Re: Re: DARPA Event Monitoring Enabling Responses to Anomalous Live Disturbances

[<mark.teicher () networkice com>]

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------

A life??  What is that???

On Fri, 25 Aug 2000, Talisker wrote:

> Archive: http://msgs.securepoint.com/ids
> FAQ: http://www.ticm.com/kb/faq/idsfaq.html
> IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
> HELP: Having problems... email questions to ids-owner () uow edu au
> NOTE: Remove this section from reply msgs otherwise the msg will bounce.
> SPAM: DO NOT send unsolicted mail to this list.
> UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
> -----------------------------------------------------------------------------
> Dragos
> > No offense intended... just trying to lighten up your day, security is sooo
> > serious sometimes.... :-)
>
> None taken, I agree the signal to noise ratio on most vendor sites is way
> too low, I have tried to address this by including a few salient points on
> each product on my site below, however, these are usually cut from the
> vendor websites.  It would be unfair to cut one right down and not another.
> To be honest, the EMERALD description isn't as bad as some.
>
> I also agree that security can be taken way too seriously, fortunately my
> wife keeps reminding me to "Get A Life!!!"  On the subject I'm also looking
> for some more computer security cartoons, any ideas?
>
> Andy
> www.networkintrusion.co.uk  Listing all known commercial IDS and a few good
> freeware ones too
>                     '''
>                  (0 0)
>   ----oOO----(_)----------
>   | The geek shall        |
>   |  Inherit the earth     |
>   -----------------oOO----
>                |__|__|
>                   || ||
>               ooO Ooo
>
>
> The opinions contained within this transmission are entirely my own, and do
> not necessarily reflect those of my employer.
>
> ----- Original Message -----
> From: "Dragos Ruiu" <dr () v-wave com>
> To: "Dragos Ruiu" <dr () dursec com>; "Talisker"
> <Talisker () networkintrusion co uk>; "Meritt, Jim" <Jim.Meritt () wang com>;
> "'Ids" <ids () uow edu au>
> Sent: Thursday, August 24, 2000 11:32 PM
> Subject: Re: IDS: Re: DARPA Event Monitoring Enabling Responses to Anomalous
> Live Disturbances
>
>
> > On Thu, 24 Aug 2000, Talisker wrote:
> > > Just this it's pretty much verbatim from their site
> >
> > Ok this is a little bit like unraveling assembler code.
> > Call it Marketing Dissasembly Translation.... fortunately
> > here at dursec, we've just finished our inverse marketing
> > droid emulator, and we can just have Beaker feed the
> > original text into the machine...
> >
> > Binary:
> > > EMERALD's eXpert-BSM Monitor is a host-based intrusion detection system
> that
> > > provides realtime security monitoring for critical application servers
> and
> > > workstations. eXpert-BSM provides comprehensive knowledge-base for
> detecting
> > > insider misuse, policy violations, privilege misuse or subversion,
> illegal
> > > resource manipulation, and other site policy violations for Sun Solaris
> > > operating systems.
> >
> > Source:
> > Solaris HIDS with a ruleset.
> >
> > Binary:
> > > This component is packaged and distributed as a full
> > > intrusion detection solution, providing data collection, intrusion
> detection
> > > analysis, an alert management interface, and detailed response
> directives.
> > Source:
> > Scripting, GUI
> >
> >
> > Binary:
> > > The EMERALD eXpert (pronounced E-expert) is a highly targetable
> > > signature-analysis engine based on the expert system shell P-BEST.
> Under
> > > EMERALD's eXpert architecture, event-stream-specific rule sets are
> > > encapsulated within resource objects that are then instantiated with an
> > > EMERALD monitor, and which can then be distributed to an appropriate
> > > observation point in the computing environment.  This enables a spectrum
> of
> > > configurations from lightweight distributed eXpert signature engines to
> > > heavy-duty centralized host-layer eXpert engines, such as those
> constructed
> > > for use in eXpert's predecessors, NIDES (Next-Generation Intrusion
> Detection
> > > Expert System), and MIDAS (Multics Intrusion Detection Alerting System).
> In
> > > a given environment, P-BEST-based eXperts may be independently
> distributed
> > > to analyze the activity of multiple network services (e.g., FTP, SMTP,
> HTTP)
> > > or network elements (e.g., a router or firewall).  As each EMERALD
> eXpert is
> > > deployed to its target, it is instantiated with an appropriate resource
> > > object (e.g., an FTP resource object for FTP monitoring), while the
> eXpert
> > > code base remains independent of the analysis target.
> >
> > Source:
> > OO gobbledy gookized jargon offal for: you can run different reports and
> > rulesets on different sensors from a db of rules and consolidate reports.
> >
> >
> > No offense intended... just trying to lighten up your day, security is
> sooo
> > serious sometimes.... :-)
> >
> > cheers,
> > --dr
> >
> > --
> > Dragos Ruiu <dr () dursec com>     dursec.com ltd. / kyx.net - we're from the
> future
> > pgp fingerprint: 18C7 E37C 2F94 E251 F18E  B7DC 2B71 A73E D2E8 A56D
> > pgp key: http://www.dursec.com/drkey.asc