IDS mailing list archives

Re: HIDS for logon authentication

From: harald () deppeler org
Date: Sat, 22 May 2004 10:34:12 +0200

Hi 

I'm actually in the process of trying to implement a host-based IDS
that can monitor and alarm on remote logons on Solaris 8 (and other
operating systems). Basically, it imposes a second login for remote
ptys.
It's still beta but it seems to work ... ;-)

Have a look at http://sid.sourceforge.net/

Cheers - Harry

On Fri, May 21, 2004 at 01:28:36PM +0100, Joe Dauncey wrote:

Hi,

I am looking for a Host-Based IDS that can monitor and alarm on remote logons on Solaris 8.

I've looked at both ISS Server Sensor and Cisco Security Agent, but it currently seems that in order to look at 
people logging onto the system remotely via SSH I will have to design custom signatures/monitors that will read 
syslog output from SSH. In the case of ISS Server Sensor, it will only capture logons via the Trusted Computing Base 
(TCB) but since we use SSH as an add-on, it's not included. We'd have to force users to use telnet in order to 
capture the logons (not an option!). CSA is similar - it requires something custom to act on the syslog.

If this was all I wanted to do than I would probably looking at something like secure syslog, or a similar 
log-parsing tool, but we really want the other HIDS functionality as well, and I am keen to avoid having to write 
custom scripts.

The primary requirement is to be able to create alarms based on people logging onto the system, and failing to logon. 
However, we still want some other HIDS functionality.

I was taking it for granted that most HIDS would be able to detect and alarm on logons, but it seems I was wrong :-(

Any feedback would be greatly appreciated.

Thanks,
Joe
-- 

Joe Dauncey

---------------------------------------------------------------------------

---------------------------------------------------------------------------


---------------------------------------------------------------------------

---------------------------------------------------------------------------

Current thread:

HIDS for logon authentication Joe Dauncey (May 21)
- Re: HIDS for logon authentication Skip Carter (May 22)
- Re: HIDS for logon authentication Sam Stover (May 22)
- Re: HIDS for logon authentication harald (May 22)
- RE: HIDS for logon authentication Jason J. W. Williams (May 22)
- <Possible follow-ups>
- Re: HIDS for logon authentication Drew Simonis (May 23)