Re: [logs] Host IDS for Windows

From: Alexandre Dulaunoy (alexat_private)
Date: Tue Jan 08 2002 - 00:27:08 PST

Next message: Victor Fernandes: "Re: [logs] Host IDS for Windows"

Previous message: Tina Bird: "[logs] Host IDS for Windows"
In reply to: Tina Bird: "[logs] Host IDS for Windows"
Next in thread: Victor Fernandes: "Re: [logs] Host IDS for Windows"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 7 Jan 2002, Tina Bird wrote:

> Hi all -- People looking for a pure Windows EventLog
> monitoring system may want to take a look at
>
> http://www.gfi.com
>
> Their LANguard Security EventLog Monitor can watch
> multiple Windows servers and workstations from a central
> console, and send SMTP alerts for a variety of security
> events (failed logons, admin access after hours, etc).
>
> I've never used it.  Anyone out there taken a look at
> it?  Opinions much appreciated.  I am not affiliated with
> GFI or any of its resellers.
>

I have some comments on this product :

* As specified on their web site
 (http://www.gfi.com/lanselm/wp_why_lanselm.htm), you don't have to
  install special software on the monitored windows host. The collector
  agent use "native WIN32 API" that means they use RPC request to get
  events from each windows. I don't think is a great idea because, in the
  majority of case, the windows are hardened because located in a
  untrusted zone (like DMZ ...).

* Another issue, they seem to trust the WIN32 API from the host, they are
  collecting data. If the host is compromised, can we trust the logging ?
  The logging seems to not be sign so that will be easy to generate false
  logging from a compromised host. (it's also possible with signed logging
  but it's more difficult 8-) checkout PEO & VCR)

* Another issue, (from my point of view) it's only taking care of windows
  events.  Correlation is really important in security monitoring, I don't
  think looking only in one type of logging is really useful.

Yes, the product may be right for a small (trusted) network without other
Operating System and specific application on WIN32.

But do you have a trusted network when you have untrusted Windows on it ?

Alx

ps : it's just my opinion.

-- 
Alexandre Dulaunoy			adulauat_private
http://www.foo.be/
http://www.conostix.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private

Next message: Victor Fernandes: "Re: [logs] Host IDS for Windows"
Previous message: Tina Bird: "[logs] Host IDS for Windows"
In reply to: Tina Bird: "[logs] Host IDS for Windows"
Next in thread: Victor Fernandes: "Re: [logs] Host IDS for Windows"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 09:35:44 PST