[logs] the log management/monitoring space (fwd)

From: Tina Bird (tbird@precision-guesswork.com)
Date: Thu Dec 12 2002 - 22:32:19 PST

    I got started on a review of the commercial space back in September --
    clearly I'm not finished, but let's get this on the commercial tools bit
    of the web site and go from there...
    
    tbird
    
    "Our duty, as living things, is to be sure that pain is not our whole
    story, for we can choose to be otherwise....we can choose to dance."
                                 -- from "Six Moon Dance," by Sheri Tepper
    
    http://www.shmoo.com/~tbird
    Log Analysis http://www.loganalysis.org
    VPN http://vpn.shmoo.com
    
    ---------- Forwarded message ----------
    Date: Wed, 11 Sep 2002 01:00:06 +0000 (GMT)
    From: Tina Bird <tbird@precision-guesswork.com>
    To: Tina Bird <tbird@precision-guesswork.com>,
         Rodney Thayer <rodneyat_private>, Fearghas McKay <fm@st-kilda.org>
    Subject: the log management/monitoring space
    
    List compiled by Toby Kohlenberg, a buddy of mine at Intel, with editorial
    comments by yours truly... However, I'm bored now and will work on this some
    more tomorrow.  I think Toby's missed a couple, but there's a limit to how
    much marketing bumph I can handle in one day, especially when I'm already
    brain dead.
    
    t.
    
    ---------- Forwarded message ----------
    Date: Thu, 29 Aug 2002 10:18:11 -0700
    From: "Kohlenberg, Toby" <toby.kohlenbergat_private>
    
    http://www.appliedwatch.com/
    A GUI interface for managing and monitoring Snort
    
    http://www.addamark.com/solutions/index.html
    Clustered Linux database system optimized for time-indexed, non-transactional
    data.  Kick-ass high-performance management and archiving solution, but needs
    vertical apps for specific focus areas like security.
    This is the company whose CTO I dated a couple of times, for whom I'm
    writing a white paper.  They're entertaining the thought of hiring me to
    develop that security vertical but I don't think they can afford me, and I
    don't think I want to be tied down to a single technology.
    
    http://www.vericept.com/products/view_security.shtml
    Appliance that claims to measure compliance with an individually-tailored
    corporate appropriate use policy.  Damned if I can tell from the nearly
    content free Web site how it actually >>works<<.  The only intervention it
    claims to require from the corporate IT staff is IP address assignment, so
    it can't be using syslog or SNMP...
    
    http://www.secos.com/products/secospider/details.asp
    Combines policy management, resource utilization, log monitoring and real
    time alert categories into one worn-out little system...based on
    agent/server technology.  Web site lacks important information like which
    platforms are supported.
    
    (what, me, getting snarky???)
    
    http://www.ringnecktech.net/
    "Ringneck Technologies is a new software company dedicated to optimizing
    network security tools to enhance their effectiveness in fighting
    malicious."
    
    Clearly writing code is easier than writing English.  Web site last
    updated June 2001.  Events are normalized to the widely-adopted Common
    Intrusion Specification Language: "RSC developers are following this
    activity and will implement the RFP."
    
    (you must be this tall to ride this ride)
    
    http://www.netiq.com/products/sm/default.asp
    Integrates log management for FW-1, Cisco PIX and IOS, ISS RealSecure and
    anti-virus systems with a set of event signatures.  Near as I can tell, no
    application or OS
    support.  Still, my favorite of the options to this point.  NetIQ sold
    part of this package to Microsoft, who then repackaged it in the Win2k
    Resource Kit as the Microsoft Operations Manager 2000 application.  I knew
    I remembered them from somewhere.  Note that Microsoft is not continuing
    development on this application for .NET.
    
    http://demarc.com/
    Home of the best-paid product marketing group, the owners of PureSecure
    branding ;-)  Once you get through the glossy advertising, it's Snort,
    with the ability to verify service availability and some Tripwire-like
    functionality.  Since it's doing integrity checking, it must have agent
    software, but the Web site doesn't go into that much detail.
    
    http://www.guarded.net/
    Definitely get points for having the most useful technical information on
    their Web site.  Monitoring system accepts data via syslog and SNMP.
    Says it supports CheckPoint and ISS logs "natively" (assuming they mean
    FW-1, this might mean they have written an OPSEC-compliant LEA interface,
    it's not clear; ISS RealSecure uses SNMP or SMTP).  Windows systems
    require agent software.  Modules normalize event data to a common format
    and then forward it (all of it, near as I can tell) to the central
    management console.  Console performs correlation, analysis and long term
    storage.  No performance numbers.  Pretty impressive list of supported
    devices (http://www.guarded.net/prod/supp.html) tho' no info on what sort
    of signatures they provide (it's been known to happen that I've disagreed
    with a vendor's assessment of significant events).  I'm not sure that I'd
    call nmap a security audit tool.
    
    http://www.aprisma.com/products/security.shtml
    Claim to support every device under the sun (see
    http://www.aprisma.com/products/SSM/Support_Devices_Summary.pdf for
    details), but since they include a load balancing/fail-over system
    (StoneBeat) in the firewall list and NFR's Secure Log Repository as a
    network-based IDS, I'm not sure they've got any idea of what they're
    doing.  Web site is >>extremely<< buzzword compliant.  Looks like it wants
    to be OpenView when it grows up -- SNMP based management and monitoring.
    
    http://www.arcsight.com/
    
    http://www.advisortechnologies.com/Products.htm
    http://www.gd-decisionsystems.com/intrusionvision/
    http://www.esecurityinc.com/
    http://www.sidrlabs.com/
    http://www.igloosec.com/product/product.htm
    http://www.freshwater.com/SiteScope.htm
    http://www.open.com/htm/products.htm
    http://www.micromuse.com/
    http://www.opensystems.com/index.asp
    http://www.intrusion.com/Products/enterprise.shtml
    http://www.securesoftsystems.com/
    http://www.netforensics.com/
    http://www.tm.agilent.com/tmo/datasheets/English/HPJ4642A.html
    http://www.itactics.com/
    http://www.cyberwolftech.com/ (note- MountainWave has been bought by
    Symantec)
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    This archive was generated by hypermail 2b30 : Thu Dec 12 2002 - 22:45:34 PST