|
AuditGUARD
|
|
Agent: IBM, HP, SUN, SEQUENT, UnixWare (NT planned)
|
2000 DataLynx, Inc
|
http://www.s4software.com/ag.htm
|
|
auditGUARD allows you to monitor who did what, when, where, and how. Features include:
- Complete audit management: control and filter all of the information available to you.
- Continuous audit from all operating systems.
- Analysis of user actions and their needs.
- Categorization and storage of attempted and actual system violations.
- Tailored reporting and alerting.
|
|
COMMERCIAL
|
Information Updated: 10 Jun 2002
|
|
EMERALD eXpert-BSM
|
|
Agent: Solaris
|
SRI International
|
http://www.sdl.sri.com/projects/emerald/releases/eXpert-BSM/index.html
|
EMERALD's eXpert-BSM Monitor is a host-based intrusion detection system that provides real-time security monitoring for critical application servers and workstations. eXpert-BSM provides a comprehensive knowledge base for detecting insider misuse, policy violations, privilege misuse or subversion, illegal resource manipulation, and other site policy violations on Sun Solaris operating systems. This component is packaged and distributed as a full intrusion detection solution, providing data collection, intrusion detection analysis, an alert management interface, and detailed response directives.
The EMERALD eXpert (pronounced E-expert) is a highly targetable signature-analysis engine based on the expert system shell P-BEST. Under EMERALD's eXpert architecture, event-stream-specific rule sets are encapsulated within resource objects that are then instantiated with an EMERALD monitor, and which can then be distributed to an appropriate observation point in the computing environment. This enables a spectrum of configurations from lightweight distributed eXpert signature engines to heavy-duty centralized host-layer eXpert engines, such as those constructed for use in eXpert's predecessors, NIDES (Next-Generation Intrusion Detection Expert System), and MIDAS (Multics Intrusion Detection Alerting System). In a given environment, P-BEST-based eXperts may be independently distributed to analyze the activity of multiple network services (e.g., FTP, SMTP, HTTP) or network elements (e.g., a router or firewall). As each EMERALD eXpert is deployed to its target, it is instantiated with an appropriate resource object (e.g., an FTP resource object for FTP monitoring), while the eXpert code base remains independent of the analysis target.
|
|
COMMERCIAL
|
Information Updated: 23 Aug 2000
|
|
Enterasys Dragon Host Sensor
(formerly Dragon Squire)
|
|
Linux, FreeBSD, OpenBSD, Solaris (x86/SPARC), HP-UX, NT, Win2K, Cisco IOS, Cisco PIX, Raptor, IPFilter
Log parsing for: Apache, IIS, BIND, RealSecure, most POP servers, secure shell, squid and tripwire.
|
Enterasys Networks
|
http://www.enterasys.com/ids/
|
|
Formerly usable as a standalone product, this is now the host sensor of the hybrid IDS (Dragon) sold by Enterasys.
Host-based IDS
NSW will release a host-based IDS named 'Dragon Squire' during July 2000. The product is currently being tested on the supported platforms (see below) and is having its signature libraries populated.
Log Monitoring
Dragon Squire can monitor the many ASCII-based log files found on modern systems. These log files can be the result of 'syslog'-type messages, such as '/var/log/secure', or the output of complex applications such as Sendmail or Apache. Dragon Squire monitors each specified log file for matches to known activity. In the same way that Dragon Sensors look for 'cgi-bin/phf' in web traffic, Dragon Squire can search for those occurrences in log files.
