Re: [ISN] Linux snares security tool

From: InfoSec News (isnat_private)
Date: Mon Nov 12 2001 - 01:42:06 PST

  • Next message: InfoSec News: "[ISN] Security concerns top Comdex agenda"

    Forwarded from: Eric Lee Green <ericat_private>
    Cc: jericoat_private, nicole.bellamyat_private
    On Friday 09 November 2001 01:57 am, InfoSec News wrote:
    > Forwarded from: security curmudgeon <jerichoat_private>
    > cc: nicole.bellamyat_private, errata submission <errataat_private>
    > >,4586,2822782,00.html
    > >
    > > By Nicole Bellamy
    > > ZDNet Australia
    [press release masquerading as news] 
    > > November 6, 2001 5:46 PM PT
    > >
    > > InterSect Alliance says it has developed the first integrated security
    > > auditing and event logging subsystem for the open source Linux operating
    > > system, beating much larger organizations to the punch.
    > Oh, so now its an IDS for Linux, and the first?
    > So i guess LIDS ( doesn't count?
    > And of course Marty over at Snort must be horribly disappointed by
    > this revelation. (
    > And damn, the folks from Tripwire must be sawing at their wrists too.
    > Tripwire was opensource and running on Linux when.. 1992 or 1993?
    Sigh. Jericho, I must thank you for writing the rebuttal that I felt
    like writing when I first saw this press release masquerading as news.
    I suppressed my urge to respond because if I responded to every
    clueless reporter out there I would have no time to do my real job
    (writing clustering software at the moment, though I have done
    security engineering in the past), but that was before I read Ms.
    Bellamy's extremely unprofessional response to a previous criticism.
    I have not in any way done any in-depth study of SNARE, since I am not
    its target market, but from reading a brief description, SNARE appears
    to be a useful tool, in that it apparently adds a user-friendly
    interface to already-existing intrusion detection tools such as SNORT
    and Tripwire (or perhaps their own re-implementations of those
    already-existing tools).  However, it adds no new functionality to the
    Linux security world. Those of us who have been involved in Linux and
    Linux security for some time(my experience in the Linux world dates to
    1995, and my first use of Unix was in 1985) will most probably not be
    in the target market for SNARE. We're already running arpwatch, snort,
    logwatch, tripwire, portwatch, Big Brother, etc. as well as
    (sometimes) our own home-brew software for intrusion detection. Some
    of us are even running the BSD accounting tools to look for suspicious
    commands as they are typed into the system, and EMAIL said reports to
    an outside address.
    An interesting and informative article could have been written
    starting with the above premise (i.e. that SNARE brings security out
    of the realm of security geeks into the realm of easy use by mere
    mortals). Unfortunately, such an article was not written. Frankly, if
    Ms. Bellamy consulted any "experts", they must have been a couple of
    pimply-faced kids at her local computer club, or marketroids at local
    computer "research" firms, rather than real Linux security experts
    (that is, people who have actually secured Linux systems).
    > > The two systems differ in that while a network-based intrusion
    > > detection tool enables the user to determine when an intrusion is
    > > being attempted, the host-based system allows the user to identify
    > > when an intrusion has been successful.
    > Ok so we make the qualifiation of NIDS vs HIDS here, and that explains
    > Tripwire how?
    (snort!) Not to mention "logwatch" (which watches the log file for
    suspicious entries and reports them), or the BSD accounting tools,
    which can be programmed to report suspicious commands being typed in
    by users with a few lines of shell scripting and gratuitous grep
    > > The Snare auditing subsystem is designed to "enhance an
    > > organizations ability to detect suspicious activity by monitoring
    > > system and user actions", as stated in its release report.
    > /yawn
    > This is old news in the IDS field. Also old news in the Linux IDS
    > field.
    Old news in the Unix IDS world, for that matter. My system
    administrator at college used many of these same mechanisms -- in
    1985! (Particularly the BSD process accounting tools, which were used
    to detect student's attempts to abuse the system... there were some
    rather surprised students who had their passwords locked out by the
    admins after attempting to bypass system security).
    > > While working on similar tools for other operating systems, such as
    > > Sun's Solaris and Microsoft's Windows NT--all of which contained an
    > > audit collection subsystem--the company realized the lack of this
    > > feature in Linux, and "thought something was missing," according to
    > > Purdie.
    > Err, perhaps I am just out of the loop here, but what does Sun/Solaris
    > offer natively that Linux doesn't in the way of "audit collection
    > subsystems"? I haven't kept up with Solaris after 2.6 really but I
    > just don't see it offering that much more.
    Basically, Solaris has a nice user interface to the underlying Sys V.4
    tools that provide the same basic functionality as the BSD process
    accounting tools used under Linux. You can produce pretty reports and
    graphs and such, if I recall correctly (it's been six months or so
    since I last touched a Solaris system). I believe they may even
    publish some of these via SNMP so that network monitoring tools such
    as Big Brother or CA Unicenter can monitor them. In any event, it is
    clear that we're talking about a user interface difference, rather
    than a functional difference. An article could be written about the
    importance of user interface and how it affects perceptions of
    operating systems, but such an article was not written.
    > Gah. It is clear to me that this is a total fluff piece that could
    > pass for a press release with a few minor changes. No background was
    > done, no experts consulted. 
    It appears that her "expert" was a local "research" outfit (basically,
    the Aussie equivalent of IDG), rather than someone who has actually
    secured Linux systems. It appears that she did not do a basic web
    search to look for other Linux security systems and attempt to contact
    any of those other authors "on background" to verify that her tame
    talking mouthpiece at SNARE was spewing real info rather than
    marketing BS. It appears that she never went to and clicked on the links there about
    other security products for Linux. Frankly, I was taught better in
    high school journalism class.
    > Oh, any insipid legal threats from Nicole Bellamy will be published
    > along with this errata. Since that seems to be her trend based on
    > talking to others. (For the ISN crowd: she has threatened to sick her
    > pet lawyers on someone who works in the open source community for
    > telling her this article was full of shit.)
    That sort of behavior is EXTREMELY unprofessional. You do not threaten
    to sue potential sources for future stories. And if someone offers you
    information, you accept it with a polite "thank you for your
    comments", even if the offer is in a rather, err, rude, manner.
    Frankly, I knew better than that when I was a 19 year old kid writing
    a computer club newsletter column.
    I've had my own run-ins with journalists in the past when I felt I was
    misquoted or that they misconstrued something about Linux, but at
    worst we agreed to disagree. I cannot imagine any situation where
    threatening to sue a critic is productive behavior for a journalist.
    After all, journalists have resort to the ultimate court: the court of
    public opinion, in which they have the capability of "stacking the
    deck" so to speak via the power of the pen.
    Do note, however, that Australia has very anti-free-speech libel laws.  
    Basically, if you say anything critical of a person in Australia, you
    must be able to prove what you say beyond reasonable doubt. This is of
    course the total opposite of the United States, where the person suing
    for libel has the burden of proof, thus allowing greater freedom of
    speech. However, I have no intention to go anywhere near Australia
    (and in fact I suspect they would deny me a visa, due to my public
    criticisms of Aussie PM John Howard's bigotry and poor treatment of
    non-whites), so I don't care what Aussie law says.
    Eric Lee Green          GnuPG public key at
               mailto:ericat_private  Web:
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Mon Nov 12 2001 - 09:02:34 PST