Karl
Tue Jun 08 06:48:15 CDT 2004
Well, Snort is just as much a HIDS as BlackIce, which is/was sold as a HIDS.
People do use Snort as a HIDS. It doesn't monitor your Windows log files,
but I don't think that's necessarily an absolute requirement for being
called a HIDS.
Osiris appears to be a file change checker like Tripwire [very different
from Snort]. The only satisfactory free file change checker for Windows is
the free SIM from www.gfi.com although I find it sometimes gives errors or
refuses to work on certain machines. I highly recommend SIM or something
like it anyways as ONE of your HIDS methods. [Osiris could very well be
superior.] If you don't like that, you could write your own script or
search Google for a script to make MD5 hashes of files.
Again, none of these products monitor Windows event logs, which is another
way to do Windows HIDS. I'm not aware of a free product that does this; you
would probably either need to buy a commercial HIDS like Enterasys Dragon
that does this, or write your own scripts to do so. www.ipsentry.com is one
tool that costs around $100 US that you can configure to monitor Windows
event logs in real time on multiple machines across the network, but you
have to tell it what to look for.
Since log files on compromised machines can be altered or deleted, you might
also want to consider something like the free NTSYSLOG which spits out the
log entries to a remote syslog server such as www.kiwisyslog.com, and use
SSH or PuTTY or Windows 2000 or newer IPSec to encrypt the traffic.
"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:uhN6kDUTEHA.3700@TK2MSFTNGP09.phx.gbl...
> In canonic terms, Snort is a NIDS, network intrusion detection system.
>
> As for the HIDS, I'm struggling to see much value in those. However, in some
> cases, they might be a reasonable security control.
>
> For those interested, the correct URL to OSIRIS is http://osiris.shmoo.com
>
> --
> Svyatoslav Pidgorny, MVP, MCSE
> -= F1 is the key =-
>
> "Bojidar Alexandrov" <bojo_do_not_spam@kodar.net> wrote in message
> news:#aMKXhSTEHA.1048@tk2msftngp13.phx.gbl...
> > snort.org
> > The best one!
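A minimal version of the do-it-yourself file change checker Karl suggests (hash every file, keep the list, and diff it later), as an added example that is not code from this thread or from Osiris, Tripwire or GFI SIM. The JSON baseline format, the function names and the SHA-256 default are assumptions of this example; MD5, which the post mentions, is accepted via the `algorithm` parameter but is collision-prone, so a deliberate replacement file can be made to match it.

```python
"""Minimal file-integrity baseline checker (Tripwire/Osiris-style).

Added example, not code from the original thread. Walks a directory,
records a digest per regular file, and on a later run reports files
that were added, removed or modified. Assumptions: baseline stored as
JSON, SHA-256 by default (MD5 still catches accidental change but an
attacker can craft a same-MD5 replacement, so prefer SHA-256).
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk_size=65536):
    """Hex digest of one file, read in chunks so large files do not load into RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Map every regular file under root (relative, '/'-separated path) to its digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Skip symlinks and special files: only attest real file contents.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full, algorithm)
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline. Keep it off the monitored host or on read-only
    media: like the logs Karl mentions, a baseline on a compromised box can
    simply be rewritten to match the tampered files."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def compare(baseline, current):
    """Return (added, removed, modified) as sorted lists of relative paths."""
    old_paths, new_paths = set(baseline), set(current)
    added = sorted(new_paths - old_paths)
    removed = sorted(old_paths - new_paths)
    modified = sorted(p for p in old_paths & new_paths if baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, rescan.
    Returns the (added, removed, modified) tuple from the second scan."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "etc"))
        files = {  # constructed sample content
            "etc/hosts": b"127.0.0.1 localhost\n",
            "app.exe": b"MZ original program bytes",
            "readme.txt": b"hello",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)

        baseline_path = os.path.join(store, "baseline.json")  # outside the scanned tree
        save_baseline(build_baseline(root), baseline_path)

        # Simulate change: one binary replaced, one file added, one deleted.
        with open(os.path.join(root, "app.exe"), "wb") as f:
            f.write(b"MZ replaced program bytes")
        with open(os.path.join(root, "etc", "new.conf"), "wb") as f:
            f.write(b"added later\n")
        os.remove(os.path.join(root, "readme.txt"))

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added)        # ['etc/new.conf']
    print("removed:", removed)    # ['readme.txt']
    print("modified:", modified)  # ['app.exe']
```

Run it once against a clean build to create the baseline, then on a schedule; anything in the `modified` list for system binaries or configuration files is the event the HIDS should raise. A digest-only baseline says nothing about permissions, ownership or timestamps, which the commercial tools also track, so extend the record if those matter to you.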