File Integrity Checking
Dragon Squire will also perform file integrity checks on many different key system files. These checks compute a cryptographic fingerprint of a file's contents. If the contents of a file change, then the fingerprint changes. Examples of malicious file changes include unauthorized additions to the '/etc/passwd' file and backdoors added to the 'sshd' binary.
|
|
COMMERCIAL
|
Information Updated: 5 Jan 2004
|
|
|
|
Windows, Solaris, HP-UX
|
McAfee
|
http://www.mcafeesecurity.com/us/products/mcafee/host_ips/standard_edition.htm
|
McAfee® Entercept® Standard Edition shields
servers and desktops against the full range of known and
unknown attacks. As the only host intrusion prevention
solution (IPS) combining signatures with behavioral rules,
McAfee Entercept provides superior proactive threat
protection—stopping threats before they can damage systems
and applications. McAfee Entercept significantly decreases
the criticality of patch deployment, reduces
security-related costs, and protects critical assets.
|
|
COMMERCIAL
|
Information Updated: 30 Nov 2004
|
|
eTrust Audit
|
|
Agent: NT & Unix
Console: NT
|
CAI
|
http://www3.ca.com/Solutions/Product.asp?ID=157
http://www.cai.com/solutions/enterprise/etrust/audit/
|
|
eTrust Audit collects enterprise-wide security and system audit information without the reduced performance and overwhelming network traffic caused by other auditing products. It consolidates data from UNIX and Windows NT servers as well as other eTrust products and stores it in a central database for easy access and reporting. Administrators use eTrust Audit for monitoring, alerting, and reporting information about user activity across platforms.
|
|
COMMERCIAL
|
Information Updated: 05 Jan 2004
|
|
GFI LANguard S.E.L.M
|
|
Windows 2000/NT
|
GFI Ltd
|
http://www.gfi.com/adentry.asp?adv=158&loc=1
|
|
GFI LANguard S.E.L.M. performs event log based intrusion detection and network-wide event log management. It archives and analyses the event logs of all network machines and alerts you in real time to security issues, attacks and other critical events. GFI LANguard S.E.L.M.'s intelligent analysis means you do not need to be an 'Event Guru' to be able to:
- Monitor users attempting to access secured shares and confidential files;
- Monitor critical servers and create alerts for specific events and conditions occurring on your network;
- Back up and clear event logs automatically on remote machines;
- Detect attacks using local user accounts.
|
|
COMMERCIAL
|
Information Updated: 24 Dec 2004
|
|
GrSecurity - PaX
|
|
Linux
|
GrSecurity
|
http://www.grsecurity.net/
http://www.grsecurity.net/PaX-presentation_files/frame.htm
|
|
It provides non-executable memory pages and full address space layout randomization (ASLR) for a wide variety of architectures.
It is a kernel patch that helps prevent buffer overflows, one of the most common attacks against Linux boxes. While not specifically presented as an IDS like LIDS (see below), it hardens the machine dramatically.
|
|
GNU GPL
|
Information Updated: 05 Jan 2004
|
|
IIS Logger
|
|
Windows 2000
|
Adiscon
|
http://www.iislogger.com/en/
|
|
Working as an ISAPI filter, this product is a pure LOGGER, which can provide very extended and verbose information about the requests made to an IIS web server. This includes logging requests for those nasty exploits which under normal conditions would leave no trace in your web server's log.
|
|
COMMERCIAL
|
Information Updated: 05 Jan 2004
|
|
IBM RealSecure Server Sensor
|
|
Windows 2000/2003
|
Internet Security Systems
|
http://www.iss.net/products/RealSecure_ServerSensor/product_main_page.html
|
|
RealSecure Server Sensor provides automated, real-time intrusion protection and detection by analyzing events, host logs, and inbound and outbound network activity on critical enterprise servers to block malicious activity from damaging critical assets.
RealSecure Server Sensor applies built-in signatures and sophisticated protocol analysis with behavioral pattern sets and automated event correlation to prevent known and unknown attacks.
- Server Protection - Protects the underlying operating system by preventing attackers from exploiting operating system and application vulnerabilities.
- Web Application Protection - Provides Secure Sockets Layer (SSL) encrypted application layer intrusion monitoring, analysis, and response capability for both Apache and IIS web servers.
