Slashdot Mirror

← Back to Stories (view on slashdot.org)

Intrusion Detection

Posted by Hemos on from the teach-the-clueless-ones dept.

Disgruntled Goat sent us a review of Intrusion Detection, a text sure to be of interest to all those working in organizations. The author is a former NSA employee and has written this book as a text to convince upper-level types of the need for security and actually paying attention to it. Click below to read more. Intrusion Detection author Rebecca Gurley Bace pages 339 publisher Macmillan Technical Publishing, o01/2000 rating 9/10 reviewer Disgruntled Goat, disgruntled_goat@hotmail.com ISBN 1-57870-185-6 summary Very good InfoSec handbook for suits and junior suits. The Scenario Security books, quite frankly, are pretty much a dime a dozen, most of which are written by people in IT field security. What immediately separates this book from the rest is the background of the author. Ms. Bace is an ex-government employee, spending 12 years in everyone's favorite spook organization, the National Security Agency. She led the Computer Misuse and Anonmaly Detection (CMAD) Research Program for six years at the NSA. She also collaborated on Computer Crime : A Crimefighter's Handbook by Dr. David Icove of the FBI. She also won the Distinguished Leadership Award in 1995 from the NSA.

What's Bad? This book is sort of dry reading. It's akin to reading college CS textbooks for pleasure. Or law books. What I didn't like is the fact that she wasn't real clear on the distinction of "hackers", nor how she describes them. She worries that "hackers" wish to "corrupt the trust process". And the focus for the book is not primarily for techies. It's designed for CIO smacking. Generally, if you're in an organization like mine, your CIO has very little technical background. So, good for CIO bashing.
And, it's $50 also.

What's Good? This is good if you're in a position where you need to convince management of security threats. It's also good for the kiddies who want to get an idea of what to look for when they're gunning for targets to disrupt.
What made this good for me was the fact that I could have points to show to management for InfoSec issues. I work in a hospital and we tend to attract a large amount of famous people as patients. If something damaging was leaked to the media about a famous person's medical condition that was potentially embarassing, we're looking at a good multi-million dollar lawsuit. This book isn't a by-the-book "How to protect your systems", but more of a book on what to safeguard, and how to detect patterns that may indicate patterns of unauthorized usage.
One of the things that I liked was the chapter on Legal Issues. One of the sections in the chapter was "What Real Cases Have Taught Us". It did a few page review on Mitnick's case, cut and dry. It shows that Shimomura was no rocket scientist, and with cooperation from the courts, you can bust almost anyone. But it did bring up several good points, such as obtaining court orders, how laws work, and how it can be considered evidence.

So What's In It For Me? If you're a script kiddie, probably nothing. But for those who are achin' to topple some network, this may be for you.

For those with functioning brains who have vested interests in InfoSec and protecting their organization from people who wish to do harm, and getting real security info, rather than from those half-assed "Security Experts" like JohnP, then pick this up.

Pick this book up at ThinkGeek.

Table of Contents
  1. The History of Intrusion Detection
  2. Concepts and Definitions
  3. Information Sources
  4. Analysis Schemes
  5. Responses
  6. Vulnerability Analysis: A Special Case
  7. Technical Issues
  8. Understanding the Real-World Challenge
  9. Legal Issues
  10. For Users
  11. For Strategists
  12. For Designers
  13. Future Needs

55 comments

  1. whois nsa.gov by dattaway · · Score: 3

    TCP connection to 'www.nsa.gov' failed, No Such Agency?

    1. Re:whois nsa.gov by armb · · Score: 1

      It is in the google cache.

      --
      rant
    2. Re:whois nsa.gov by kd7ahv · · Score: 1

      Try www.nsa.gov:8080 it worked last time I checked it (two or three weeks ago.)

      --
      Vodka - It's not just for breakfast anymore!
    3. Re:whois nsa.gov by Barbarian · · Score: 2

      I used the whois available here: http://freshmeat.net/appind ex/1999/10/30/941297803.html plus a perl script to take care of the recent rs.internic.net changes (not necessary for this query).

