Intrusion Detection Systems mailing list archives

Re: Re: DARPA Event Monitoring Enabling Responses to Anomalous Live Disturbances


From: "Talisker" <Talisker () networkintrusion co uk>
Date: Fri, 25 Aug 2000 11:00:04 +0100

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Dragos
No offense intended... just trying to lighten up your day, security is sooo
serious sometimes.... :-)

None taken. I agree the signal-to-noise ratio on most vendor sites is way
too low; I have tried to address this by including a few salient points on
each product on my site below. However, these are usually cut from the
vendor websites, and it would be unfair to cut one right down and not another.
To be honest, the EMERALD description isn't as bad as some.

I also agree that security can be taken way too seriously; fortunately my
wife keeps reminding me to "Get A Life!!!" On the subject, I'm also looking
for some more computer security cartoons. Any ideas?

Andy
www.networkintrusion.co.uk - Listing all known commercial IDS and a few good
freeware ones too
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall        |
  |  Inherit the earth     |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo


The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.

----- Original Message -----
From: "Dragos Ruiu" <dr () v-wave com>
To: "Dragos Ruiu" <dr () dursec com>; "Talisker"
<Talisker () networkintrusion co uk>; "Meritt, Jim" <Jim.Meritt () wang com>;
"'Ids" <ids () uow edu au>
Sent: Thursday, August 24, 2000 11:32 PM
Subject: Re: IDS: Re: DARPA Event Monitoring Enabling Responses to Anomalous
Live Disturbances


On Thu, 24 Aug 2000, Talisker wrote:

Just this; it's pretty much verbatim from their site.


Ok, this is a little bit like unraveling assembler code.
Call it Marketing Disassembly Translation.... Fortunately,
here at dursec, we've just finished our inverse marketing
droid emulator, and we can just have Beaker feed the
original text into the machine...

Binary:
EMERALD's eXpert-BSM Monitor is a host-based intrusion detection system that
provides realtime security monitoring for critical application servers and
workstations. eXpert-BSM provides a comprehensive knowledge-base for detecting
insider misuse, policy violations, privilege misuse or subversion, illegal
resource manipulation, and other site policy violations for Sun Solaris
operating systems.

Source:
Solaris HIDS with a ruleset.

Binary:
This component is packaged and distributed as a full intrusion detection
solution, providing data collection, intrusion detection analysis, an alert
management interface, and detailed response directives.

Source:
Scripting, GUI


Binary:
The EMERALD eXpert (pronounced E-expert) is a highly targetable
signature-analysis engine based on the expert system shell P-BEST. Under
EMERALD's eXpert architecture, event-stream-specific rule sets are
encapsulated within resource objects that are then instantiated with an
EMERALD monitor, and which can then be distributed to an appropriate
observation point in the computing environment. This enables a spectrum of
configurations from lightweight distributed eXpert signature engines to
heavy-duty centralized host-layer eXpert engines, such as those constructed
for use in eXpert's predecessors, NIDES (Next-Generation Intrusion Detection
Expert System), and MIDAS (Multics Intrusion Detection Alerting System). In
a given environment, P-BEST-based eXperts may be independently distributed
to analyze the activity of multiple network services (e.g., FTP, SMTP, HTTP)
or network elements (e.g., a router or firewall). As each EMERALD eXpert is
deployed to its target, it is instantiated with an appropriate resource
object (e.g., an FTP resource object for FTP monitoring), while the eXpert
code base remains independent of the analysis target.

Source:
OO gobbledygook-ized jargon offal for: you can run different reports and
rulesets on different sensors from a db of rules and consolidate reports.


No offense intended... just trying to lighten up your day, security is sooo
serious sometimes.... :-)

cheers,
--dr

--
Dragos Ruiu <dr () dursec com>     dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E  B7DC 2B71 A73E D2E8 A56D
pgp key: http://www.dursec.com/drkey.asc