- Advanced Intrusion Prevention/Blocking - Monitors all traffic to and from the server or network to detect and prevent inbound attacks as well as block new and unknown outbound attacks such as buffer overflows, Trojans, brute force attacks, unauthorized access and network worms.
Other features include:
- Console and Network-Based Intrusion Protection
- Broad Platform Coverage
- Windows Server 2003 and Windows 2000 Server Certified
- Audit policy management
- IBM Proventia Management SiteProtector
- Advanced Event Correlation and Analysis
- Backed by the X-Force
- Global Technical Support
|
|
COMMERCIAL
|
Information Updated: 06 Sep 2007
|
|
Kane Secure Enterprise KSE
|
|
|
Intrusion Inc
|
|
|
Whilst a fantastic product, KSE is sadly no longer supported by Intrusion Inc.
|
|
COMMERCIAL
|
Information Updated: 23 Oct 2002
|
|
LIDS
|
|
Linux
|
|
http://www.lids.org
|
|
A kernel patch and admin tool that enhances Linux kernel security by implementing a reference monitor and Mandatory Access Control in the kernel.
It provides protection of files, protection of processes, fine-grained access controls, the ability to use and extend capabilities to control the whole system, security alerts from the kernel, an in-kernel port scan detector and more.
|
|
GNU GPL
|
Information Updated: 5 Jan 2004
|
|
Logsurfer
|
|
Unix
|
DFN-CERT
|
http://www.cert.dfn.de/eng/logsurf/
|
|
The program "logsurfer" was designed to monitor any text-based logfiles on your system in real time. The large amount of log information collected (like all messages handled by the syslog daemon, or logfiles from your information services such as FTP, WWW etc.) makes it nearly impossible to check your logs manually to find any unusual activity. You need a program to do this for you.
Matching of lines is done by two regular expressions (the log line must match the first expression but must not match the optional second regular expression), so you are able to specify exceptions.
|
|
FREEWARE
|
Information Updated: 24 Jul 2001
|
|
M-ICE (Modular Intrusion Detection and Countermeasure Environment)
|
|
Unix (BSD, Linux)
|
Thomas Biege <thetom@uin4d.de>
|
http://m-ice.sourceforge.net/
|
|
The main target of M-ICE is host-based ID systems, but it is also possible to interoperate with other IDS architectures as long as they use the open and standardized message format IDMEF.
The main goal of M-ICE is to fit every infrastructure and to be highly adaptable. M-ICE basically consists of only three daemons that can be customized by loading binary modules to fulfill all needed tasks and more. Modules can be used to:
- filter log-data (client)
- pseudonymize log-data (client)
- put raw log-data in a more usable format (client)
- decode packages sent by other M-ICE components
- store log-data/alerts in a database
- analyze data
- manage detected alarms
- execute reactions (client, or elsewhere)
All parts of M-ICE can be installed on a single host, or each on a different host in a TCP/IP network. This gives an administrator the freedom to handle different needs with only one system.
At the moment M-ICE is not ready for use in a production environment.
|
|
FREEWARE
|
Information Updated: 5 Jan 2004
|
|
Microsoft Operations Manager (MOM)
|
|
Microsoft Windows
|
Microsoft
|
http://www.microsoft.com/mom
|
|
Even though it was developed as a system management framework, Microsoft Operations Manager (MOM), which is based on code acquired by Microsoft from NetIQ, is a powerful event log consolidator that can of course also be used to monitor security-related events and activities on the systems.
It has also been covered in a SANS Institute paper:
http://www.sans.org/rr/papers/index.php?id=1127
Intrusion Detection with MOM - Going Above the Wire
Don Murdoch, July 29, 2003
|
|
COMMERCIAL
|
Information Updated: 5 Jan 2004
|
|
NetIQ Security Management Pack for MOM
|
|
Microsoft Windows
|
NetIQ
|
http://www.netiq.com/products/xmp/default.asp
|
|
For companies implementing Microsoft Operations Manager (MOM) as their core system for monitoring Windows events and system performance and automating response actions, NetIQ provides an integrated security management solution. NetIQ's Security Management Pack for MOM (SMP for MOM) extends the MOM architecture and functionality, allowing you to react to security events in real-time to protect critical systems and data.