      $ whois nsa.gov
      National Security Agency (NSA-DOM)
      9800 Savage Rd.
      Ft. Meade, MD 20755-6000


      Domain Name: NSA.GOV
      Status: Active

      Administrative Contact:
      Quinn, Patricia E. (PEQ)
      (301) 688-3741 (FAX)(301) 688-1280
      PEQ@NCSC.MIL


      Domain servers in listed order:

      TOPSCALE.NSA.GOV 144.51.68.4
      ROMULUS.NCSC.MIL 144.51.5.2
      NS1.QWEST.NET 216.111.65.217
      NS2.QWEST.NET 205.171.16.250

      Record last updated on 26-Oct-99.

      Please be advised that this whois server only contains information
      pertaining to the .GOV domain. For information for other domains please
      use the whois server at RS.INTERNIC.NET.

  2. VIIDS by xianzombie · · Score: 2

    the post anonymous button would be nice right now...

    anyway, VIIDS = visual imagery and intrusion detection systems: ie. my current job. (yes, also government)

    this much i will tell you, the majority of the equipment used (and i don't know about NSA) but for priority A and B resources (being Nucelar Weapons and Armed Fighters/Weapons Storage areas, etc.) DO NOT have all that hi-tech junk you see on tv. up until recently our annunciator system was a hunk of metal developed by the navy back in the 60-70's. the rest is mainly motion detectors, sensors, etc.

    These aren't used so much to prevent ppl from getting in, but also to deter admitance. (Don't worry though, should u get in, there are cops in there still who have full athority to shoot you). In fact almost daily i see a sign that states "Use of Deadly Force is Authorized".

    As far as if you were to try and hack the computer annunciator systems, well, first you'd have to get access to them, they're not on an outside network, so good luck there.

    basically, if someone once this stuff bad enough, they can get it. It will however take them alot of work, and also would result in probably a lot of damage to the equipment to get it out of the area.

    to all the would be's who think they want to try, good luck, and i hope you can run fast cuz i'll shoot your ass too.

    1. Re:VIIDS by DoomHaven · · Score: 4

      I am assuming that you think IDS (intrusion detection systems) are "physical" intrusion detection systems (meaning that they detect someone physically trespassing on the premise) instead of "network" intrusion detection systems (that they detect crackers "trepassing" on the premise's network). So, just to clarify, we are talking about "electronic" intrusions here, okay?

      Just to toss out a couple half decent links on intrusion detection systems, for those who are interested:

      This is a good link that compares a few commerical network IDSs
      This is a shitty test suite for network IDSs

      Damn, I thought I had more. Oh well, enjoy!

      --
      "Don't mind me cutting myself on Occam's Razor"
    2. Re:VIIDS by Anonymous Coward · · Score: 0

      You are either one crazy motherf@#$! or a total fraud. If you do have clearance to work in such a place, I think your CO would have a huge problem with you posting this shit to slashdot, EVEN IF you did not display your 'official' email address, web page or use a proxy belonging to your employer. Working in such environments is not something that should be taken lightly. OPSEC becomes more than just a set of guidelines, it becomes a part of every facet of your life -- personal as well as professional! Uggghh...wannabes.

    3. Re:VIIDS by Anonymous Coward · · Score: 0

      Play cricket and baseball in them corridors.. bummer when the ball smacks into a sensor. Laugh at them unexplained events, then cover em up. My complaint is the amount of 'sensitive stuff' is hoarded up in heated storage, then auctioned for pennies. Hey guys, this is holding up hollywood - we need some more props. one word - microfiche.

  3. Intrusion Detection - An Analysts' Approach by Anonymous Coward · · Score: 0

    I recently bought this (different book, same topic) after seeing it recommended strongly on Amazon by one of these "security analysts". However, it covered some old stuff (Mitnick for crying out loud!) as well as gave a general read around of various topics, but it wasn't really what I was hoping for (something more practical would be nice). Yes, my day job is a security researcher, but this was bought outside of that. If anyone can find a practical guide to unix security or unix intrusion detection that wasn't written before 1999 that's actually useful (not A Hacker's Guide To Protecting Your Network, by Anonymous, or whatever its called) please let me know.

