IDS mailing list archives

RE: HIDS for logon authentication


From: "Jason J. W. Williams" <williamsjj-subs () digitarx com>
Date: Sat, 22 May 2004 14:50:08 -0600

Mr. Dauncey,

        You might want to take a look at Entercept from McAfee. It looks
like a very full-featured HIDS and they have a Solaris agent.

Best Regards,
Jason J. W. Williams

-----Original Message-----
From: Joe Dauncey [mailto:secdistlist () dauncey net] 
Sent: Friday, May 21, 2004 6:29 AM
To: focus-ids () securityfocus com
Subject: HIDS for logon authentication

Hi,

I am looking for a Host-Based IDS that can monitor and alarm on remote
logons on Solaris 8.

I've looked at both ISS Server Sensor and Cisco Security Agent, but it
currently seems that in order to look at people logging onto the system
remotely via SSH I will have to design custom signatures/monitors that will
read syslog output from SSH. In the case of ISS Server Sensor, it will only
capture logons via the Trusted Computing Base (TCB) but since we use SSH as
an add-on, it's not included. We'd have to force users to use telnet in
order to capture the logons (not an option!). CSA is similar - it requires
something custom to act on the syslog.

If this were all I wanted to do then I would probably be looking at something
like secure syslog, or a similar log-parsing tool, but we really want the
other HIDS functionality as well, and I am keen to avoid having to write
custom scripts.

The primary requirement is to be able to create alarms based on people
logging onto the system, and failing to logon. However, we still want some
other HIDS functionality.

I was taking it for granted that most HIDS would be able to detect and alarm
on logons, but it seems I was wrong :-(

Any feedback would be greatly appreciated.

Thanks,
Joe
-- 

Joe Dauncey
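The fallback Joe describes above, alarming on SSH logons and logon failures by parsing the syslog output that sshd writes, as an added example. This code is not from the original thread and is not part of any of the products named in it. It assumes OpenSSH-style "Accepted <method> for <user> from <ip> port <n>" and "Failed <method> for [illegal|invalid user] <user> from <ip> port <n>" message formats and an optional Solaris "[ID nnn facility.level]" syslog tag; the sample log lines, the hostname sol8, the addresses and the user names are constructed for the example.

```python
"""Alarm on SSH logons and logon failures by parsing sshd syslog lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Line shapes are assumptions for this example: BSD syslog header, an optional
# Solaris "[ID nnn facility.level]" tag, then the OpenSSH authentication message.
# Check them against the sshd build and syslogd on the host you monitor.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?:\[ID \d+ [\w.]+\] )?(?P<msg>.*)$")
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FAILED_RE = re.compile(
    r"^Failed (?P<method>\S+) for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")


def parse_line(line, year=2004):
    """Return an event dict for an sshd Accepted/Failed line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # BSD syslog timestamps carry no year; the caller supplies one.
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    for outcome, pat in (("accepted", ACCEPTED_RE), ("failed", FAILED_RE)):
        a = pat.match(m["msg"])
        if a:
            return {"ts": ts, "host": m["host"], "outcome": outcome,
                    "user": a["user"], "ip": a["ip"], "method": a["method"]}
    return None  # e.g. "Connection closed by ..." is not an authentication event


class LogonMonitor:
    """Turn sshd logon events into alarms, with a per-source failure window."""

    def __init__(self, fail_threshold=3, window_seconds=300, watched_users=("root",)):
        self.threshold = fail_threshold
        self.window = window_seconds
        self.watched = set(watched_users)
        self.failures = defaultdict(deque)  # source ip -> timestamps of recent failures

    def _recent_failures(self, ip, now):
        q = self.failures[ip]
        while q and (now - q[0]).total_seconds() > self.window:
            q.popleft()
        return q

    def feed(self, line):
        """Process one syslog line; return a list of (severity, message) alarms."""
        ev = parse_line(line)
        if ev is None:
            return []
        alarms = []
        where = "%s@%s from %s (%s)" % (ev["user"], ev["host"], ev["ip"], ev["method"])
        q = self._recent_failures(ev["ip"], ev["ts"])
        if ev["outcome"] == "accepted":
            # Every remote logon raises an alarm; watched accounts are escalated.
            sev = "HIGH" if ev["user"] in self.watched else "INFO"
            alarms.append((sev, "logon: " + where))
            if len(q) >= self.threshold:
                alarms.append(("HIGH", "logon after %d recent failures: %s" % (len(q), where)))
        else:
            q.append(ev["ts"])
            alarms.append(("WARN", "failed logon: " + where))
            if len(q) == self.threshold:  # alarm once when the threshold is crossed
                alarms.append(("HIGH", "%d failures from %s within %ds"
                               % (len(q), ev["ip"], self.window)))
        return alarms


def run_monitor(lines, **kw):
    """Feed every line to a fresh monitor and collect the alarms."""
    mon = LogonMonitor(**kw)
    alarms = []
    for line in lines:
        alarms.extend(mon.feed(line))
    return alarms


# Constructed sample syslog output (not captured from a real host).
SAMPLE_LOG = """\
May 21 06:29:01 sol8 sshd[2031]: Accepted publickey for joe from 10.1.2.3 port 51234 ssh2
May 21 06:31:10 sol8 sshd[2044]: Failed password for illegal user admin from 192.0.2.9 port 4001 ssh2
May 21 06:31:12 sol8 sshd[2044]: Failed password for illegal user admin from 192.0.2.9 port 4001 ssh2
May 21 06:31:15 sol8 sshd[2044]: Failed password for root from 192.0.2.9 port 4002 ssh2
May 21 06:31:20 sol8 sshd[2051]: Accepted password for root from 192.0.2.9 port 4003 ssh2
May 21 06:40:00 sol8 sshd[2060]: Connection closed by 10.1.2.3
May 21 07:10:00 sol8 sshd[2071]: [ID 800047 auth.info] Failed password for joe from 10.1.2.3 port 51300 ssh2
"""

if __name__ == "__main__":
    for sev, msg in run_monitor(SAMPLE_LOG.splitlines()):
        print(sev, msg)
```

The failure counter fires once, when the per-source count reaches the threshold inside the window, rather than on every subsequent failure, and a successful logon that follows a burst of failures from the same address is escalated separately from the plain logon alarm. In production the lines would come from a tail of the syslog file or a syslog receiver rather than an embedded string, and the alarms would go to whatever console the rest of the HIDS reports to.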
