Re: [logs] Host IDS for Windows

From: Alexandre Dulaunoy (alexat_private)
Date: Tue Jan 08 2002 - 00:27:08 PST


    On Mon, 7 Jan 2002, Tina Bird wrote:
    
    > Hi all -- People looking for a pure Windows EventLog
    > monitoring system may want to take a look at
    >
    > http://www.gfi.com
    >
    > Their LANguard Security EventLog Monitor can watch
    > multiple Windows servers and workstations from a central
    > console, and send SMTP alerts for a variety of security
    > events (failed logons, admin access after hours, etc).
    >
    > I've never used it.  Anyone out there taken a look at
    > it?  Opinions much appreciated.  I am not affiliated with
    > GFI or any of its resellers.
    >
    
    I have some comments on this product:
    
    * As specified on their web site
      (http://www.gfi.com/lanselm/wp_why_lanselm.htm), you don't have to
      install special software on the monitored Windows host. The collector
      agent uses the "native WIN32 API", which means they use RPC requests to
      get events from each Windows host. I don't think it is a great idea
      because, in the majority of cases, the Windows hosts are hardened because
      they are located in an untrusted zone (like a DMZ ...).
    
    * Another issue: they seem to trust the WIN32 API of the host they are
      collecting data from. If the host is compromised, can we trust the logging?
      The logging does not seem to be signed, so it will be easy to generate
      false logging from a compromised host. (It's also possible with signed
      logging, but it's more difficult 8-) Check out PEO & VCR.)
    
    * Another issue (from my point of view): it only takes care of Windows
      events. Correlation is really important in security monitoring; I don't
      think looking only at one type of logging is really useful.
    
    Yes, the product may be right for a small (trusted) network without other
    operating systems and specific applications on WIN32.
    
    But do you have a trusted network when you have untrusted Windows on it?
    
    Alx
    
    PS: it's just my opinion.
    
    
    
    -- 
    Alexandre Dulaunoy			adulauat_private
    http://www.foo.be/
    http://www.conostix.com/
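The mail's point about unsigned logging, as an added example that is not part of the thread (and not the PEO or VCR schemes themselves): a forward-secure MAC chain in which the collector holds the initial key K_0 and the host evolves its key after every entry, so a host compromised later cannot silently rewrite or re-MAC earlier entries. The key, record layout and event lines are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key K_0, shared with the collector out of band (assumption).
K0 = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
ZERO_TAG = b"\x00" * 32

def evolve(key: bytes) -> bytes:
    """One-way key update: K_{i+1} = SHA-256("evolve" || K_i); K_i is then erased."""
    return hashlib.sha256(b"evolve" + key).digest()

def tag_entry(key: bytes, index: int, prev_tag: bytes, msg: bytes) -> bytes:
    """MAC over sequence number, previous tag and message, chaining the entries."""
    return hmac.new(key, index.to_bytes(8, "big") + prev_tag + msg, hashlib.sha256).digest()

class HostLogger:
    """Host side: appends (index, message, tag) records and evolves the key after each."""
    def __init__(self, k0: bytes):
        self.key, self.index, self.prev_tag, self.entries = k0, 0, ZERO_TAG, []

    def append(self, msg: bytes) -> None:
        tag = tag_entry(self.key, self.index, self.prev_tag, msg)
        self.entries.append((self.index, msg, tag))
        self.key = evolve(self.key)          # the key that authenticated this entry is now gone
        self.index, self.prev_tag = self.index + 1, tag

def verify_log(k0: bytes, entries) -> int:
    """Collector side: number of consecutive valid entries from the start.
    An edited, dropped, reordered or re-MACed entry breaks the chain at that point."""
    key, prev_tag = k0, ZERO_TAG
    for expected, (index, msg, tag) in enumerate(entries):
        if index != expected or not hmac.compare_digest(tag, tag_entry(key, index, prev_tag, msg)):
            return expected
        key, prev_tag = evolve(key), tag
    return len(entries)

def demo(k0: bytes = K0) -> tuple:
    """Writes three constructed events, then simulates a host compromised afterwards
    whose only remaining key (K_3) is used to rewrite entry 1."""
    host = HostLogger(k0)
    for event in (b"logon ok: alice", b"logon FAILED: administrator", b"service started"):
        host.append(event)
    intact = verify_log(k0, host.entries)                 # 3: every entry checks out
    stolen_key, tampered = host.key, list(host.entries)   # K_3 is on the host, K_1 is not
    idx, _, _ = tampered[1]
    tampered[1] = (idx, b"logon ok: administrator",
                   tag_entry(stolen_key, idx, tampered[0][2], b"logon ok: administrator"))
    return intact, verify_log(k0, tampered)               # (3, 1): collector rejects from entry 1
```

The collector must receive entries promptly and keep K_0 off the monitored host; the scheme detects tampering after the fact rather than preventing a compromised host from writing nothing at all.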