NetIQ's SMP for MOM includes three modules: XMP for Microsoft Windows Security, XMP ModuleSet for Anti-Virus Applications and XMP for NetIQ's Security Analyzer.
Each module provides a set of rules and associated knowledge to identify and respond to critical Windows and IIS security events. It also monitors the logs of several antivirus vendors (McAfee, Symantec, Trend).
This is basically using MOM for security management, but preconfigured and tuned out of the box.
|
|
COMMERCIAL
|
Information Updated: 5 Jan 2004
|
|
NetIQ Security Manager
|
|
Microsoft Windows
|
NetIQ
|
http://www.netiq.com/products/sm/default.asp
|
|
NetIQ's Security Manager simplifies the management of security point products with real-time monitoring, correlation, analysis, automated response and reporting through a powerful central security console. Security Manager also provides host-based intrusion detection, log consolidation and an extensible out-of-the-box security knowledge base to maintain best practices. Enterprise-scalable to thousands of servers and workstations, Security Manager allows organizations to fully integrate and leverage security events from other security solutions operating in the enterprise.
This is basically a stripped-down version of MOM which includes ONLY the rules of the Security Pack. In addition, it can also monitor (i.e. it provides rulesets for) firewalls (Cisco PIX, FW-1) and integrate with NIDS sensors (ISS).
|
|
COMMERCIAL
|
Information Updated: 5 Jan 2004
|
|
NetIQ VigilEnt Log Analyzer
|
|
Microsoft Windows
|
NetIQ
|
http://www.netiq.com/support/vlm/default.asp
|
|
VigilEnt Log Analyzer provides a complete enterprise solution for log archival and consolidation, security event analysis and log forensics. It enables security officers and administrators to truly analyze and understand the security events from a wide variety of operating systems, firewalls, intrusion detection systems and other devices. VigilEnt Log Analyzer also provides business intelligence capabilities for performing advanced security trend analysis at an enterprise level.
|
|
COMMERCIAL
|
Information Updated: 5 Jan 2004
|
|
Sebek - (already mentioned in 'Honeypots')
|
|
Linux, Solaris.
|
The HoneyNet Project
|
http://www.honeynet.org/tools/sebek
|
|
Even if it is already mentioned in the page concerning honeypots, and even if Sebek has been written by the Honeynet Project, it is not exactly a honeypot. Rather, it is a tool for gathering data ON a honeypot.
It is used to watch the activity on a system (supposedly the activity of a hacker after breaking into a honeypot), but nevertheless it can be used to watch activity on ANY system, honeypot or real. Thus I thought it was worth mentioning here too.
The Honeynet Project has released several tools which might be used this way, as an extra deep layer of logging of what happens on a system, such as shell loggers, etc.
We suggest reviewing them at:
http://www.honeynet.org/tools/index.html
|
|
COMMERCIAL
|
Information Updated: 07 Mar 2000
|
|
SentryTools (ex-Abacus Project)
|
|
Most Unix variants
|
Psionic Inc - now Cisco
|
http://sourceforge.net/projects/sentrytools/
|
|
The Abacus Project suite currently consists of the following tools:
- Psionic Logcheck/LogSentry - This tool is a clone of a program that ships with the TIS Gauntlet firewall but has been changed in many ways to make it work nicely for normal system auditing. Logcheck will automatically monitor your system logs and mail security violations to you on a periodic basis.
- Psionic PortSentry - PortSentry is a port scan detector that takes an active stance to shut down attacking hosts while notifying administrators, and provides easy configuration and startup. Attacking hosts are denied access to your host by dropping local routes, dynamic packet filter changes, or adding the host to a TCP Wrappers hosts.deny file, all in real time.
