[10814] in North American Network Operators' Group
Re: Intrusion Detection Systems
daemon@ATHENA.MIT.EDU (Mark Boolootian)
Mon Jul 14 18:54:03 1997
From: Mark Boolootian <booloo@cats.ucsc.edu>
To: Hamdi.Tounsi@ati.tn (Hamdi TOUNSI)
Date: Mon, 14 Jul 1997 14:22:27 -0700 (PDT)
Cc: nanog@merit.edu
In-Reply-To: <199707131120.LAA11718@tounes.ati.tn> from "Hamdi TOUNSI" at Jul 13, 97 11:08:42 am
Hamdi,
>I need some tools to monitor an IP network for intrusion detection.
>Can someone help me with this?
>I tried before some public domain tools like argus but I need to know if
>someone has successfully constructed a good & complete intrusion detection
>solution (i.e. monitoring, logging, real-time alarms, proactive monitoring,
>...)
Dan Esbensen and the folks at TTI have built what I consider to be
a very good intrusion detection system. It is capable of monitoring and
logging sessions, real-time and delayed playback of sessions, alarms with
various associated actions, etc. You can filter for specific textual
patterns in a flow or filter based on IP address or TCP port.
They've put the documentation online at
http://www.ttinet.com/doc/insa_v15_contents.html
They sell it as a bundled system. It runs under VMS on an Alpha which they
size based on the number of concurrent sessions you wish to monitor (I'm
not a fan of VMS, but the system is turn-key so you don't have to mess
with VMS unless you want to mung the log files generated by the system).
regards,
mb
--
Mark Boolootian
UC Santa Cruz