Network Security Focus-IDS

Re: Need some information on HIDS!

Subject: Re: Need some information on HIDS!
Date: Mon, 28 Feb 2005 13:48:48 -0500
Hello. I have already invoked such a scenario in some of my previous IDS work/articles. What I had in mind is something like encrypting the whole network traffic, to prevent sniffing from intruders (let's say wall-to-wall SSH, for example). In such an environment, if you still wanted to keep some NIDS capabilities, you'd actually have to install NIDS software (Snort comes to mind) on every host on the network, in non-promiscuous mode (since sniffing the rest of the network traffic is useless, since it is encrypted).

I had the opportunity to discuss this possibility with Allan Paller of SANS and with Eugene Schultz last year during the Seguridad en Computo conference in Mexico, and they agreed with me that theoretically and technically, this should be working. However, in practice, they oversaw the chance that the volume of logs to analyze would simply be too enormous to be analyzed, even with the aid of specialized software.

The log management problematic raised in my mind long before I was playing with such ideas as host-based NIDS, and I think that these problems can be overridden with real-time and distributed log analysis, coupled with the rest of the security measures present on the network. That's one of the reasons that led me to develop LogAgent, LogIDS and LogMonitor, a set of agents and consoles for monitoring, analysing and displaying logs. I also made a bunch of other HIDS tools. They can be downloaded at http://securit.iquebec.com/ (the website may be slow, I'm working on improving these conditions soon).

I don't know if this is what you had in mind, but I'd like to hear what other people may think about this topic.

Adam Richard, aka Floydman
SecurIT Informatique Inc.

At 03:51 AM 25/02/2005, peng xuena wrote:

hi, all:

Recently, I am interested in host-based IDS and want to design a host-based network traffic monitoring system which monitors the network traffic of the local host. I wonder if there is already any such system. Can all of you give me some suggestions on this?

Thanks a lot!
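The reply above argues that a sensor on every host (non-promiscuous, because the wire is encrypted) is workable only if the per-host alert volume is reduced before it reaches a central console. The following is an added example written for this page, not code from the thread and not LogAgent, LogIDS or LogMonitor: an agent-side step that parses Snort-style "fast" alert lines from one host, collapses repeats of the same (signature, source, destination) inside a time window into a single counted record, and forwards the highest-priority lines untouched. The SIDs, addresses, messages and timestamps are constructed sample values; the year supplied to the parser is an assumption, since the fast format carries none.

```python
"""Agent-side alert aggregation for a per-host NIDS deployment.

Added example, not code from the thread or from LogAgent/LogIDS: every host
runs its own sensor in non-promiscuous mode and emits its own alert stream,
so the agent collapses repeats before forwarding. Lines follow the Snort
"fast" alert layout; SIDs, addresses and messages are constructed samples.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Snort-style fast alert: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: n] {proto} src:port -> dst:port"
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


@dataclass
class Alert:
    ts: datetime
    sid: str
    msg: str
    prio: int
    src: str
    dst: str
    raw: str


@dataclass
class Summary:
    sid: str
    msg: str
    src: str
    dst: str
    count: int
    first: datetime
    last: datetime


def parse_fast_alert(line: str, year: int = 2005) -> Alert | None:
    """Parse one fast-alert line; the format has no year, so one is assumed."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f").replace(year=year)
    return Alert(ts, m["sid"], m["msg"], int(m["prio"]), m["src"], m["dst"], line.strip())


def aggregate(lines, window: timedelta = timedelta(seconds=60), forward_prio: int = 1):
    """Collapse repeated (sid, src, dst) alerts seen within `window` of the group's first hit.

    Returns (summaries sorted by first hit, raw lines forwarded unchanged because
    their priority is at or above `forward_prio`, number of unparsed lines).
    """
    open_groups: dict[tuple[str, str, str], Summary] = {}
    closed: list[Summary] = []
    forwarded: list[str] = []
    unparsed = 0
    for line in lines:
        a = parse_fast_alert(line)
        if a is None:
            unparsed += 1           # counted, so silent parser drift stays visible
            continue
        if a.prio <= forward_prio:  # Snort priority 1 is the most severe
            forwarded.append(a.raw)
            continue
        key = (a.sid, a.src, a.dst)
        g = open_groups.get(key)
        if g is not None and a.ts - g.first < window:
            g.count += 1
            g.last = a.ts
            continue
        if g is not None:
            closed.append(g)        # window exhausted: emit and start a fresh group
        open_groups[key] = Summary(a.sid, a.msg, a.src, a.dst, 1, a.ts, a.ts)
    closed.extend(open_groups.values())
    closed.sort(key=lambda s: (s.first, s.sid))
    return closed, forwarded, unparsed


def render(s: Summary) -> str:
    """One console line per group, the form a central console would receive."""
    return (f"{s.first:%m/%d-%H:%M:%S} .. {s.last:%H:%M:%S} x{s.count} "
            f"[sid {s.sid}] {s.msg} {s.src} -> {s.dst}")


# Constructed sample stream from one host's sensor (SIDs in the local rule range).
SAMPLE_ALERTS = [
    "02/28-13:48:48.100000  [**] [1:1000001:1] LOCAL SCAN repeated SSH connection attempts [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:4123 -> 10.0.0.9:22",
    "02/28-13:48:50.200000  [**] [1:1000001:1] LOCAL SCAN repeated SSH connection attempts [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:4124 -> 10.0.0.9:22",
    "02/28-13:49:05.300000  [**] [1:1000002:1] LOCAL WEB unusual request rate to local HTTP service [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.7:51000 -> 10.0.0.9:80",
    "02/28-13:49:10.400000  [**] [1:1000001:1] LOCAL SCAN repeated SSH connection attempts [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:4125 -> 10.0.0.9:22",
    "02/28-13:49:30.500000  [**] [1:1000003:1] LOCAL POLICY unexpected outbound SMTP from workstation [**] [Priority: 1] {TCP} 10.0.0.9:40000 -> 192.0.2.10:25",
    "this line is not an alert and must be counted, not silently dropped",
    "02/28-13:51:00.600000  [**] [1:1000001:1] LOCAL SCAN repeated SSH connection attempts [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:4126 -> 10.0.0.9:22",
]

if __name__ == "__main__":
    summaries, forwarded, bad = aggregate(SAMPLE_ALERTS)
    for raw in forwarded:
        print("FORWARD", raw)
    for s in summaries:
        print(render(s))
    print(f"{len(SAMPLE_ALERTS)} lines in -> {len(summaries) + len(forwarded)} records out, {bad} unparsed")
```

On the constructed stream, seven input lines become four records: the three SSH alerts inside one minute collapse into a single count-3 summary, the fourth SSH alert two minutes later opens a new group, the priority-1 policy alert is forwarded verbatim, and the unparsable line is reported as a count rather than lost. The window is keyed to the group's first hit so a slow, steady repeat cannot hold a group open indefinitely; the trade-off is that the central console sees a summary only once the window closes or the agent flushes.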


-------------------------------------------------------------------------- Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------

_____________________________________________________________________

Envie de discuter gratuitement avec vos amis ?
Téléchargez Yahoo! Messenger http://yahoo.ifrance.com



--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 266.5.1 - Release Date: 27/02/2005


--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 266.5.1 - Release Date: 27/02/2005



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------



<Prev in Thread] Current Thread [Next in Thread>