Penetration Testing mailing list archives
Re: [PEN-TEST] Audit package
From: Talisker <Talisker () NETWORKINTRUSION CO UK>
Date: Fri, 29 Sep 2000 19:36:13 +0100
Carv
> CMDS uses an expert system to perform statistical profiling by user or IP. This allows thresholds for behavior to be set... so that over time, thresholds can be minimized, and only statistically significant events will cause alarms.
It does a little more than that. Yes, the profiling does seem to work, e.g. I had a report that user A triggered an alert and was out of profile; upon investigation I discovered that she had just been given administrator rights. I thought that was pretty cool, but the stat profiling is not its strength; it applies attack signatures to the sys/event logs, and that is what gives the good results. However, the tool is not perfect. This is a rough write-up from a while ago:

++++++++++++++++++++++++++

Computer Misuse Detection System (KSE)
The Good, the Ugly and the Bad

Overview

I have been evaluating this product extensively for the last few months, and I love it! CMDS is a host-based IDS from Intrusion.com (formerly ODS). It collects event and syslogs from NT 4.0, Solaris, Cisco routers, NetRanger, RealSecure and Checkpoint FW-1; they reckon to be able to collect log data from any source, however I didn't try that. This data is not only for bog-standard security events but also for attack signatures across multiple logs; these are then classed according to their severity and displayed.

CMDS is highly configurable: the attack signatures can be written/altered within CLIPS. No real programming skills are required for this; I found "cut & plagiarise" to be the best solution.

IMHO one of the best features is its recognition of events, e.g. if an application passes information to an event log that CMDS doesn't recognise, it passes it to the screen. WAIT, I know what you're thinking: masses of false positives. Fortunately CMDS stores them all in an MS SQL database. All new events are given a severity of 3; after you assess the event, if it's nothing to worry about, reduce it to 2, i.e. below the threshold, with a simple SQL query. However, if it is important, e.g. your antivirus product has detected a virus, you can raise the severity. What this means is that CMDS misses nothing that you don't want it to. These new events can be combined into an attack signature if you wish.
In those first few weeks, though, whilst it's learning you do have your work cut out: approx. 1 hour per day.

It's easy to install; the basic product and agent installation takes just a few minutes. The product upgrades are a little rough and need some TLC to get them working. The manager/database installation has a few minor security niggles, i.e. you have to be logged on as Administrator (has anyone not renamed this account?) and for the SQL to run it has to run on the system account, rather than a lower-privileged user account. Connections from the agent to the manager are at ports above 14000; I would prefer to see this fixed to a few definite ports to make firewall configuration easier.

Event logs are collected at the agent, compressed by a factor of 20 and sent to the manager at intervals configurable between 1 minute and 15. This can be extended to send, say, once a day if you wish. The downside of this is that the local log is not retained in an easily readable form on the host; this is going to be addressed in a subsequent release. Alternatively you may be able to make use of MS SQL's live HTML output feature, whereby as the database receives events a web page is updated with the information. The system administrator of the concerned network can be given access to his data through a secured view.

The agent cannot be installed on the manager and database. A security tool that cannot protect itself is inexcusable. There is no heartbeat to alert to the failure of the agent on the host. Again this is being looked at by Intrusion.