Re: [ossec-list] Host Intrusion Detection Functionality

[Saul Alanis]

I think this is too broad of a question without any information from you with regards to what you're looking to monitor (services) . It is a great conversation nonetheless but I recommend looking up a few books on Amazon if you really want an in-depth experience.

On Mar 10, 2013 11:36 AM, "Shahin Ansari" <perss...@gmail.com> wrote:

Greetings-
I am looking for some ideas on what are the ideal characteristics of a Host Intrusion Detection solution? What sort of events would you like to have visibility into, and why are they important? I really appreciate your comments.
Regards-
Sean

--
 
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[Shahin Ansari]

This is just as I expected. Thanks for sharing your thoughts.

On Mon, Mar 11, 2013 at 1:42 PM, Jb Cheng <jjoo...@gmail.com> wrote:

Extracted from the book "OSSEC HIDS - Host-Based Intrusion Detection Guide" by Andrew Hey/Daniel Cid/

page 8-9 comparing HIDS vs. NIDS:

"

An HIDS detects events on a server or workstation and can generate alerts similar to an

NIDS. An HIDS, however, is able to inspect the full communications stream. NIDS evasion

techniques, such as fragmentation attacks or session splicing, do not apply because the HIDS

is able to inspect the fully recombined session as it is presented to the operating system.

Encrypted communications can be monitored because your HIDS inspection can look at

the traffi c before it is encrypted. This means that HIDS signatures will still be able to

match against common attacks and not be blinded by encryption.

An HIDS is also capable of performing additional system level checks that only IDS software

installed on a host machine can do, such as fi le integrity checking, registry monitoring, log

analysis, rootkit detection, and active response.

"

My own opinion of 'root' vs. 'user' ---

Sure, root activities have the potential to create maximum damage. However, when hackers focus on information stealing, I think user activities could be very valuable and should not be ignored easily. 

--
 
---
You received this message because you are subscribed to a topic in the Google Groups "ossec-list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ossec-list/o9qAc-ELTow/unsubscribe?hl=en.
To unsubscribe from this group and all its topics, send an email to ossec-list+...@googlegroups.com.

For more options, visit https://groups.google.com/groups/opt_out.
 
 

--
Never give in, never give in, never, never, never, never-in nothing, great or small, large or petty-never give in except to convictions of honor and good sense.  
                                       -Winston Churchill