    1. Re:Intrusion Detection - An Analysts' Approach by n3rd · · Score: 4

      I know this isn't exactly what you're looking for, but I purchased a copy of O'Reilly's book Practical UNIX and Internet Security 2nd Edition and have found it to be very useful. This book covers almost everything (accounts, passwords, auditing, logging, backups, physical security, file system, etc etc etc) and is well written (I expect no less from ORA). I also purchased a copy of the book you are referring to, and even though it was not very well written, the "real world" examples of TCP/IP and UDP/IP attacks were a good way to put all I knew about TCP/IP in theory into real world situations. Oh yeah, and from the book, I also know how to disconnect people from IRC now (love them RSTs!).

    2. Re:Intrusion Detection - An Analysts' Approach by Esjion · · Score: 2

      And, you can get the book from bookpool.com for $26.50 (I agree that it's a useful book, and this is a decent price, so I thought I would share).

    3. Re:Intrusion Detection - An Analysts' Approach by shilly · · Score: 2

      Can't do exactly what you want, but have you looked at Ross Anderson's homepage at
      http://www.cl.cam.ac.uk/users/rja14/
      He has lots and lots of interesting stuff on security on his site. The lottery paper was great.

    4. Re:Intrusion Detection - An Analysts' Approach by Anonymous Coward · · Score: 0
      Actually, he quotes my answer to his question in that lottery paper. Scary, eh.

      Damn, now I've practically given away who I am. Oh well.

      None of the opinions posted here on Slashdot have anything to do with my employer.

    5. Re:Intrusion Detection - An Analysts' Approach by Anonymous Coward · · Score: 0
      That's a useful link for people looking for UNIX security books (which there probably are quite a few of on here), but you're right, not what I was looking for.

      The problem is, the O/S I use (ain't Linux) has just one webpage I can find about "how to secure your machine". The people in their newsgroups do not reply to questions about security. Their security mailing list seems to be only about creating patches or discussing worst path case analysis for various bugs. Whenever I have seen people ask questions that I am interested in knowing the answer to, they get rebuffed with "go and read a security book from your local bookshop", i.e. not particularly helpful.

      Wish there was more of a guide for those people who know all the damn principles, the theory, etc. but just need to know how to implement them on their own systems.

    6. Re:Intrusion Detection - An Analysts' Approach by D3 · · Score: 2

      Network Intrusion Detection: An Analyst's Handbook by Stephenn Northcutt is an excellent resource. Go back a couple of months in the book reviews here on /. and you'll find my review of it. It was published in Sept. 1999 so it is about as current as you can get. Also, it describes what functionality an IDS should have so you can decide what system works best for your network. Northcutt is one of the original SHADOW people and now works for SANS.

      --
      Do really dense people warp space more than others?
    7. Re:Intrusion Detection - An Analysts' Approach by Anonymous Coward · · Score: 0

      Just ask your local security person are they are 100% happy about the way things are. Big Orgs are too slow in deploying security patches IMHO. So why monitor in excess of your weakest link? Also a lot of big orgs like Windows. This may not be the 'best' security option. Once bad policy decisions are made, someone wears it. Next time a site is compromised - blame the person who over-rode technical advise, in favour of a popular decision.

    8. Re:Intrusion Detection - An Analysts' Approach by n3rd · · Score: 1

      Well, if you would, please tell us which OS you're running and we'll see what we can dig up for you. :)

  4. Deception ToolKit by MinaInerz · · Score: 5

    One the more interesting Intrusion Detection concepts I've seen in recent times is the Deception ToolKit. What this program does is "fakes" a bunch of commonly exploited security holes on your system - even though those holes aren't actually there. This is could prove to be very good at catchin script kiddies who run sendmail break-in scripts, etc. A very interesting concept, indeed - I don't know how well it works, though. Anybody out there with any opinions on this piece of software?


