[684] in Intrusion Detection Systems


Re: I need IDS papers !!

daemon@ATHENA.MIT.EDU (mdr@vodka.sse.att.com)
Wed Mar 27 07:17:14 1996

From: mdr@vodka.sse.att.com
To: ids@uow.edu.au
Date: Mon, 25 Mar 1996 09:11:57 -0500 (EST)
In-Reply-To: <9603232024.AB16850@ritsec2> from "Hatem Ahmed El-Manawy" at Mar 23, 96 08:24:59 pm
X-Mailer: ELM [version 2.4 PL23-upenn2.7]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: owner-ids
Precedence: bulk
Reply-To: ids


>
> Hi Every body,
>
>         This is Hatem El-Manawy. I'm a post-graduate student in Cairo University
> Faculty of Engineering. I'm studying intrusion detection systems ( both
> host-based & network-based ) .
>
>         I'm having some difficulties concerning having information about intrusion
> detection. Would you please send me any papers or information about
> intrusion detection.
>
>         Thank you.
>
>                                                 Hatem El-Manawy
>
> PS
>         Please send it on this e-mail:
>
>                                 hmanawy@ritsec2.com.eg
>


Since I received so many requests for the results of my query, I decided
to reply to the general list:

Many thanks again to those who responded.

====================================================================

Hi,

> On Mon, 22 Jan 1996, Fred Cohen wrote:
> I do know DIDS.  It is not a commercial product and is not generally
> available.  It does an admirable job, but it is resource intensive (cpu
> cycles, disk space, and operator and analyst time).  Even if it were
> available, it would not be a solution for very many sites.
How does one obtain it?

> However, Phillipe Langlois
> mentioned one developed in France.  Perhaps he could summarize this
> product for our edification??
IDERS is a product (under permanent improvement) which collects data from
numerous probes at various subsystems (network, file system, process use,
commands, data contained in files...). The probes report data to a central
program which tries to produce clear and understandable reports.
It tries to detect fuzzy attacks which are not often detected with
normal tools.
IDERS is a commercial _service_; it's not sold but installed for our clients
as a tool for our security service.

PhiL.
--
Philippe Langlois
INTRINsec - Securite informatique
Philippe.Langlois@INTRINsec.com - http://www.INTRINsec.com

====================================================================

From: "Lisa M. Jaworski" <lisaj@tis.com>
Content-Type: text
Content-Length: 339
Status: RO

Mark,

I just received info from SAIC regarding its intrusion detection
product.  It's called CMDS (Computer Misuse Detection System) &
the POC is Paul Proctor (proctor@mls.saic.com).  The marketing
literature comes with a slew of paperwork, including a paper on
audit reduction & misuse detection in heterogeneous environments.

Lisa J.

====================================================================

From: Mark_W_Loveless@smtp.bnr.com
Message-Id: <9600298229.AA822944324@smtp.bnr.com>
To: mark.riggins@att.com
Subject: Re: intrusion detection
Content-Type: text
Content-Length: 1229
Status: RO

     Try the alt.2600 FAQ via anon ftp at

     rtfm.mit.edu       /pub/usenet-by-group/alt.2600

     There is a fairly complete list of hacker hangouts, security
     newsgroups, mailing lists, and a ton of web links (assuming the latest
     version is out there, it was recently updated in the last couple of
     months).

     Bear in mind it is written from the perspective of the guys you want
     to keep out of your system.

====================================================================

From: Alan Dowd <dowd@sctc.com>
To: mark.riggins@att.com
Subject: Re: intrusion detection
In-Reply-To: <9601252031.AA04494@ig1.att.att.com>
Message-Id: <Pine.SUN.3.91.960129085436.1087B-100000@mario.sctc.com>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Length: 1391
Status: RO

Greetings, Mark!

The obvious, obvious is Fred Cohen's web site. One may not like the
way he posts, but he does do a lot of consulting work on intrusion
detection/prevention. I don't have his URL handy, but he writes to
Best of Security and posts the URL in his sig block.

Other obvious, obvious is NCSA - the security folk at www.ncsa.com,
not the super-computer folk.

There is a list of maillists at http://www.iss.net/iss/maillist.html -
Intruder Detection is described there.

Good Luck,
--
Alan Dowd                            Phone:  +1 612 628 1641
Secure Computing Corporation         FAX:    +1 612 628 2701
2675 Long Lake Road                  URL:    http://www.sctc.com
Roseville, MN 55113-2536             E-Mail: dowd@sctc.com
--


====================================================================
From: "Lisa M. Jaworski" <lisaj@tis.com>
Content-Type: text
Content-Length: 319
Status: RO

Mark,

Are you familiar with the work that Teresa Lunt was doing when she
was at SRI?  She is now a Program Mgr at ARPA (try lunt@arpa.gov but
I'm not sure if that's right.)  Also, Christopher Klaus cklaus@iss.net.
SAIC has a product out now, too.  Check out their web pages for more
info & a POC.

Take care,
Lisa J.


====================================================================
From: Torsten Sturm <tnsturm@cip.informatik.uni-erlangen.de>
Organization: CSD, Univ. Erlangen-Nuernberg, Germany
X-Mailer: Mozilla 2.0b5 (X11; I; SunOS 4.1.3 sun4m)
Mime-Version: 1.0
To: mark.riggins@att.com
Original-Cc: firewalls@greatcircle.com
Subject: Re: intrusion detection
References: <9601252031.AA04494@ig1.att.att.com>
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
Content-Type: text/plain; charset=us-ascii
Content-Length: 1034
Status: RO


The COAST Projects are somewhat dedicated to various flavours of
intrusion detection and are always a good starting point !


http://www.cs.purdue.edu/coast/coast-tools.html

HTH, Torsten

--
InfoSec webpage :
http://www.rrze.uni-erlangen.de/~unrzg3/security/security.html
__________________________________________________________________
 http://wwwcip.informatik.uni-erlangen.de/user/tnsturm/index.html


====================================================================

From: Darren Reed <avalon@coombs.anu.edu.au>
Subject: Re: intrusion detection
To: mdr@vodka.sse.att.com
Date: Mon, 29 Jan 1996 21:19:39 +1100 (EDT)
In-Reply-To: <9601261408.AA24513@ig2.att.att.com> from "mdr@vodka.sse.att.com" at Jan 26, 96 09:09:02 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1042
Status: RO

In some mail from mdr@vodka.sse.att.com, sie said:
>
> Do you have reach info for Omniguard?

not handy, but will see what I can do.

> > Omniguard distribute a suite of programs on a single CD-ROM, one of which
> > is supposedly an intrusion detection program.  I say supposedly because
> > I've not had a valid license key to do anything useful with it.
> >
> > darren
> >

====================================================================

From: Jordan Hayes <jordan@Thinkbank.COM>
Message-Id: <199601262322.PAA25215@Thinkbank.COM>
To: mdr@vodka.sse.att.com
Subject: Re: intrusion detection
Content-Type: text
Content-Length: 356
Status: RO

        From: mdr@vodka.sse.att.com
        Subject: Re: intrusion detection
        To: jordan@thinkbank.com (Jordan Hayes)

        Do you have a reach number or email address or something to help me
        reach them?

        >
        > There's a group at UC Davis doing this.  Jeremy Frank is one of the
        > people involved.
        >
        > /jordan
        >

Try Jeremy Frank <frank@cs.ucdavis.edu> ...

/jordan

====================================================================
From: Adam Shostack <adam@bwh.harvard.edu>
X-Organization: Brigham & Womens Hospital, A Teaching Affiliate of Harvard Medical School
Message-Id: <199601262115.QAA17839@bwface.bwh.harvard.edu>
Subject: Re: intrusion detection
To: mark.riggins@att.com
Date: Fri, 26 Jan 1996 16:15:09 -0500 (EST)
In-Reply-To: <9601252031.AA04494@ig1.att.att.com> from "mdr@vodka.sse.att.com" at Jan 25, 96 03:34:09 pm
X-Pgp: 0xE794DA91  FD3C3450FEB4A0B8  18F2E72CA82D29B8
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Content-Length: 745
Status: RO

Some of Spaf's students at COAST have papers.

Adam


====================================================================

From: gilsinn@cam.nist.gov (Judith F Gilsinn)
Message-Id: <9601261446.AA00755@trumpet.cam.nist.gov>
To: mdr@vodka.sse.att.com
Subject: Intrusion detection mailing list
Content-Type: text
Content-Length: 281
Status: RO

I have a year old reference to an intrusion detection mailing list.  Send
mail to majordomo@uow.edu.au with subscribe ids in the message body.
Since I don't subscribe to this list, I don't know its status, but you might
want to try it.

Judy Gilsinn
NIST Computer Security Officer

====================================================================
From: "Steve Lodin" <swlodin@cs.purdue.edu>
Message-Id: <9601260941.ZM29056@narnia.cs.purdue.edu>
Date: Fri, 26 Jan 1996 09:41:24 -0500
In-Reply-To: Darren Reed <avalon@coombs.anu.edu.au>
        "Re: intrusion detection" (Jan 26,  4:41pm)
References: <199601260541.VAA07236@miles.greatcircle.com>

On Jan 26,  4:41pm, Darren Reed wrote:
>
> Omniguard distribute a suite of programs on a single CD-ROM, one of which
> is supposedly an intrusion detection program.  I say supposedly because
> I've not had a valid license key to do anything useful with it.
>

If you are talking about the Axent Omniguard suite of tools, there is a product
called Intruder Alert (ITA).  I just installed a temporary license for the
COAST lab the other day.  It looks like a simple syslog watcher from my limited
experience with it.

Steve

--
Steve Lodin
Purdue - swlodin@cs.purdue.edu http://www.cs.purdue.edu/people/swlodin
Delco Electronics - swlodin@delcoelect.com (317)451-0479
Home - swlodin@iquest.net http://www.iquest.net/~swlodin/

====================================================================
From: stevenf@goodnet.com (Steven Fullmer)
Subject: Re: intrusion detection
Content-Type: text/plain; charset="us-ascii"
Content-Length: 780
Status: RO

CommerceNet at http://www.commerce.net has an electronic jump station.  Go
to the "security" section and use it as a jumping off point.  **was a good
start when I wrote the page 5 months ago???***


====================================================================
From: Jody C Patilla <jcp@tis.com>
Message-Id: <9601261407.AA00883@tis.com>
Subject: Re: intrusion detection

I have a paper here on my desk which outlines a rule-based approach to
intrusion detection. It's eventually going to be published by the IEEE,
although I received it from one of the authors, Phil Porras. Drop him a
line at porras@aero.org for more information.

- jcp

=========================================================================
From: K.T.Khoo@iti.salford.ac.uk
Date: 26 Jan 96 13:55

Hi,

I am a PhD student working on IT security, esp. on PKI, although my interest is
on intrusion detection . . . .

You may find quite some good papers on the said topic, esp. 'An Application of
Pattern Matching in Intrusion Detection' from:

http://www.cs.purdue.edu//coast/coast-library.html

Do keep in touch.  Cheers!

Vincent Khoo

====================================================================

From: Carolina Elortegui <celort@kuma.ciens.ucv.ve>
Subject: intruder and more

Hi Mark, I've read your message in the firewalls list.

I'm working on my thesis (the work you have to do here to graduate in
Computer Science). It is an investigation work that takes at least a year,
and then you have to explain to the judge (sorry if that is not the correct
term) what you did, why, how, etc.

I'm working in UNIX Security, and I'm interested in the last part of my
work, about intruder detection and some intrusion cases from real
life.  I don't have so much material, but I've found a paper called:
        Computer Break-Ins (something like that)
        Intruder Detection in your UNIX System

and some others.   If you are interested, I can send you a list of what I
have, and if you need something, I can tell you how to download it from
this computer by anonymous FTP.

If you have something about UNIX Security, how to improve Security,
especially Access Security, Network Security, and Break-ins, I will
appreciate it.

I also work as SysAdmin in a UNIX installation, and I'm trying to improve
the Security here.  I had some problems with a break-in I detected, but I
solved it.  I'm trying to apply all I learn in these systems.

Hope you Reply soon

Cary


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carolina Elortegui                         Laboratorio de Postgrado
Universidad Central de Venezuela                      Administrador
Facultad de Ciencias
Escuela de Computacion             E-mail: celort@kuma.ciens.ucv.ve
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

====================================================================

From: Darren Reed <avalon@coombs.anu.edu.au>
Subject: Re: intrusion detection


Omniguard distribute a suite of programs on a single CD-ROM, one of which
is supposedly an intrusion detection program.  I say supposedly because
I've not had a valid license key to do anything useful with it.

darren


====================================================================
From: Ron DuFresne <dufresne@winternet.com>
To: mdr@vodka.sse.att.com

Mark,

You prolly have already done so, but you can do a web search on 'mitnick'
and come up with tons of info; don't expect much from Yahoo, but Lycos
will keep you busy for a full day at least.  And not all the info is
Mitnick oriented.  Also, you may wish to exchange some private mails with
Ray Kaplan from the list here; he has some very good insights into this
perspective.

In the same token, I would be interested in seeing the 'workbench' you
are able to piece together.

Thanks, my best to you and yours,

Ron DuFresne

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
====================================================================

From: garland@gatekeeper.cb.att.com
To: mark.riggins@att.com

Hi Mark,

Intrusion detection...  here are a few quick notes.
These are all public domain.  more details available upon request, including
URLs.  sorry for the terse message.  I am on a rather convoluted
link, that includes dialup from a hotel, ppp, an Internet connection,
and a GUARD connection into AT&T.

COPS by Dan Farmer is a reasonable system scanner.  tiger is another similar
tool.
tripwire, with md5, and binaudit scan for changes to the file system.
swatch is a tool that analyzes log files.
There are a few other tools that scan a system from the outside.  They are
basically portscanners, with some intelligence built in.  ISS, nfsbug,
SATAN are examples.

Chris
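
The note above describes tripwire (with md5) and binaudit as tools that "scan for changes to the file system". As an added example, not code from the thread or from any of the tools it names, here is that idea in a few functions: record permissions, ownership, size, mtime and a content hash for every entry under a directory, store that baseline, and later diff the live tree against it. The tools of the era used MD5; this example uses SHA-256 because MD5 is no longer collision resistant. The directory layout, file contents and the `demo()` scenario are constructed for the example.

```python
# Added example, not code from the original mailing-list thread.
# Tripwire-style file integrity check: baseline a directory tree, then
# compare the live tree against the stored baseline.  The tree built in
# demo() is constructed for this example.
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Describe one filesystem entry without following symlinks."""
    st = path.lstat()
    rec = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()  # MD5 in the 1996 tools; SHA-256 today
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)  # a redirected symlink is a change too
    return rec


def build_baseline(root) -> dict:
    """Map each path (relative to root, POSIX form) to its record."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order; symlinked dirs are not followed
        for name in sorted(filenames):
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = file_record(p)
    return baseline


def save_baseline(baseline: dict, out_path) -> None:
    """Write the baseline as JSON; keep this copy off the monitored host."""
    Path(out_path).write_text(json.dumps(baseline, sort_keys=True, indent=1))


def load_baseline(in_path) -> dict:
    return json.loads(Path(in_path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and changed entries; for changed entries list
    every attribute that differs as (old, new)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        diffs = {
            k: (old.get(k), new.get(k))
            for k in sorted(set(old) | set(new))
            if old.get(k) != new.get(k)
        }
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Baseline a small constructed tree, alter it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as store:
        root = Path(tmp)
        for d in ("bin", "etc", "tmp"):
            (root / d).mkdir()
        login = root / "bin" / "login"
        login.write_bytes(b"#!/bin/sh\necho login\n")
        (root / "etc" / "motd").write_text("welcome\n")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")

        save_baseline(build_baseline(root), Path(store) / "baseline.json")
        baseline = load_baseline(Path(store) / "baseline.json")

        # Replace the contents of bin/login with same-length data and restore
        # its old mtime: size and timestamp checks alone would miss this edit,
        # the content hash does not.
        old_st = login.lstat()
        login.write_bytes(b"#!/bin/sh\necho LOGIN\n")
        os.utime(login, (old_st.st_atime, old_st.st_mtime))
        (root / "etc" / "motd").unlink()
        (root / "tmp" / ".hidden").write_text("x\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report for the demo tree flags `tmp/.hidden` as added, `etc/motd` as removed, and `bin/login` as changed with only the `sha256` attribute differing, which is the whole point of hashing content rather than trusting size and mtime. As with Tripwire, the baseline is only as trustworthy as its storage: keep it (and the checker itself) on read-only media or another host, since a baseline that can be rewritten on the monitored machine can be rewritten along with the files it describes.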


====================================================================
From: swlodin@cs.purdue.edu (Steve Lodin)
Message-Id: <199601260243.VAA27520@narnia.cs.purdue.edu>
Subject: Re: intrusion detection

This may be obvious, but have you checked the COAST Archive?  I know we
have about 5 IDS papers there.  Check the COAST Web page also
(http://www.cs.purdue.edu/coast) because the group is working on a
project called IDIOT (Intrusion Detection In Our Time).  Alternatively,
there has been much IDS research at UC Davis.

Steve
--
Steve Lodin
Purdue - swlodin@cs.purdue.edu http://www.cs.purdue.edu/people/swlodin
Delco Electronics - swlodin@delcoelect.com (317)451-0479
Home - swlodin@iquest.net http://www.iquest.net/~swlodin/
====================================================================

From: Jordan Hayes <jordan@Thinkbank.COM>
Message-Id: <199601260153.RAA15092@Thinkbank.COM>
To: mdr@vodka.sse.att.com
Subject: Re: intrusion detection
Content-Type: text
Content-Length: 94
Status: RO

There's a group at UC Davis doing this.  Jeremy Frank is one of the
people involved.

/jordan

====================================================================
Have you tried looking at the ids list?

ids@uow.edu.au

(use the -request form to subscribe).

Ben.
____
Ben Samman..............................................samman@cs.yale.edu
"If what Proust says is true, that happiness is the absence of fever, then
I will never know happiness. For I am possessed by a fever for knowledge,
experience, and creation."                                      -Anais Nin
PGP Encrypted Mail Welcomed      Finger samman@powered.cs.yale.edu for key
Want to give a soon-to-be college grad a job?         Mail me for a resume

====================================================================
From: Jim Cannady <james.cannady@gtri.gatech.edu>
Subject: Re: Network Intrusions
Content-Type: text/plain; charset="us-ascii"
Content-Length: 2022
Status: RO

Hi Mark,

  Yeah, I got more reference material than my desk can stand at the moment!!
I've been collecting this stuff for the past couple of years, and I'm sure that
I've got close to everything that's been published on the topic in a refereed
journal.
Let me know your specifics and I'll see what I can find.

Jim



>> ==================================
>> James Cannady                     |
>> Research Scientist                |
>> Georgia Institute of Technology   |
>> GTRI/ITL/CSITD                    |
>> James.Cannady@gtri.gatech.edu     |
>> (404) 894-9730                    |
>> ==================================
====================================================================

From: jim@SmallWorks.COM (Jim Thompson)
Message-Id: <9511292047.AA10059@hosaka.smallworks.com>
To: cibir@netcom.com
Subject: Re: Intruder & Analysis Software
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
Content-Type: text
Content-Length: 47
Status: RO



'Stalker' from Haystack Labs, in Austin, TX


====================================================================



Information Week is a good one.  Check out back issues.  Usenix
Proceedings, webpages... check out my web page

www.ticllc.net/~scrtnizr

Click on the blue section of the brain (you must have a Netscape that
supports client-side image maps) or click on "hackhot" on the bottom of
the page.  Then go to the "Misc." and "Security" pages.  I believe that I
have links to several hacker's pages there.  Don't know what kind of info
they all contain though, as I have not visited some of these sites in a
while.

Newsgroups... nada.  alt.2600 is juvenile, and the alt.security hierarchy
is getting that way.  I stopped reading those a LOONG time ago.

Mailing lists.  Perhaps Cypherpunks.  No one is really going to tell
about their exploits, at least no one who is smart enough.  Also try
things such as Phrack (ftp.fc.com)  Computer Underground Digest (CUD),
and CotNO (try ftp.ezine.com for Communications of the New Order).

> Also, I would like to collect information from various hacker
> exploits.  Does anybody have a good hackers workbench?

Best thing to do is get a collection of 8lgm scripts, and look around
places for security or hack directories.

Try places like l0pht.com, 2600.com, fc.com, and many others.  Try
getting the 2600-FAQ from rtfm.mit.edu for a list of webspaces, ftp
sites, etc. at the end.

Hope this helps some,

Brain21
