000, Talisker wrote:
> Just this, it's pretty much verbatim from their site
Ok, this is a little bit like unraveling assembler code. Call it Marketing Disassembly Translation.... fortunately here at dursec, we've just finished our inverse marketing droid emulator, and we can just have Beaker feed the original text into the machine...

Binary:
EMERALD's eXpert-BSM Monitor is a host-based intrusion detection system that provides realtime security monitoring for critical application servers and workstations. eXpert-BSM provides comprehensive knowledge-base for detecting insider misuse, policy violations, privilege misuse or subversion, illegal resource manipulation, and other site policy violations for Sun Solaris operating systems.
Source: Solaris HIDS with a ruleset.

Binary:
This component is packaged and distributed as a full intrusion detection solution, providing data collection, intrusion detection analysis, an alert management interface, and detailed response directives.
Source: Scripting, GUI

Binary:
The EMERALD eXpert (pronounced E-expert) is a highly targetable signature-analysis engine based on the expert system shell P-BEST. Under EMERALD's eXpert architecture, event-stream-specific rule sets are encapsulated within resource objects that are then instantiated with an EMERALD monitor, and which can then be distributed to an appropriate observation point in the computing environment. This enables a spectrum of configurations from lightweight distributed eXpert signature engines to heavy-duty centralized host-layer eXpert engines, such as those constructed for use in eXpert's predecessors, NIDES (Next-Generation Intrusion Detection Expert System), and MIDAS (Multics Intrusion Detection Alerting System). In a given environment, P-BEST-based eXperts may be independently distributed to analyze the activity of multiple network services (e.g., FTP, SMTP, HTTP) or network elements (e.g., a router or firewall). As each EMERALD eXpert is deployed to its target, it is instantiated with an appropriate resource object (e.g., an FTP resource object for FTP monitoring), while the eXpert code base remains independent of the analysis target.
Source: OO gobbledy-gookized jargon offal for: you can run different reports and rulesets on different sensors from a db of rules and consolidate reports.

No offense intended... just trying to lighten up your day, security is sooo serious sometimes.... :-)

cheers,
--dr

--
Dragos Ruiu <dr () dursec com> dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D
pgp key: http://www.dursec.com/drkey.asc
Current thread:
- DARPA Event Monitoring Enabling Responses to Anomalous Live Disturbances Meritt, Jim (Aug 24)
- Re: DARPA Event Monitoring Enabling Responses to Anomalous Live Disturbances Keiji Takeda (Aug 24)
- Re: DARPA Event Monitoring Enabling Responses to Anomalous Live Disturbances Talisker (Aug 24)
- Re: Re: DARPA Event Monitoring Enabling Responses to Anomalous Live Disturbances Dragos Ruiu (Aug 25)
- Re: Re: DARPA Event Monitoring Enabling Responses to Anomalous Live Disturbances Talisker (Aug 25)
- Re: Re: DARPA Event Monitoring Enabling Responses to Anomalous Live Disturbances mark.teicher (Aug 25)