    Dear IRS,
    I am writing to you to cancel my subscription.

    1. Re:Deception ToolKit by Anonymous Coward · · Score: 1

      Pros: Allows you to see what tactics are being used by crackers. One port (forgot the #) is set aside to say "Hey, we're using the Deception Tool Kit; we're watching you, and it isn't worth your time to try and figure out how to break in."

      Cons: Actual services can still be cracked. Also, by using the DTK, you might be opening up another security hole; crash DTK and get root, yadda, yadda, yadda,...

    2. Re:Deception ToolKit by SEWilco · · Score: 2

      Crash DTK and get root? Oh, yeah, due to the reserved port numbers. Not if you're remapping the incoming reserved ports to non-reserved ports.

    3. Re:Deception ToolKit by Jonathan+White · · Score: 4

      The concept is not new, it's called a honeypot. It allows you to trick the attacker into thinking he found a weakness.

      There are many ways to respond after the attacker tries to exploit it. One of the more common is to log whatever info you can get and try to pursue him.

      It's main usefulness with script kiddies lies in that the attacker will be off trying to figure out wtf is wrong with his shellcode while you have the FBI kick in his door.

      However against more organized attacks from more powerful entities (governments, corporations) it can only serve as an obfuscator and an early warning system.

  5. Check out this ID book by kaos_ · · Score: 2

    Network Intrusion Detection: An Analyst's Handbook
    by Stephen Northcutt
    ISBN: 0735708681

    Excellent book on intrusion detection.

    1. Re:Check out this ID book by lw54 · · Score: 1

      I agree. This is an incredible book that is easy to read and covers the technical side of things as well.

    2. Re:Check out this ID book by Genady · · Score: 1

      Not only is it an Interesting read, the autor is also one of the authors of SHADOW, ID Software from the Naval SUrface Warfare Center. Very good coverage of man different ID softwares.

      --


      What if it is just turtles all the way down?
    3. Re:Check out this ID book by Anonymous Coward · · Score: 0

      And he's currently the Chief Information Warfare Officer for the U.S. Ballistic Missile Defense Organization.

  6. Computer Security by Gov't by witchking · · Score: 3

    Having read Clifford Stoll's book (The Cuckoo's Egg) I believe that government employees suffer a credibility problem when discussing computer security issues. In his book, Stoll describes the arrogance of government staff who would not take him seriously when he detailed the security breaches he had found. Although I haven't read the book being reviewed here, I would also highly recommend Stoll's book to those who are interested in this issue (IMHO).

    --
    "Ever get the feeling you've been cheated?" - John Lydon, San Francisco 1978
    1. Re:Computer Security by Gov't by dingbat_hp · · Score: 2

      Stoll ? Isn't that a decade old by now ?

      Things change. Net things change insanely fast. Even governments can't be relied upon to stay stupid forever (*). If you read a net book that was in print a month ago, chances are that it's only fot for fish & chip wrappers by now.

      * Well, maybe not repeatably stupid in a consistent manner 8-)

    2. Re:Computer Security by Gov't by fridgepimp · · Score: 1

      Not necessarily,

      Read @ Large (forget the authors at the moment) but it details a story (from the mid 90's) very similar to the one presented in Cuckoo's Egg. Same attitude, same lack of security.

      Also, take a look at all of the defaced web pages on 2600.com or Hacker News Network...more than 50% are gov't sites, and more than half of those are military installations. While web sites may not qualify as "sensitive", I find that good security professionals tend to secure all machines in their purview, whether or not they really need it.

      -FP

    3. Re:Computer Security by Gov't by aetius2 · · Score: 1

      It isn't just computer security that suffers -- read Rogue Warrior by Richard Marcinko. His Red Cell team play-acted as terrorists to evaluate Navy security, and the same attitude was present -- most of the commanders were too worried about looking bad to actually implement real security.