- Psionic HostSentry - HostSentry is a host-based intrusion detection tool that performs Login Anomaly Detection (LAD). This tool allows administrators to spot strange login behavior and quickly respond to compromised accounts and unusual behavior. HostSentry incorporates a dynamic database and actually "learns" the user login behavior. This behavior is then utilized by modular signatures to detect unusual events.
The Abacus Project was recently bought by Cisco.
Development of the product continues under the GPL and has moved to SourceForge: http://sourceforge.net/projects/sentrytools/
As far as I can tell, only PortSentry and LogSentry are present on SourceForge right now.
|
|
GNU GPL
|
Information Updated: 5 Jan 2004
|
|
SNARE Server
|
|
Multi Platform (not available yet)
|
IntersectAlliance
|
http://www.intersectalliance.com/snareserver/index.html
|
|
System iNtrusion Analysis and Reporting Environment - Server
InterSect Alliance's System iNtrusion Analysis and Reporting Environment (SNARE), is an Enterprise audit Event Log analysis solution, comprising a central audit event collection, analysis, reporting and archive service, and security 'agents' for multiple operating systems and applications.
Snare is currently only available to customers in the Asia Pacific region, through a "Snare Service" arrangement with either InterSect Alliance or InterSect Alliance partners.
|
|
COMMERCIAL
|
Information Updated: 5 Jan 2004
|
|
SNARE Agent for Linux (ex-SNARE)
|
|
Linux
|
IntersectAlliance
|
http://www.intersectalliance.com/projects/index.html
http://www.intersectalliance.com/projects/Snare/index.html
|
|
SNARE is divided into two components, the snare-core package and the snare GUI.
Both components are open source, and are licenced under the GNU Public Licence.
The snare-core package includes the SNARE audit kernel module and the audit daemon.
The snare package provides the SNARE graphical user interface.
Due to the nature of Linux modules, the binary versions of the snare-core package are kernel version specific. Binary packages are provided for recent Redhat kernels.
|
|
GNU GPL
|
Information Updated: 5 Jan 2004
|
|
SNARE Agents (others)
|
|
Various OSes (Agent-Specific)
|
IntersectAlliance
|
http://www.intersectalliance.com/projects/index.html
|
|
Snare Agent for Windows (ex-BackLog)
Snare for Windows provides front end filtering, remote control, and remote distribution for Windows eventlog data.
Formerly known as BackLog, Snare for Windows interfaces with the Windows EventLog subsystem. It can be used as a standalone auditing tool, or can send data to the Snare Server, or to a SYSLOG server, for analysis and storage.
Snare for Internet Information Server Web Servers (formerly BackLog for IIS) is designed to send IIS log data back to a central SNARE or Syslog server in real time.
Moreover, InterSect Alliance now provides some further agents:
Snare Agent for Lotus Notes
Snare for ISA Servers
Snare Agent for Solaris
|
|
GNU GPL
|
Information Updated: 5 Jan 2004
|
|
Snort
|
|
Most Unix flavours, Win32
|
Snort (sponsored by SourceFire)
|
http://www.snort.org
|
|
Even though this famous software is purely a Network IDS, its author suggests its use as a host-based IDS sensor in the following presentation:
http://www.blackhat.com/presentations/bh-usa-01/MartyRoesch/bh-usa-01-Marty-Roesch.ppt
(check slide n.11)
The idea is not to use promiscuous mode, but to capture only the attacks targeted at that host, at the network level, regardless of whether they leave traces in the logs or not, and even before those attacks might get dropped by a local firewall or TCP wrapper. This might indeed be very useful.
|
|
GNU GPL
|
Information Updated: 5 Jan 2004
|
|
SNIPS (formerly NOCOL)
|
|
Unix
|
|
http://www.navya.com/software/snips/
|
|
SNIPS (System & Network Integrated
Polling Software) is a system and network monitoring software that
runs on Unix systems and can monitor network and system devices. It is
capable of monitoring DNS, NTP, TCP or web ports, host performance,
syslogs, radius servers, BGP peers, etc. New monitors can be added
easily (via a C or Perl API).
