[ISN] Application and Host IDS Tools

From: InfoSec News (alerts@private)
Date: Thu Mar 22 2007 - 00:02:26 PST

Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>



=== CONTENTS ===================================================

IN FOCUS: Application and Host IDS Tools 

   - Windows 2003 SP2 Ready for Download
   - EldoS Provides Raw Disk Access for Vista and XP
   - New Coating System Contains Wireless Signals
   - Recent Security Vulnerabilities

   - Security Matters Blog: Helios Lite--Rootkit Detector
   - FAQ: Vista BitLocker Safety
   - From the Forum: "Audit Privilege Use" Events
   - Tell Us About the Products You Love!
   - Share Your Security Tips

   - Encrypt Sensitive Files Before They Leave the Office




=== SPONSOR: CA XOsoft =========================================

Extend your MSCS cluster offsite
   MSCS clustering can be a good option for local high availability - 
but it doesn't provide complete protection from unplanned downtime. 
Download this free white paper and learn how extending your MSCS 
cluster offsite with a high availability solution with CDP technology 
can protect from data corruption, including damage done by viruses or 
human error. 

=== IN FOCUS: Application and Host IDS Tools ===================
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Many of you probably have some sort of intrusion detection system (IDS) 
in use on your network. Most tools of this sort operate either at the 
network border to monitor incoming traffic or on the internal network 
to monitor internal traffic. 

Recently I learned about two IDS tools that are a little bit different 
from a typical IDS. One runs inside an application, and the other is a 
host IDS that runs on servers or workstations. 

The first tool is called Firekeeper. It's an extension for Firefox that 
works similarly to Snort in that it uses a configurable set of rules to 
detect suspicious activity. Firekeeper is a relatively new tool and 
doesn't have the huge set of rules available that Snort does. 
Nevertheless, the base set of rules is a good starting point, and you 
can write your own rules with relative ease, especially if you're 
familiar with Snort. 

Because Firekeeper runs inside Firefox, naturally it's meant to detect 
intrusion attempts that would originate from Web content. The base set 
of rules detects suspicious JavaScript activity; abnormal behavior of 
Real Networks' RealPlayer, Microsoft Windows Media Player, and 
Nullsoft's Winamp controls; attempts to access email clients via file 
extension types; and more. Another benefit is that Firekeeper inspects 
content after the browser has decrypted it, so it sees the plaintext of 
Secure Sockets Layer (SSL) sessions, which a border IDS can't read 
unless it terminates or intercepts them. 
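To make the rule-based idea concrete, here is an added example (not Firekeeper's code or rule syntax) of a small Snort-style rule engine applied to page content after the browser has decrypted it. The grammar, the two rules, and the two page bodies are all constructed for the illustration; the hidden-iframe and unescape/%u9090 patterns are the kind of thing such rules look for, not rules taken from the Firekeeper rule set.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added illustration of the approach, not Firekeeper's code. The rule grammar
# below (action(option:"value"; flag;)) is a constructed, Snort-like one, and
# the rules and page bodies are made up for the demonstration.

RULE_RE = re.compile(r'^(alert|drop)\s*\((.*)\)\s*$', re.S)
# option:"value";  (value may contain \" escapes)  or a bare flag such as nocase;
OPT_RE = re.compile(r'(\w+)(?::"((?:[^"\\]|\\.)*)")?\s*;')


@dataclass
class Rule:
    action: str
    msg: str
    url_content: Optional[str] = None      # substring that must appear in the URL
    body_content: Optional[str] = None     # substring that must appear in the body
    body_re: Optional[re.Pattern] = None   # regex that must match the body
    nocase: bool = False


@dataclass
class Response:
    url: str
    headers: Dict[str, str]
    body: str   # the decrypted body as the browser sees it, TLS or not


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed rule: {text!r}")
    action, opts_text = m.groups()
    opts = {k: v.replace('\\"', '"') for k, v in OPT_RE.findall(opts_text)}
    if "msg" not in opts:
        raise ValueError("rule needs a msg option")
    nocase = "nocase" in opts
    body_re = opts.get("body_re")
    return Rule(
        action=action,
        msg=opts["msg"],
        url_content=opts.get("url_content"),
        body_content=opts.get("body_content"),
        body_re=re.compile(body_re, re.I if nocase else 0) if body_re else None,
        nocase=nocase,
    )


def matches(rule: Rule, resp: Response) -> bool:
    """All options present in a rule must match (AND semantics, as in Snort)."""
    fold = (lambda s: s.lower()) if rule.nocase else (lambda s: s)
    if rule.url_content is not None and fold(rule.url_content) not in fold(resp.url):
        return False
    if rule.body_content is not None and fold(rule.body_content) not in fold(resp.body):
        return False
    if rule.body_re is not None and not rule.body_re.search(resp.body):
        return False
    return True


def scan(rules: List[Rule], resp: Response) -> List[Tuple[str, str]]:
    """Return (action, msg) for every rule that fires on this response."""
    return [(r.action, r.msg) for r in rules if matches(r, resp)]


RULES = [parse_rule(r) for r in [
    r'alert(msg:"JavaScript unescape with %u9090 NOP sled"; body_content:"unescape"; body_re:"(%u9090){2,}"; nocase;)',
    r'drop(msg:"Hidden iframe (zero width or height)"; body_re:"<iframe[^>]*\b(width|height)\s*=\s*\"?0\b"; nocase;)',
]]

# Constructed responses. Both arrive over HTTPS; the engine sees plaintext
# because it runs after the browser has decrypted the session.
BENIGN = Response("https://example.test/index.html", {"Content-Type": "text/html"},
                  "<html><body><h1>Hello</h1><script>document.title='x';</script></body></html>")
DRIVEBY = Response("https://example.test/promo.html", {"Content-Type": "text/html"},
                   '<html><body><iframe src="http://203.0.113.7/x.html" width=0 height=0></iframe>'
                   '<script>var s = UnEscape("%u9090%u9090%u9090%u9090%u4141%u4141");</script>'
                   '</body></html>')

if __name__ == "__main__":
    for resp in (BENIGN, DRIVEBY):
        print(resp.url, scan(RULES, resp))
```

The point of the `nocase` flag and the mixed-case `UnEscape` in the sample is that content rules are easy to evade by trivial case changes unless the rule author folds case; the same applies to encoding tricks, which is why real rule sets pair substring checks with regexes.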

Overall, Firekeeper is a pretty good idea. If I understand correctly, 
the project was started by Jan Wrobel as part of Google's Summer of 
Code 2006. Since that time, it's come along nicely. You can check it 
out at the mozdev.org Web site (click the link below), where a link to 
a mailing list is also available. 

The second tool I learned about is OSSEC Host IDS (HIDS). OSSEC HIDS 
has two basic parts: the central server and the host monitors. The main 
server collects information from the host monitors, and the host 
monitors perform a variety of tasks. They can detect known rootkits and 
maintain file system integrity by keeping tabs on important system 

Another useful aspect is that OSSEC HIDS can monitor a variety of 
different logs, such as those generated by Apache, Squid, Snort, nmap, 
Windows, Microsoft IIS, Cisco VPN concentrators, and Cisco PIX 
firewalls. As you might expect, it can also deliver alerts to 
administrators via email messages or log entries, and it can actively 
respond to detected events based on your configuration settings. 
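The server/agent split, the log monitoring, and the configurable active response described in the two paragraphs above follow one pipeline: decode a log line into fields, match rules against those fields (including composite rules that count repeated events from one source inside a time window), assign an alert level, and trigger a response above a chosen level. The following is an added example of that pipeline in Python; the decoders, rule numbers, levels, thresholds, and log lines are all constructed for the illustration and are not OSSEC's own code, rule files, or defaults.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Deque, Dict, List, Optional, Tuple

# Added example modeled on the OSSEC pipeline (decoder -> rule -> alert ->
# active response). The decoders, rules, thresholds and log lines are all
# constructed for this illustration; none of it is OSSEC's own code or rules.

DECODERS = {
    "sshd": re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
                       r'(?P<event>Failed password|Accepted \w+) for (?:invalid user )?'
                       r'(?P<user>\S+) from (?P<srcip>[\d.]+)'),
    "apache": re.compile(r'^(?P<srcip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                         r'"(?P<req>[^"]*)" (?P<status>\d{3})'),
}
TS_FORMATS = {"sshd": "%b %d %H:%M:%S", "apache": "%d/%b/%Y:%H:%M:%S %z"}


def decode(line: str) -> Optional[Dict]:
    """Turn a raw log line into named fields, or None if no decoder applies."""
    for name, rx in DECODERS.items():
        m = rx.match(line)
        if m:
            ev = m.groupdict()
            ev["decoder"] = name
            ev["time"] = datetime.strptime(ev["ts"], TS_FORMATS[name])
            return ev
    return None


@dataclass
class Rule:
    rid: int
    decoder: str
    level: int
    description: str
    match: Callable[[Dict], bool]
    frequency: int = 1   # >1 makes a composite rule: this many matches from one srcip...
    timeframe: int = 0   # ...within this many seconds


RULES = [
    Rule(100, "sshd", 5, "sshd: failed password",
         lambda e: e["event"] == "Failed password"),
    Rule(101, "sshd", 10, "sshd: brute force (5 failures within 120 s)",
         lambda e: e["event"] == "Failed password", frequency=5, timeframe=120),
    Rule(200, "apache", 3, "web: client error",
         lambda e: e["status"].startswith("4")),
    Rule(201, "apache", 6, "web: directory traversal attempt",
         lambda e: "../" in e["req"] or "/etc/passwd" in e["req"]),
]

ACTIVE_RESPONSE_LEVEL = 6   # alerts at or above this level trigger a response
AR_TIMEOUT = 600            # seconds the firewall block stays in place

Alert = Tuple[int, int, str, str, datetime]   # (rid, level, description, srcip, time)


class Engine:
    def __init__(self) -> None:
        self.windows: Dict[Tuple[int, str], Deque[datetime]] = defaultdict(deque)
        self.alerts: List[Alert] = []
        self.responses: List[Tuple[str, str, int]] = []

    def feed(self, line: str) -> List[Alert]:
        ev = decode(line)
        if ev is None:
            return []
        fired: List[Alert] = []
        for r in RULES:
            if r.decoder != ev["decoder"] or not r.match(ev):
                continue
            if r.frequency > 1:
                w = self.windows[(r.rid, ev["srcip"])]
                w.append(ev["time"])
                while (ev["time"] - w[0]).total_seconds() > r.timeframe:
                    w.popleft()
                if len(w) < r.frequency:
                    continue
                w.clear()   # one alert per burst; a crude stand-in for per-rule damping
            fired.append((r.rid, r.level, r.description, ev["srcip"], ev["time"]))
            if r.level >= ACTIVE_RESPONSE_LEVEL:
                self.responses.append(("firewall-drop", ev["srcip"], AR_TIMEOUT))
        self.alerts.extend(fired)
        return fired


def run(lines: List[str]) -> Engine:
    eng = Engine()
    for line in lines:
        eng.feed(line)
    return eng


# Constructed sample: an SSH password-guessing burst followed by a traversal probe.
SAMPLE_LOG = """\
Mar 22 10:15:01 web1 sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Mar 22 10:15:03 web1 sshd[2233]: Failed password for root from 198.51.100.23 port 50124 ssh2
Mar 22 10:15:04 web1 sshd[2235]: Failed password for root from 198.51.100.23 port 50126 ssh2
Mar 22 10:15:06 web1 sshd[2237]: Failed password for oracle from 198.51.100.23 port 50128 ssh2
Mar 22 10:15:07 web1 sshd[2239]: Failed password for root from 198.51.100.23 port 50130 ssh2
Mar 22 10:15:09 web1 sshd[2241]: Accepted publickey for deploy from 192.0.2.10 port 50132 ssh2
203.0.113.5 - - [22/Mar/2007:10:16:02 -0700] "GET /index.html HTTP/1.1" 200 512
198.51.100.23 - - [22/Mar/2007:10:16:10 -0700] "GET /cgi-bin/../../../etc/passwd HTTP/1.0" 404 209
""".splitlines()

if __name__ == "__main__":
    eng = run(SAMPLE_LOG)
    for rid, level, desc, srcip, t in eng.alerts:
        print(f"{t:%b %d %H:%M:%S} Rule {rid} (level {level}) {desc} srcip={srcip}")
    print("active responses:", eng.responses)
```

Two things worth noticing when you tune a real deployment the same way: the single failed-password rule fires on every line at a low level, so it is the composite rule (frequency plus timeframe) that should carry the high level and drive the response; and the response threshold is a blunt instrument, since a level-6 rule that matches on a substring like `../` will block a source on a single request, which is exactly the kind of rule an attacker can abuse to get a shared proxy or NAT address blocked.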

I installed OSSEC HIDS on a few systems and found that it's very easy 
to configure. Setting up the main server took about 20 minutes 
including reading the manual as I went along. Setting up the tool on 
the hosts was easier, but it did take a bit longer because the host 
settings vary depending on what's being monitored on the hosts. 

OSSEC HIDS is an open source tool and has been tested on OpenBSD, 
FreeBSD, Mac OS X, Slackware Linux, Debian GNU/Linux, SUSE Linux, 
Ubuntu, Red Hat Enterprise Linux, Fedora Core, Solaris, and AIX, as 
well as Windows XP and Windows 2000. You can check it out at the OSSEC 
Web site, where you'll find the manual along with other resources such 
as a wiki and an associated mailing list. 


Do you work in a mixed environment? Visit TechX World (first URL below) 
for information about Windows interoperability. The TechX World 
community gives you access to interoperability articles that aren't 
available anywhere else; news, tips, and tricks from interop experts 
and other users; and forums and blog posts by other community members. 
Join the TechX World community and sign up for the TechX 
Interoperability UPDATE email newsletter (second URL below):

=== SPONSOR: NetIQ =============================================

Free White Paper: Address the Insider Threat 
   Learn how to develop a comprehensive management system that 
virtually eliminates the risk of an insider threat. Co-authored by 
NetIQ and Dr. Eric Cole, this informative white paper identifies the 
key business processes that must be secured and shows how to build a 
solution that contains the insider threat.

=== SECURITY NEWS AND FEATURES =================================

Windows 2003 SP2 Ready for Download
   Windows Server 2003 Service Pack 2 adds new features and tools, 
including WPA2 and improvements to IPsec. Be absolutely certain that 
you review the installation requirements and instructions. 

EldoS Provides Raw Disk Access for Vista and XP
   Security component maker EldoS announced the availability of 
RawDisk, a raw disk access driver for Windows Vista and Windows XP 
systems. Fortunately, the company won't make the product publicly 

New Coating System Contains Wireless Signals
   EM-SEC Technologies announced the successful testing of its new 
liquid coating product designed to contain Wi-Fi signals. The EM-SEC 
Coating System also prevents leakage of signals from several other 
types of electronic devices.

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

=== SPONSOR: LinkTek ===========================================

Automatically fix links when you move files!
   Patented LinkFixerPlus is the first application that automatically 
fixes broken links in Excel, Word, Access, PowerPoint, Acrobat, 
InDesign, PageMaker, AutoCAD and other files when performing data 
migrations due to: server consolidations, server name changes, path 
name changes or folder reorganizations! Detailed broken link reporting 
   Download the FREE trial version NOW at 

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Helios Lite--Rootkit Detector
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=4ECF2:57B62BBB09A69279B3BC89B410B48180

Can you ever have enough rootkit detectors? MIEL-Labs just released 
Helios Lite. Read more about it and get a link to download a copy in 
this blog article on our Web site! 

FAQ: Vista BitLocker Safety
   by John Savill, http://list.windowsitpro.com/t?ctl=4ECEF:57B62BBB09A69279B3BC89B410B48180 

Q: Does Windows Vista BitLocker Drive Encryption have a security 

Find the answer at

FROM THE FORUM: "Audit Privilege Use" Events 
   A forum participant wonders what events will be created if he selects 
Audit Privilege Use--Failures in the audit policy. All he can find are the 
three IDs that appear for successes: 576, 578, and 579. He's trying to 
determine if it's worth having the failures on in the audit policy. To join the 
discussion, go to

   What products are you using that save you time or make your workload 
a little lighter? What hot product discoveries have you made that other 
IT pros need to know about? Let the world know about your experiences 
in Windows IT Pro's monthly What's Hot department. If we publish your 
story in What's Hot, we'll send you a Best Buy gift card! Send 
information about your favorite product and how it has helped you to 

   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to r2r@private If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===================================================
   by Renee Munshi, products@private

Encrypt Sensitive Files Before They Leave the Office
   Spotted Dingo announced GuardTheft, an Internet software application 
that lets users encrypt sensitive documents before taking them out of 
the office on removable media or before storing them on a server for 
transmission. Users can then use GuardTheft's Internet "black box" to 
decrypt the files when the users get to their destination and want to 
work with the files. GuardTheft can encrypt AutoCAD, ArcInfo, DNG, JPG, 
GIF, BMP, TIFF, MDI, PDF, DOC, TXT, PPT, and XLS files. The software 
uses the RC2 (128-bit) encryption algorithm and lets users make their 
key set unique by modifying the key set's 16 keys. A one-week free 
trial of GuardTheft is available. For more information, go to

=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit

Deploy Exchange Server 2007 Without a Hitch! 
   This one-day technical training event teaches you how to preempt 
pitfalls and avoid corrupting your infrastructure. Learn how to 
effectively install, manage, and secure Exchange Server 2007 in a 64-
bit environment. You'll also get a peek into the integration of 
Outlook, SharePoint Server 2007, and Exchange Server 2007. Register 

Get Ready for the Windows Server Longhorn Roadshow! 
   Seize control of your Windows infrastructure with Microsoft's 
biggest server release since Windows 2003. Get a live, under-the-hood 
look at Longhorn virtualization, deployment, Web services, and 
breakthroughs in core reliability. This one-day event is filled with 
demonstrations and in-depth discussions designed for IT pros who want a 
deep understanding of Windows Server Longhorn.   

SQL Server Reporting Services is an exciting way for organizations to 
gain access and insight into their important business data. Get an 
overview of how to increase your production server's performance by 
offloading Reporting Services to a secondary server. Download your free 
copy today! 

=== FEATURED WHITE PAPER =======================================

Learn the 7 critical email problems to watch for and how to prevent 
them. Find out how to better manage your email environment, including 
disaster recovery, compliance, data storage, security, and wireless 
devices. Download this free white paper today. 

=== ANNOUNCEMENTS ==============================================

Introducing a Unique Security Resource 
   Security Pro VIP is an online information center that delivers new 
articles every week on topics such as perimeter security, 
authentication, and system patches. Subscribers also receive tips, 
cautionary advice, direct access to our editors, and a host of other 
benefits! Order now at an exclusive charter rate and save up to $50! 

Grab Your Share of the Spotlight!  
   Nominate yourself or a peer to become IT Pro of the Month. This is 
your chance to get the recognition you deserve! Winners will receive 
over $600 in IT resources and be featured in Windows IT Pro. It's easy 
to enter--we're accepting May nominations now, but only for a limited 
time! Submit your nomination today: 


Security UPDATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 

Subscribe to Security UPDATE at

Be sure to add Security_UPDATE@private 
to your antispam software's list of allowed senders.

To contact us: 
   About Security UPDATE content -- letters@private
   About technical questions -- http://list.windowsitpro.com/t?ctl=4ECF6:57B62BBB09A69279B3BC89B410B48180
   About your product news -- products@private
   About your subscription -- windowsitproupdate@private
   About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

Visit the InfoSec News Security Bookstore

This archive was generated by hypermail 2.1.3 : Thu Mar 22 2007 - 00:07:05 PST