      Aetius

      Why offend someone with style when you can offend them with substance?

    4. Re:Computer Security by Gov't by Our+Man+In+Redmond · · Score: 2

      Well, besides being an interesting read in and of itself, when you read it you'll notice things that sound familiar to you. Dictionary cracking programs, for instance. The only real difference between then and now is that there are new ways to break into a system alongside the old, familiar ones.

      I'm willing to bet the government's attitude toward technology hasn't changed much, either. My favorite moment in the book, right up there with using the "Man Who Never Was" technique to expose someone breaking into their system, was the FBI guy who, after being presented with a paper trail of evidence starting with a miniscule accounting error and leading to connections to East Germany, asked incredulously if Stoll expected him to mobilize the FBI because Stoll found a quarter missing.
      --

      --
      Someone you trust is one of us.
    5. Re:Computer Security by Gov't by dingbat_hp · · Score: 3

      That's the problem with Stoll's approach. He starts with a minute error and insists that it's a consequence of something untoward.

      These days we all work on Web Time. If it's not done and dusted by Monday, it will be obsolete by Tuesday. No-one has the time to chase pennies. Even individual fraudsters aren't hunted down - I've met ecomm retailers who simply couldn't chase single frauds and would only go after something that looked like a volume syndicate. For the one-offs, the only thing they had the time and money to cope with was letting the item be shipped and then swallow the back-charge from the cc company. RealShopping outlets have taken a similar line for years - they just accept a certain level of stock wastage.

      There's also the volume issue. In Stoll's day a hack attempt was done by a hacker who created the tools himself. Now we're drowned under a barrage of dull script kiddies and bad NT holes. It's a panic out there ! I'd regard a serious probe from a skilled old-school hacker as a welcome and interesting diversion.

      Hacker/cracker - we lost that argument. Get over it.

  7. The author is well connected by griffjon · · Score: 3

    I met her briefly at RSA2000 (...and got a signed copy, heh.) (should I ebay it?).

    Anyway, when I met her, Peter Neumann (yes, /that/ Peter Neumann, borrowed my copy to flip through and see the references to him and to check the TOC for topics covered. He seemed pleased... I haven't had time to read the book yet, though I've flipped through and seen various references to SATAN and similar...

    --
    Returned Peace Corps IT Volunteer
  8. Intrusion Detection by sss12 · · Score: 3

    If you really want to learn how to secure your network, learn how to break in to one. If you aren't interested enough to learn this highly versatile skill, you are in the wrong industry and your company is allowing the wrong people to make their security decisions for them.

  9. A good Linux security book. by Chyeburashka · · Score: 2
    My most often referenced book these days:

    Title: Maximum Linux Security
    Publisher: SAMS Publishing
    Author: Anonymous
    ISBN: 0-672-31670-6
    LOCCCN: 99-61434
    First Printing: September 1999
    Pages: 743

    Micro-Review: Definitely worth buying, reading, and implementing.

    1. Re:A good Linux security book. by Emphyrio · · Score: 1

      I won't comment on the quality of the 'maximum linux security' book - but there's one thing to keep in mind: it's off-topic.
      Securing a system is making it safe, whereas intrusion detection is something totally different: registring security-breach attempts.

  10. PHB's and security... by jburroug · · Score: 3

    Ack. Recently during a department meeting our security guy was explaining to our PHB the steps he has taken to protect our general purpose internet server (web, ftp, email primairly) He told her about how we use ipchains firewall rules to protect the system and started talking about the IDS we recently installed (portsentry by Psionic Software which is some pretty impressive softare, and it's GPL'd) and how it responds to a portscan, which is to drop the route to the attacker completely by appending the ipchains ruleset. She initially told him to remove portsentry and the firewall rules because she "didn't like the idea of denying anyone access to our resources"
    I think a book like this could be very useful in such situations when the person in charge simply doesn't grasp the basic principles of network security (or really networks in general.) And if reading it doesn't help it sounds big and heavey enough to be used as an effective LART. ;->

    --
    "Listen: We are here on Earth to fart around. Don't let anybody tell you any different!" - Kurt Vonnegut
    1. Re:PHB's and security... by Kaa · · Score: 4

      and how it [portsentry] responds to a portscan, which is to drop the route to the attacker completely by appending the ipchains ruleset.

