OsAudit v0.1 (log gathering, monitoring and analysis) available.
OsAudit version 0.1 is available for download.
OsAudit is a complete system for log gathering,
monitoring and analysis. It has two different running
modes: server and client.
For more information, go to:
http://www.ossec.net/osaudit/
http://osaudit.sourceforge.net
http://sourceforge.net/projects/osaudit/
For comments, suggestions or questions:
daniel.cid @ (at) gmail.com
Kewl ppl and projs
Met some really kewl ppl at the RSA show the last couple of days. Saw many of my old colleagues from Addamark, Cable & Wireless, and Exodus. Everyone’s walking the floor and chatting away.
Met Raffy Marty from ArcSight. He’s an SE over there. Seems like a really kewl guy. He’s started a mailing list on incident handling and stuff. When I get more info I’ll post it here.
Met a friend of Raffy’s (sorry, forgot the name) from OVAL.Mitre.org. He’s working on this new standard on describing how to check for vulnerabilities on hosts. Currently they have many of the host-based vulnerabilities described in OVAL. Definitely worth checking out.
This year’s show seems to be much busier than the last couple of years. From what I hear, the show was sold out quite a while back, unlike a couple of years ago when you could make a deal w/ RSA even a week before the show started. Hopefully that indicates a great Rooster year ahead.
RSA is a Biz Dev show
I manned the LogLogic booth for two days and I must have had a dozen people come by to try to sell us stuff or partner w/ us. Dell, Precise Terms, EventGnosis, etc etc etc. A long list of them.
Just thought it was interesting.
Interesting ArcSight Comments
So I was at RSA today talking to the various SEM/SIM vendors. I talked to one of the ladies at the ArcSight booth and I asked her whether ArcSight is a good solution for a company that has a bunch of Windows and UNIX servers and is getting about 500 messages per second. The lady said several interesting things.
First, “we don’t play the numbers game.” I was actually told by High Tower to ask ArcSight this question because High Tower kept saying ArcSight can’t handle the volume. I am not sure how to take it. Not sure if ArcSight can’t handle the volume or they just don’t want to measure their software that way.
Second, “we are not just a SIM vendor, we are in ESM. SIM’s just a component.” ESM being Enterprise Security Management. It’s ArcSight’s new marketing campaign but I am not sure what it exactly entails.
Third, she asked me “does the company have $1 BILLION in revenue?” I was like, what?! NO! She then said, “well, we really focus on LARGE enterprise customers with revenue over $1 BILLION. That company really should look at someone like LogLogic. They focus on the Global 2000 companies.”
I just thought these were interesting comments. Draw your own conclusions obviously.
SHA-1 broken?
From Schneier’s blog:
SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing.
The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu (mostly from Shandong University in China) have been quietly circulating a paper announcing their results
Definitely watch Schneier’s site for more information if you are interested.
More News during RSA
More news…who’s reading news when they can be at RSA?!
ARCSIGHT Closes Record-Breaking Year, Welcomes 100th Customer
PR Newswire (press release) - USA
15 /PRNewswire/ — ArcSight, Inc., the global leader in Enterprise Security
Management (ESM), today announced that it has surpassed 100 customers,
driving …
GUARDEDNET(R) First to Enable Automated, Proactive Policy …
PR Newswire (press release) - USA
15 /PRNewswire/ — [...]
RSA News Day
Seems like everyone’s trying to come out w/ some big news this RSA week.
LOGLOGIC’S VP of Product Management to Present at RSA Security …
Business Wire (press release) - San Francisco,CA,USA
This presentation will address one of the fastest growing issues in IT:
“log analysis.” During the session, the panel will discuss relevant topics
surrounding …
GUARDEDNET(R) Launches Latest [...]
Test Run: GuardedNet neuSecure 3.0
Greg Shipley has done a review for GuardedNet’s neuSecure product.
Security information management offerings are in mid evolution. One such work in progress, GuardedNet’s neuSecure, is a SIM platform worth watching. I tested an early beta of neuSecure 3.0 and found that, though it’s rough around the edges, it’s a clear step up from version 2.0.
What’s [...]
Mail Readings
Logreport.org has some really good information on email log formats. Check it out.
Sendmail
Postfix
Exchange
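As an added example (not from the original post, and not Logreport.org’s code), here is a small parser for the two syslog-based formats listed above, Sendmail and Postfix. Both MTAs log one message as several lines tied together by a queue ID, and the field names differ (Postfix writes `status=`, Sendmail writes `stat=`), so the parser keys on host plus queue ID and normalizes the delivery result from the `dsn=` code, which both MTAs emit. The log lines are constructed for this example; the hostnames, addresses and queue IDs are made up.

```python
import re
from collections import OrderedDict

# Constructed sample log, not taken from any real host. Mixes Postfix (mx1)
# and Sendmail (mx2) lines in standard syslog form, plus one Postfix line
# with no queue ID that a message-level summary should skip.
SAMPLE_LOG = """\
Feb 15 10:23:45 mx1 postfix/smtpd[1201]: connect from unknown[192.0.2.10]
Feb 15 10:23:45 mx1 postfix/smtpd[1201]: A1B2C3D4E5: client=unknown[192.0.2.10]
Feb 15 10:23:45 mx1 postfix/cleanup[1202]: A1B2C3D4E5: message-id=<001@example.com>
Feb 15 10:23:46 mx1 postfix/qmgr[1100]: A1B2C3D4E5: from=<alice@example.com>, size=2310, nrcpt=1 (queue active)
Feb 15 10:23:47 mx1 postfix/smtp[1203]: A1B2C3D4E5: to=<bob@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=1.4, delays=0.3/0.01/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
Feb 15 10:23:47 mx1 postfix/qmgr[1100]: A1B2C3D4E5: removed
Feb 15 10:30:02 mx2 sendmail[5678]: j1FIU2aB005678: from=<carol@example.org>, size=812, class=0, nrcpts=1, msgid=<002@example.org>, proto=ESMTP, daemon=MTA, relay=host.example.org [192.0.2.20]
Feb 15 10:30:03 mx2 sendmail[5679]: j1FIU2aB005678: to=<dave@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30812, relay=mx.example.net. [198.51.100.5], dsn=5.1.1, stat=User unknown
"""

# Classic syslog prefix: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<rest>.*)$"
)
# Message-level lines start with the MTA queue ID followed by ": "
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-Za-z]+): (?P<msg>.*)$")
# Words that sit where a queue ID would but are not one (Postfix diagnostics)
NOT_A_QUEUE_ID = {"warning", "error", "fatal", "panic", "statistics"}


def parse_line(line):
    """Return a dict for a queue-ID-bearing line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    qm = QUEUE_RE.match(m.group("rest"))
    if not qm or qm.group("qid") in NOT_A_QUEUE_ID:
        return None
    # Both MTAs write "key=value, key=value"; values may contain spaces
    # (Sendmail "stat=User unknown") but not ", " in the common cases.
    fields = {}
    for part in qm.group("msg").split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    prog = m.group("prog")
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "mta": "postfix" if prog.startswith("postfix/") else prog,
        "qid": qm.group("qid"),
        "fields": fields,
    }


def dsn_class(dsn):
    """Map an RFC 3463 enhanced status code to a coarse delivery result."""
    if not dsn:
        return "unknown"
    return {"2": "delivered", "4": "deferred", "5": "bounced"}.get(dsn[0], "unknown")


def summarize(log_text):
    """Correlate lines by (host, queue ID) into one record per message."""
    msgs = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = msgs.setdefault((rec["host"], rec["qid"]), {
            "mta": rec["mta"], "from": None, "client": None,
            "size": None, "recipients": [],
        })
        f = rec["fields"]
        if "client" in f:                       # Postfix smtpd line
            msg["client"] = f["client"]
        if "from" in f:                         # envelope sender line
            msg["from"] = f["from"].strip("<>")  # "<>" bounce sender becomes ""
            if "size" in f:
                msg["size"] = int(f["size"])
            if msg["client"] is None and "relay" in f:
                msg["client"] = f["relay"]       # Sendmail logs the client as relay=
        if "to" in f:                           # one line per recipient delivery
            msg["recipients"].append({
                "to": f["to"].strip("<>"),
                "dsn": f.get("dsn"),
                "result": dsn_class(f.get("dsn")),
                "detail": f.get("status", f.get("stat")),  # Postfix vs Sendmail
            })
    return msgs


if __name__ == "__main__":
    for (host, qid), m in summarize(SAMPLE_LOG).items():
        print(host, qid, m["mta"], m["from"], "via", m["client"])
        for r in m["recipients"]:
            print("   ->", r["to"], r["result"], r["dsn"], r["detail"])
```

The `dsn=` code is the field to key alerts on when you watch both MTAs with one rule: `status=sent` versus `stat=Sent` differ in spelling and case, while a 5.x.x code means a bounce in either format. Note the parser only sees lines carrying a queue ID, so connection-level events (connects, rejects logged under `NOQUEUE`, TLS handshakes) need their own handling if you want them.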