|
|
FREE!
|
Information Updated: 13 Jun 2002
|
|
CSA StormWatch and SHS
|
|
Windows NT4 Server or Workstation
Windows 2000
|
Cisco (formerly OKENA, Inc)
|
http://www.okena.com/en/US/products/sw/secursw/ps5057/index.html
|
|
OKENA StormWatch defends against the proliferation of attacks across networks by deploying intelligent agents across desktops and servers to ensure their integrity. StormWatch agents intercept an application's resource requests to the operating system to make a real-time allow/deny decision according to the customer's application security policy.
One of the values and competitive advantages of StormWatch is the ability to correlate actions. This applies at the agent level, where events from the four different interceptors are correlated, as well as at the network-wide level, where events from multiple agents are also correlated. This interrelationship of events, and the resulting pro-active actions taken by StormWatch, is crucial in preventing new and unknown attacks.
|
|
Commercial
|
Information Updated: 5 Jan 2004
|
|
Swatch (Simple Watchdog or Simple Watcher, depending on the documentation)
|
|
Agent: UNIX
Console:
|
Stephen Hansen and Todd Atkins, Stanford
University
|
ftp://ftp.stanford.edu/general/security-tools/swatch
|
|
AWAITING UPDATE. Multihost based, limited misuse detection … Swatch (Simple WATCHer) is a program for UNIX system logging and management developed at the Electrical Engineering Computer Facility at Stanford University. Swatch was designed to keep system administrators from being overwhelmed by large quantities of log data. It monitors log files and acts to filter out unwanted data and take one or more simple user-specified actions based upon patterns in the log. Swatch can monitor information as it is being appended to a log file and alert system administrators immediately to serious system problems as they occur.
Stephen E. Hansen and Todd Atkins. Automated system monitoring and notification with Swatch. In Proceedings of the USENIX Systems Administration (LISA VII) Conference, pages 145-155, November 1993.
It appears that the original site is now down. Please check Logsurfer instead.
|
|
GNU GPL
|
Information Updated: 5 Jan 2004
|
|
Symantec Host IDS - ex 'Intruder Alert'
|
|
Management Console: Windows NT, Sun Solaris™
Agents: AIX, Digital UNIX™, HP-UX, Solaris, Windows NT, NetWare
Manager: AIX, HP-UX, Solaris, Windows NT
|
Symantec Corporation.
|
http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=48&PID=12812915&EID=0
|
|
Symantec Host IDS provides real-time monitoring, detection, and prevention of security breaches, delivering automated policy enforcement and incident response for servers, applications, and data. As a complement to firewalls and other access controls, it enables administrators to develop proactive policies to stop hackers or authorized users with malicious intent from misusing systems.
New process management capabilities combine multiple intrusion prevention technology functions, including process reporting, monitoring, and blocking. Process Reporter provides access to granular process data so administrators can make rapid, informed decisions regarding server security. Process Monitor allows administrators to define a wide variety of security configurations to provide a fault-tolerant, secure environment. Process Blocker allows administrators to restrict server capabilities through defined policies to prevent malicious activity. These technologies provide an efficient and non-intrusive intrusion protection solution to stop threats such as buffer overflow attacks.
The product, under the name 'Intruder Alert', was originally developed by Axent Technologies, which was later acquired by Symantec. Axent was developing Raptor (now Symantec Enterprise Firewall, and the codebase for the more modern and evolved appliances Symantec has released, like Symantec Gateway Security).
The original 'Intruder Alert' is still supported, in its latest version, 3.6.
http://enterprisesecurity.symantec.com/content/ProductJump.cfm?Product=171&EID=0
|
|
COMMERCIAL
|
Information Updated: 5 Jan 2004
|
|