Hi,

First of all, many thanks for your replies, and excuse me for my late response.

Your requests for clarification are justified. I will describe the situation:

We have Windows servers (60+) with custom server applications (self-developed software) which are in the DMZ. There is already a network-based IDS present, based on sFlow packets. But since the DMZ is the first base on the way in by any hacker, we want intrusion detection on the machines in the DMZ.

We now have a very simple IDS in place which monitors process starts. This HIDS will report an alert if an abnormal process start occurs (i.e. a reverse shell will start cmd.exe in an abnormal fashion). This is only one simple abnormality check on a host. We are wondering if there are other host-based IDS which check for abnormal process starts and much more (file integrity, event log, etc.).

Which HIDS will provide abnormality checking (process starts, event log, file integrity, etc.) on a host the best:

OSSEC
Open Source Tripwire
SAMHAIN
OSIRIS
AIDE
Third Brigade Deep Security
Symantec Critical System Protection
IBM Proventia
Enterasys Dragon IDS/IPS
McAfee Total Protection for Endpoint
CA Host-Based Intrusion Prevention System r8
GFiEventsManager
Cisco Security Agent

Btw, are there HIDS that can detect all-in-memory exploits (without the need of starting a process via the kernel)?

Thank you for your time and advice,

Timo Babel

2008/10/20 Erik Harrison <[EMAIL PROTECTED]>:
> how many servers, os variations, what kind of changes are you looking
> to detect? basic file changes are easy, it's the rest of it that's
> complicated and functionality will vary. past that, reporting will be
> important to the managers, execs and if you have a lot of other things
> to manage - to you as well.
>
> what exactly do you want to show them, will you need to back up any
> other responses with relevant data from your org? any other compliance
> or security initiatives in the company that you could support with the
> package or product?
