Intrusion Detection Systems mailing list archives

Re: Computer Misuse and Detection System


From: "Talisker" <Talisker () networkintrusion co uk>
Date: Fri, 1 Sep 2000 12:11:49 +0100

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Jim

CMDS (now KSE) is still owned by ODS, but they have been renamed
Intrusion.com.  URL on my site: http://www.networkintrusion.co.uk/hids/

My thoughts on it are:

Overview

I have been evaluating this product extensively for the last few months, and
I love it (mostly)!  CMDS is a host based IDS from Intrusion.com (formerly
ODS).  It collects event and syslogs from NT4.0, Solaris, Cisco routers,
NetRanger, RealSecure and Checkpoint FW-1; they reckon to be able to collect
log data from any source, however I didn't try that.  This data is not only
for bog standard security events but also for attack signatures across
multiple logs; these are then classed according to their severity and
displayed.

CMDS is highly configurable, the attack signatures can be written/altered
within CLIPS, no real programming skills are required for this, I found "cut
& plagiarise" to be the best solution.  IMHO one of the best features is its
recognition of events.  eg if an application passes information to an event
log that CMDS doesn't recognise, it passes it to the screen.  WAIT, I know
what you're thinking, masses of false positives.  Fortunately CMDS stores
them all on an MS SQL database, all new events are given a severity of 3;
after you assess the event, if it's nothing to worry about reduce it to 2 ie
below the threshold with a simple SQL query; however, if it is important eg
your antivirus product has detected a virus, you can raise the severity.
What this means is that CMDS misses nothing that you don't want it to.  These
new events can be combined into an attack signature if you wish.  In those
first few weeks though, whilst it's learning you do have your work cut out,
approx 1 hour per day.

It's easy to install, the basic product and agent installation takes just a
few minutes.  The product upgrades are a little rough and need some TLC to
get them working.  The manager/database installation has a few minor
security niggles, ie you have to be logged on as Administrator (has anyone
not renamed this account) and for the SQL to run it has to run on the system
account, rather than a lower privileged user account.

Connections from the agent to the manager are at ports above 14000; I would
prefer to see this fixed to a few definite ports to make firewall
configuration easier.

Event logs are collected at the agent, compressed by a factor of 20 and sent
to the manager at intervals configurable between 1 minute and 15.  This can
be extended to send say once a day if you wish.  The downside of this is
that the local log is not retained in an easily readable form on the host;
this is going to be addressed on a subsequent release.  Alternatively you
may be able to make use of MS SQL's live html output feature whereby as
the database receives events a web page is updated with the information.
The system administrator of the concerned network can be given access to his
data through a secured view.

The agent cannot be installed on the manager and database.  A security tool
that cannot protect itself is inexcusable.

There is no heartbeat to alert to the failure of the agent on the host.
Again this is being looked at by Intrusion.
www.networkintrusion.co.uk Listing all known commercial IDS
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall        |
  |  Inherit the earth     |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo


The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.
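The review's handling of unrecognised events (store everything, give new event types a default severity of 3 at the display threshold, then let the analyst lower or raise that severity with a plain SQL UPDATE) is a useful pattern for any host log collector, so here is a small model of it. This is an added illustration, not CMDS code or anything from Intrusion.com: the table layout, the event names, the `SOURCE EVENTID message` line format and the sample log lines are all constructed for the example, and sqlite3 stands in for the MS SQL database the review mentions so that it runs offline.

```python
"""Triage model for 'unknown' host events: nothing the manager fails to
recognise is dropped; it is registered with a default severity that sits at
the display threshold, shown to the operator, and re-rated after review.

Constructed example (not CMDS code): schema, event names, log format and
sample lines are all assumptions made for this illustration.
"""
import re
import sqlite3

DISPLAY_THRESHOLD = 3         # severity >= 3 is shown on the console
DEFAULT_UNKNOWN_SEVERITY = 3  # unknown types start AT the threshold, so they are seen

# Constructed sample lines in an NT-style "SOURCE EVENTID message" shape.
SAMPLE_LOG = """\
Security 529 Logon failure: unknown user name or bad password
Security 529 Logon failure: unknown user name or bad password
Security 529 Logon failure: unknown user name or bad password
Security 528 Successful logon
AVScanner 4001 Virus detected in C:\\temp\\setup.exe
Backup 9 Nightly backup completed
Backup 9 Nightly backup completed
"""

# Event types the manager "ships with" (constructed): (source, id) -> (name, severity).
KNOWN_EVENTS = {
    ("Security", "529"): ("nt_logon_failure", 2),
    ("Security", "528"): ("nt_logon_success", 1),
}

LINE_RE = re.compile(r"^(?P<source>\S+)\s+(?P<event_id>\d+)\s+(?P<message>.*)$")


def open_db():
    """Create the per-type severity table and the event store (in memory)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE event_type (
                      source TEXT, event_id TEXT, name TEXT, severity INTEGER,
                      PRIMARY KEY (source, event_id))""")
    db.execute("""CREATE TABLE event (
                      id INTEGER PRIMARY KEY, source TEXT, event_id TEXT, message TEXT)""")
    for (src, eid), (name, sev) in KNOWN_EVENTS.items():
        db.execute("INSERT INTO event_type VALUES (?, ?, ?, ?)", (src, eid, name, sev))
    return db


def ingest(db, log_text):
    """Store every parsable line. A (source, event_id) pair not yet in
    event_type is registered at the default severity so it surfaces for review."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped rather than guessed at
        src, eid, msg = m.group("source", "event_id", "message")
        db.execute(
            "INSERT OR IGNORE INTO event_type VALUES (?, ?, ?, ?)",
            (src, eid, f"unknown_{src.lower()}_{eid}", DEFAULT_UNKNOWN_SEVERITY),
        )
        db.execute("INSERT INTO event (source, event_id, message) VALUES (?, ?, ?)",
                   (src, eid, msg))
    db.commit()


def set_severity(db, source, event_id, severity):
    """The analyst's 'simple SQL query': re-rate one event type after review."""
    db.execute("UPDATE event_type SET severity = ? WHERE source = ? AND event_id = ?",
               (severity, source, event_id))
    db.commit()


def displayed(db):
    """What the console shows: (name, severity, count) for each type at or
    above the threshold, highest severity first."""
    rows = db.execute("""
        SELECT t.name, t.severity, COUNT(e.id)
          FROM event_type t JOIN event e
            ON e.source = t.source AND e.event_id = t.event_id
         WHERE t.severity >= ?
         GROUP BY t.name, t.severity
         ORDER BY t.severity DESC, t.name""", (DISPLAY_THRESHOLD,)).fetchall()
    return [(name, sev, n) for name, sev, n in rows]


def demo():
    """Ingest the sample log, then apply two analyst decisions."""
    db = open_db()
    ingest(db, SAMPLE_LOG)
    before = displayed(db)                    # both unknown types shown at severity 3
    set_severity(db, "Backup", "9", 2)        # reviewed: routine, drop below threshold
    set_severity(db, "AVScanner", "4001", 5)  # reviewed: important, raise it
    after = displayed(db)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tuning:", before)
    print("after tuning: ", after)
```

The point of the design is that the default for an unrecognised type is visible, not silent: the operator's first weeks are spent demoting noise (the backup messages) and promoting things that matter (the antivirus hit), which matches the "approx 1 hour per day" of tuning the review describes. The known logon-failure type stays at severity 2 here; escalating repeated failures is a correlation rule rather than a per-type severity and is not modelled.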





----- Original Message -----
From: "Meritt, Jim" <Jim.Meritt () wang com>
To: <ids () uow edu au>
Sent: Thursday, August 31, 2000 6:15 PM
Subject: IDS: Computer Misuse and Detection System


I'm looking for information concerning the current status of the Computer
Misuse and Detection System (CMDS), especially who owns it now (I understand
the system has been bought a couple of times since I last went into it in
depth) and who has done any reviews on it?

Please respond as soon as possible.  I was just handed a "RUSH" thingy out
of the blue and I immediately thought of this knowledgeable group!

Thanks!

Jim

_______________________
The opinions expressed above are my own.  The facts simply are and belong to
none.
James W. Meritt, CISSP, CISA
Senior Secure Systems Engineer at Wang Government Services, Inc.



