Penetration Testing mailing list archives

Re: [PEN-TEST] Audit package


From: Talisker <Talisker () NETWORKINTRUSION CO UK>
Date: Thu, 28 Sep 2000 21:12:10 +0100

H Carvey hit the nail on the head with this:

However, keep in mind...regardless of what system
you're on, no sort or parsing tool will work if the
information isn't being logged.  For much of what
you're looking for on NT, you need to pay attention not
only to the EventLog settings, but ACLs, as well.

Great point, and unfortunately one that can't be repeated enough.
Another tool to throw into the equation is KSE (formerly CMDS), which will
check logs from Solaris, NT, Cisco etc. and look for attack signatures.
Moreover, and probably what you were after, you can tag certain users and
follow their activities. What (IMHO) sets KSE above some of the other HIDS is
that it passes all logs to the manager and stores them in an SQL database;
any info you want can be gleaned from a simple query.

There is a plethora of commercial HIDS; it's worth spending a little time to
find out which one best meets your requirements:
Abacus Project
Centrax
EMERALD eXpert-BSM
E-Trust Audit
KSM
Precis
Appshield
CMDS Entercept
Intruder Alert
Nocol
RealSecure Agent
auditGUARD
Dragon Squire
Entercept Web SE
Kane Secure Enterprise (KSE)
praesidium
Swatch

There's a description of each and links to the vendor sites on my site below:
http://www.networkintrusion.co.uk/ (The IDS List)
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall        |
  |  Inherit the earth     |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo


The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.





----- Original Message -----
From: "H Carvey" <keydet89 () YAHOO COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Wednesday, September 27, 2000 6:14 PM
Subject: Re: [PEN-TEST] Audit package


I'd like to throw a couple of other tools into the mix,
specifically regarding NT...

NTObjectives has NTLast, which might also be
useful.

Of course, using Perl is a great answer.  I've written
several scripts that pull the EventLogs from NT
systems...all that needs to be done is the proper
sorting/parsing.

However, keep in mind...regardless of what system
you're on, no sort or parsing tool will work if the
information isn't being logged.  For much of what
you're looking for on NT, you need to pay attention not
only to the EventLog settings, but ACLs, as well.
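Both posts above make the same pair of points: once the event records are in a queryable store, following a tagged user or spotting repeated failures is a one-line query, but the query is only as good as the audit policy feeding it. The following is an added example, not code from either poster and not KSE's or NTLast's implementation. It assumes a simplified tab-separated export of NT event records (date, time, log, source, event ID, user, computer, description), a layout chosen for this example rather than that of any particular dump tool, and uses a constructed sample of eight lines. It loads them into SQLite, follows a user across hosts, counts repeated bad-password events (NT Security event 529), and, for the "information isn't being logged" caveat, reports hosts that show up in the export but contributed no Security-log records at all, which is exactly the host where a user search would come back empty for the wrong reason.

```python
import sqlite3

# Constructed sample export (not real log data). Field order is an assumption
# for this example: date, time, log, source, event ID, user, computer, description.
# NTSRV02 deliberately has only Application/System records and no Security events.
SAMPLE_EXPORT = (
    "09/27/2000\t18:02:11\tSecurity\tSecurity\t528\tjsmith\tNTSRV01\tSuccessful Logon\n"
    "09/27/2000\t18:05:40\tSecurity\tSecurity\t560\tjsmith\tNTSRV01\tObject Open: payroll share q3.xls\n"
    "09/27/2000\t18:06:02\tSecurity\tSecurity\t592\tjsmith\tNTSRV01\tA new process has been created: cmd.exe\n"
    "09/27/2000\t18:09:15\tSecurity\tSecurity\t529\tadministrator\tNTSRV01\tLogon Failure: bad password\n"
    "09/27/2000\t18:09:19\tSecurity\tSecurity\t529\tadministrator\tNTSRV01\tLogon Failure: bad password\n"
    "09/27/2000\t18:11:47\tSecurity\tSecurity\t528\tjsmith\tNTSRV03\tSuccessful Logon\n"
    "09/27/2000\t18:30:00\tApplication\tMSSQLServer\t17055\tN/A\tNTSRV02\tService started\n"
    "09/27/2000\t18:31:10\tSystem\tService Control Manager\t7036\tN/A\tNTSRV02\tService entered the running state\n"
)


def parse_export(text):
    """Split export lines into dicts; the US-style date is rewritten as ISO so
    a plain ORDER BY ts gives chronological order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, log, source, event_id, user, computer, desc = line.split("\t", 7)
        month, day, year = date.split("/")
        records.append({
            "ts": f"{year}-{month}-{day} {time}",
            "log": log, "source": source, "event_id": int(event_id),
            "user": user, "computer": computer, "description": desc,
        })
    return records


def load(records):
    """Store parsed records in an in-memory SQLite table; user names compare
    case-insensitively because NT does not preserve case consistently."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (ts TEXT, log TEXT, source TEXT, event_id INTEGER, "
        "user TEXT COLLATE NOCASE, computer TEXT, description TEXT)"
    )
    conn.executemany(
        "INSERT INTO events VALUES (:ts, :log, :source, :event_id, :user, :computer, :description)",
        records,
    )
    return conn


def follow_user(conn, user):
    """Chronological trail of one tagged user across every host in the store."""
    return conn.execute(
        "SELECT ts, computer, event_id, description FROM events "
        "WHERE user = ? ORDER BY ts", (user,)
    ).fetchall()


def repeated_failed_logons(conn, threshold=2):
    """(user, computer, count) for accounts with at least `threshold`
    NT event 529 (bad password) records on the same host."""
    return conn.execute(
        "SELECT user, computer, COUNT(*) AS n FROM events WHERE event_id = 529 "
        "GROUP BY user, computer HAVING n >= ? ORDER BY n DESC", (threshold,)
    ).fetchall()


def hosts_without_security_events(conn):
    """Hosts that appear in the export but sent no Security-log records at all.
    An empty user trail on such a host means auditing is off (or the log is
    unreadable), not that nobody logged on; check the audit policy first."""
    rows = conn.execute(
        "SELECT DISTINCT computer FROM events "
        "EXCEPT SELECT DISTINCT computer FROM events WHERE log = 'Security' "
        "ORDER BY computer"
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = load(parse_export(SAMPLE_EXPORT))
    for row in follow_user(db, "jsmith"):
        print("trail:", row)
    print("repeated failures:", repeated_failed_logons(db))
    print("hosts with no Security events:", hosts_without_security_events(db))
```

The last query is the practical form of Carvey's warning: run it before trusting any "no activity found" result, since a host that is silent in the Security log is far more often one with auditing disabled (or a log the collector's account cannot read) than one nobody touched.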