Penetration Testing mailing list archives
Re: [PEN-TEST] Audit package
From: Talisker <Talisker () NETWORKINTRUSION CO UK>
Date: Fri, 29 Sep 2000 23:10:17 +0100
Hiromi

I saw your mail on the pen-test list but I'm not absolutely sure what it is you need.

A Sun Basic Security Module (BSM) page is at
http://docs.sun.com/ab2/coll.47.4/SHIELD/@Ab2PageView/7906?Ab2Lang=C&Ab2Enc=iso-8859-1

there is a guide to audit trail analysis with tools at
http://docs.sun.com/ab2/coll.47.4/SHIELD/@Ab2PageView/idmatch(CH3TRAIL-18308)#CH3TRAIL-18308?Ab2Lang=C&Ab2Enc=iso-8859-1

The USAF sponsored Linux equivalent is at
http://www.netsq.com/Research/LinuxAudit/index.php3
there are loads of links there

Have you seen the Linux BSM site
http://linuxbsm.sourceforge.net/

if you need more info let me know

Andy
http://www.networkintrusion.co.uk/
The IDS List

        '''
       (0 0)
----oOO----(_)----------
|   The geek shall     |
|  Inherit the earth   |
-----------------oOO----
       |__|__|
        || ||
       ooO Ooo

The opinions contained within this transmission are entirely my own, and do not necessarily reflect those of my employer.

----- Original Message -----
From: "Hiromi Yanaoka" <yanaoka () LAC CO JP>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, September 29, 2000 5:58 PM
Subject: Re: [PEN-TEST] Audit package
"Re: [PEN-TEST] Audit package" "Talisker <Talisker () NETWORKINTRUSION CO UK>" wrote:
> There's a description on each and links to the vendor sites on my site
> below
> http://www.networkintrusion.co.uk/ The IDS List

I have checked this well-summarized page of IDS List. My search focus for IDS is which HIDS applies BSM on Solaris. I understand that BSM is a powerful way of detecting and tracing intrusions on the host-base. Yet, it is not widely known for lack of good documentation.

You can also find a list of HIDS from:
http://www.securityfocus.com/templates/tools_category.html?category=17&platform=&path=[%20intrusion%20detection%20][%20host%20]

In addition, there are some good papers such as
http://www.securityfocus.com/focus/ids/articles/idsbsm.html
http://www.ce.chalmers.se/staff/sax/unix-sec-log.pdf
and others...

Since BSM keeps logs at a very low level (system call level) and provides details on what actually an intruder did, BSM is a nice tool for forensic cases as well. Yet, this means also you end up with huge logs which are incomprehensible and unreasonable to trace with human beings' eyes. Therefore, there is no use unless there is a system which interprets to the human readable; as the paper above points out, you need some kind of scripts or something to make BSM more useful. Although BSM includes some utilities, their features are limited. If you want to *analyze* logs, it needs something else.

So, my question leads to which ones are the one that are making BSM more useful. Please forgive me if my question overlaps some of the threads from IDS ML and if this is unrelated for this ML.

From what I have found out so far, those using BSM are as follows (from Talisker's post):

EMERALD
eXpert-BSM
RealSecure Agent
auditGUARD

Since my due for the search is coming up, I have decided to throw a question here.

Thanx. Ciao

--Hiromi
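Hiromi's point that a raw BSM trail is useless until a script reduces it to something readable can be shown with a small parser. This is an added example, not code from either poster: it assumes praudit(1M)'s default one-token-per-line output layout (header, path, subject, return, trailer tokens) and runs over a constructed three-record sample, reducing it to failed events per audit user and to records where the effective uid no longer matches the audit ID.

```python
from collections import defaultdict

# Constructed sample in the style of praudit(1M) output; invented for this example, not a real trail.
SAMPLE = """\
header,89,2,login - local,,Fri Sep 29 23:01:05 2000, + 12 msec
subject,hiromi,hiromi,staff,hiromi,staff,1201,1201,0 0 sol8
return,failure: Permission denied,-1
trailer,89
header,120,2,execve(2),,Fri Sep 29 23:02:11 2000, + 3 msec
path,/usr/bin/su
subject,hiromi,hiromi,staff,hiromi,staff,1203,1202,0 0 sol8
return,success,0
trailer,120
header,124,2,execve(2),,Fri Sep 29 23:02:40 2000, + 9 msec
path,/usr/sbin/useradd
subject,hiromi,root,root,root,root,1204,1202,0 0 sol8
return,failure: Permission denied,-1
trailer,124
"""

def parse_records(text):
    """Group praudit tokens into records: event, time, audit user, effective uid, paths, outcome."""
    records, cur = [], None
    for line in text.splitlines():
        token, _, rest = line.partition(",")
        f = rest.split(",")
        if token == "header":             # a header token opens a new record (fields: size, version, event, modifier, time)
            cur = {"event": f[2], "time": f[4], "paths": [], "ok": None}
            records.append(cur)
        elif token == "path":
            cur["paths"].append(rest)
        elif token == "subject":          # audit ID survives su(1M); the effective uid does not
            cur["audit_user"], cur["euid"] = f[0], f[1]
        elif token == "return":
            cur["ok"] = f[0] == "success"
    return records

def failures_by_user(records):
    """Failed events per audit user: the 'who tried what' summary a raw trail buries."""
    out = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["ok"] is False:
            out[r["audit_user"]][r["event"]] += 1
    return {u: dict(e) for u, e in out.items()}

def privilege_changes(records):
    """Records where the effective uid differs from the audit user, i.e. actions taken after su."""
    return [(r["time"], r["audit_user"], r["euid"], r["event"]) for r in records
            if r["euid"] != r["audit_user"]]
```

Feeding `praudit` output from a real trail through `parse_records` turns thousands of token lines into the two short views above, which is the kind of script the quoted paper calls for.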
Current thread:
- [PEN-TEST] Audit package Michael Graham (Sep 27)
- Re: [PEN-TEST] Audit package Frank Heyne (Sep 27)
- Re: [PEN-TEST] Audit package Peter Rietveld (Sep 27)
- <Possible follow-ups>
- Re: [PEN-TEST] Audit package H Carvey (Sep 27)
- Re: [PEN-TEST] Audit package Talisker (Sep 28)
- Re: [PEN-TEST] Audit package Hiromi Yanaoka (Sep 29)
- Re: [PEN-TEST] Audit package Talisker (Sep 29)
- Re: [PEN-TEST] Audit package Talisker (Sep 28)
- Re: [PEN-TEST] Audit package Richard Hutchinson (Sep 28)
- Re: [PEN-TEST] Audit package Jensen, Greg (Sep 28)
- Re: [PEN-TEST] Audit package H Carvey (Sep 29)
- Re: [PEN-TEST] Audit package Mark Teicher (Sep 29)
- Re: [PEN-TEST] Audit package Talisker (Sep 30)