Re: [ISN] Linux snares security tool

From: InfoSec News (isnat_private)
Date: Fri Nov 09 2001 - 00:57:46 PST


    Forwarded from: security curmudgeon <jerichoat_private>
    cc: nicole.bellamyat_private, errata submission <errataat_private>
    > By Nicole Bellamy
    > ZDNet Australia 
    > November 6, 2001 5:46 PM PT
    > InterSect Alliance says it has developed the first integrated security
    > auditing and event logging subsystem for the open source Linux operating
    > system, beating much larger organizations to the punch. 
    Unless there is more to it, this claim is completely wrong.
    Hell, one could argue that "syslog" matches this description since it
    will log audit related events.
    > According to Leigh Purdie, director and principal security
    > consultant, this is the first release of code for a host-based
    > intrusion detection system, although there have been inroads made
    > into the development of source code to address network-based
    > intrusion detection.
    Oh, so now it's an IDS for Linux, and the first?
    So I guess LIDS ( doesn't count?
    And of course Marty over at Snort must be horribly disappointed by
    this revelation. (
    And damn, the folks from Tripwire must be sawing at their wrists too.
    Tripwire was opensource and running on Linux when.. 1992 or 1993?
    Side note:
    I have been told that the cluebag journalist Nicole Bellamy actually
    had the nerve to say that her "experts" told her this load of shit,
    despite this whole article reading like a press release. If true, her
    experts are more in the field of snorting drugs it seems.
    More amusing:
    Google for "intrusion detection system linux" and the first two hits
    are LIDS and Snort.
    > The two systems differ in that while a network-based intrusion
    > detection tool enables the user to determine when an intrusion is
    > being attempted, the host-based system allows the user to identify
    > when an intrusion has been successful.
    Ok so we make the qualification of NIDS vs HIDS here, and that explains
    Tripwire how?
    > The Snare auditing subsystem is designed to "enhance an
    > organization's ability to detect suspicious activity by monitoring
    > system and user actions", as stated in its release report.
    This is old news in the IDS field. Also old news in the Linux IDS
    > Snare fills Linux security void
    > The lack of integrated security features--perceived or actual--has
    > long been a barrier to widespread Linux adoption.
    So a ZDNet article mentioning YALBI (Yet Another Linux Based IDS) is
    going to shatter that perception? Something tells me that if it were
    really that easy, it would have been done by now.
    ,14179,2821245,00.html
    October 30, 2001
      "Three useful intrusion detection tools come with the OLS 3.1 package. 
      Tripwire lets you take a snapshot of a system's critical software
      executables and configuration files and later compare it with a snapshot
      of the current running system. The PortSentry module automatically
      monitors for port scans and unauthorized access attempts. And LogCheck
      digests large system log files and points out log entries that may
      indicate that a system has been compromised."
    Oh I know, that was only 7 days before this article and you may not
    have known about it yadda yadda /excuse etc.
    ,14179,2453339,00.html
    February 29, 2000
      Security mavens have long agreed that open-source security is the best
      security. It's a pity that their bosses usually disagree. Until now,
      that is. TripWire Inc., long a free-software proponent, has decided to
      cannonball into the open-source waters.
    Now, did we forget to search ZDNet for articles on the very same thing
    you are writing about now? Please, let's remember Journalism 101 here.
    > According to an InterSect Alliance report, "the lack of host-based
    > intrusion detection in the form of an auditing system, has been cited
    > in the past by organizations as a significant contributor to the
    > decision to choose alternative operating systems over Linux in
    > operational roles."
    What organizations? Where are these quotes?
    > While working on similar tools for other operating systems, such as
    > Sun's Solaris and Microsoft's Windows NT--all of which contained an
    > audit collection subsystem--the company realized the lack of this
    > feature in Linux, and "thought something was missing," according to
    > Purdie.
    Err, perhaps I am just out of the loop here, but what does Sun/Solaris
    offer natively that Linux doesn't in the way of "audit collection
    subsystems"? I haven't kept up with Solaris after 2.6 really but I
    just don't see it offering that much more.
    > While eight months seems minimal in software development terms, Purdie
    > maintains that Snare is actually the culmination of ten years' work
    > into the host-based intrusion detection system, added to a combined
    > total of more than twenty years' experience in security for the
    > directors.
    So it's based on ten years of work, yet is being released some *9*
    years after Tripwire was? Why aren't "FRAUD" bells going off at this
    Gah. It is clear to me that this is a total fluff piece that could
    pass for a press release with a few minor changes. No background was
    done, no experts consulted. In fact, had Nicole Bellamy talked to
    other *respected* ZDNet journalists who often write about security
    past or present (Rob Lemos, Alexander Wellen, Michael Fitzgerald), she
    would have realized what a joke this was, and what kind of complete
    bullshit this company was spewing.
    Chalk another up for Errata (
    Oh, any insipid legal threats from Nicole Bellamy will be published
    along with this errata. Since that seems to be her trend based on
    talking to others. (For the ISN crowd: she has threatened to sic her
    pet lawyers on someone who works in the open source community for
    telling her this article was full of shit.)

    This archive was generated by hypermail 2b30 : Fri Nov 09 2001 - 02:58:04 PST