      Not to defend your PHB, but a lot of people consider this to be a misfeature. The problem is with DOS by spoofed attacks. If you don't want host B to talk to host A and A is running portsentry, just spoof attack from B to A.

      Nmap, for example, has an option to spoof attack source and warns about the potential side effects on portsentry.

      Kaa

      --

      Kaa
      Kaa's Law: In any sufficiently large group of people most are idiots.
  11. InfoSec by 348 · · Score: 3
    I thought the review was right on. I've read the book also and the biggest problem I have is convincing senior management that information security is paramount and should be treated as such. This book helped me a lot in this effort, it brought me from port level scanning conversations and helped me make the communication much more generic in terms that my management understood.

    The main InfoSec problem out there today is that the people who control where the IT money is spent, don't always understand the risks associated with ignoring or cutting back on proactive security measures. This book gave me a different way to present. I'd strongly recommend it to both InfoSec folks as well at senior IT management.

    Never knock on Death's door:

    --

    More race stuff in one place,
    than any one place on the net.

  12. Browsing through google's cache by Anonymous Coward · · Score: 0

    Here's some facts about the NSA in google's cache. It also talks about its yearly electrical use --ever see small buildings with a massive underground network with massive electrical feeds? What do they do in there? Maryland seems like a spooky place to live.

    There are lots of things that are a secret. They would tell you, but they'd have to kill you.

  13. Aye, right on. by Rodney+L+Caston · · Score: 1

    I've read this book, and the review is dead on in my opinion. It's a nice general overview of the subject matter, and like a college textbook or stereo instruction manual, it reads very dry. I'd suggest it to people with no real knowledge of the world of security as a realistic look on the problems that need to be tackled. However this book is in no ways a way to be taught how to solve said problems.

  14. Intrusion detection software: by Last+Warrior · · Score: 4
    If you are considering investing in intrusion detection software, there are a number of drawbacks that you should be aware of before you rely too heavily on these security methods.

    1. IDS systems are notorious for dropping packets. Attacks to your network can be missed when the bandwith utilization on your network exceeds a certain percentage. Many IDS systems are only reliable in this fashion up to 10Mb connections.

    2. Intrusion detection programs generally will not reorder packets. Any attacks with fragmented packets, out of order packets, and so on will often slip by without being detection. This is also a good way to penetrate a firewall packet filtering rule that does not reorder/reassemble packets.

    3. IDS systems tend uto use a string matching algorithm to detect network attacks ( such as a phf or php ) and variances in the attack string can also potentially bypass the IDS without generating an event.

    An intrusion detection system is a good tool to top off your networks security policy.. It should not replace human intervention or other security measures including a firewall and proactive network scanning.

    LW

    1. Re:Intrusion detection software: by Anonymous Coward · · Score: 0
      Good overview of IDS issues:

      http://www.monkey.org/~dugsong/talks/ids/

      Software to get past almost all network IDS's (fragrouter):

      http://www.anzen.com/research/nidsbench/

  15. Re:PHB's and security... (minor correction) by Signal+11 · · Score: 2

    It's not GPL'd... it's free for non-commercial use.

  16. NSA /.'ed? by Barbarian · · Score: 1

    Is it just my connection, or did we /. the NSA web site?

    1. Re:NSA /.'ed? by griffjon · · Score: 2

      Didn't you see the top lvl-2+ post? No Such Agency ...exists on the net. Yeah, I think the NSA has been slashdotted.

      Hey CmdrTaco, here's a new slashbox or side-menu item, list of famous websites we've slashdotted back to the stoneage.

      --
      Returned Peace Corps IT Volunteer
  17. MODERATE ABOVE UP White's "Re:Deception ToolKit" by griffjon · · Score: 2

    very informative post there.

    Also, there's a fundamental problem with all of these honeypot systems. Say you're running a web server, no ssl or any weird stuff, and have locked it down to JUST port 80. You get portscanned, maybe a kiddie devotes a few seconds trying the best port-80 hacks.

    OTOH, you have a honeypot or port listener running, and you pop up like a glowing beacon in the night as, well, a honeypot worthy of much, much attention.

    Of course if your server's already a mound of tantalizing open ports, the loss in making it (look) more attractive are less in comparison with being able to capture kiddies, or at least scare them with lawyers.

    --
    Returned Peace Corps IT Volunteer
  18. Counterpoint/complement to Northcutt Book by Anonymous Coward · · Score: 2
    Try the following paper:

    http://bejtlich.home.texas.net/intv2-1.txt

    The author takes a different view on some of Stephen Northcutt's analysis, especially regarding reset scans. (He says they don't really exist.)

    1. Re:Counterpoint/complement to Northcutt Book by Anonymous Coward · · Score: 0

      Try http://bejtlich.home.texas.net/intv2-1.txt

    2. Re:Counterpoint/complement to Northcutt Book by Anonymous Coward · · Score: 1
      Here's the right HTML link...

      http://bejtlich.home.texas.net/intv2-1.t xt

  19. "Maximum Security" by Simon · · Score: 1


    Is that based on an earlier book called "Maximum Security" also published by SAMS and written by anon?

    If so, then what are the differences? I've got a copy of "Maximum Security" and it's great.


    --
    Simon

  20. Actually, some can by foo12849 · · Score: 1
    The following URL is a recent test of IDS that can both handle 100-mbps as well as reassemble packets: http://www.nwc.com/1023/1023f19.html.

    The cool thing is that the only product that could do both (BlackICE Sentry) is also available as a $40 personal version (BlackICE Defender) that you can install on your own (Windoze) machine. It includes a personal firewall to boot and is really easy to use. It also has extensive anti-evasion technique to solve problem number 3 that you mention. Go to networkice.com and download a copy of it if you don't believe me.

  21. On-line IDS info by foo12849 · · Score: 1

    You should check out the IDS FAQ. It has tones of easy to understand, but technical information. The site has a bunch of other infosec information.

  22. Try BlackICE Defender by foo12849 · · Score: 1
    I mentioned this in a response to another post, but I thought I'd mention it here. If you want to learn more about intrusion detection and you are running Windoze, you can buy your own industrial strength IDS for you own PC. BlackICE Defender is a full network-based IDS that has been scaled down to fit on your PC, and it comes with a built-in firewall to boot. It has some really cool features, such as:
    • Easy to understand help on all the intrusions it detects. example1 example2
    • Extremely high performance. The test here compares the "Sentry" version against other network-based IDSs. The "Defender" version is higher performance than other personal firewalls, but it does both IDS and firewalling.
    • You can buy/download online and install it immediately without even having to reboot your machine.
    • It does some simple scans against the intruders (DNS, NetBIOS) and sometimes finds out who they are.
  23. Small problem with BlackIce... by Anonymous Coward · · Score: 1
    ...It has a good rep for detecting and blocking external attempts at access. Unfortunatly, it doesn't block transmission *from* your system to the exterior side.

    So while it has it's uses, it's not much good if you have downloaded a trojaned program from Jo Bloggs quick and dirty software archive.

    I'm not saying that this makes it useless - just that if you install it, you shouldn't allow yourself to develop a false sense of security.

  24. Real security by Peaker · · Score: 0

    For real security, why mess with traditional ACL systems (UNIX, Windows, etc)?

    REAL security can only be achieved with PURE capability systems.
    EROS-OS implements a HIGH-PERFORMANCE pure capability system as a research project. This is the direction OS's should be going for real security, AND performance, too.