Program Manufacturer O/S Program Type Web Site Program Description COTS or GOTS Network or Host Based
AID (Adaptive Intrusion Detection system) Michael Sobirey, Birk Richter UNIX Rules Based AID has a client-server architecture consisting of a central monitoring station and several agents (servers) on the monitored hosts. The agents take the audit data that were collected by the local audit functions and convert them into an operating system independent data format. The audit data is then transferred to the central monitoring station and analyzed by an Rtworks based real-time expert system. The security officer can access relevant monitoring capabilities and generate security reports via a graphical user interface. The prototype AID supports Solaris 2.X. N/A Multihost
AIMS US Army UNIX unknown Not Available The Automated Intrusion Monitoring System - has been in development since June 1995 for the US Army and is intended to provide local and "theater-level" monitoring of computer attacks. The system is currently installed at the Army's 5th Signal Command in Worms, Germany and will be used to monitor Army computers scattered throughout Europe. N/A ?
ALVA Abha Moitra, General Electric Solaris Statistical Audit Log Viewer and Analyzer tool - is a real-time tool for detecting potential security violations in UNIX audit logs. The system gains some level of platform independence by analyzing command logs that are precomputed from the system audit logs. A command log is a record of the user initiated commands and is reconstructed from the system call events recorded in the audit log. A simple profile based on command, success/failure, frequency of occurrence, and the domain of the target files is used to define a baseline of normal behavior for each user. A single penalty value is kept for each user, and when the user crosses a predefined threshold, ALVA reacts by contacting the security administrator and increasing the auditing level for the user. ALVA was developed to run on a C2 security level environment. N/A Host
ASAX Abdelaziz Mounji Unix, Solaris 2.x. Rules Based A package that allows you to analyze any form of Audit Trail by customizing the format description of your trail. Analyzing substantial amounts of data and extracting relevant information out of huge sequential files has always been a nightmare. Using highly sophisticated and powerful algorithms, ASAX tremendously simplifies the intelligent analysis of sequential files. ASAX's real power is unleashed by deploying its embedded, easy to use rule based language RUSSEL. Download from Coast FTP site at - N/A Host
ASIM AFIWC and Trident Systems Solaris 2.5 Rules Based Not Available Automated Security Incident Measurement. Monitors network traffic and collects information on targeted unit networks by detecting unauthorized network activity. The ASIM real-time alarming capability is implemented using a pop-up window under the X Window System. ASIM can also detect one Network Layer activity: SATAN scans. GOTS
Autonomous Agents for Intrusion Detection COAST Lab, Purdue Univ. UNIX, Solaris 2.x Current project being worked on at COAST by Mark Crosbie and Eugene Spafford. It is available to COAST sponsors. Contact COAST for further details. N/A Multihost
CMDS SAIC Solaris 2.5, HP/UX, DG/UX, AIX Rules Based Computer Misuse Detection System - Real-time audit reduction and alerting system. Uses an expert system and statistical profiling to analyze audit records. Uses attack signatures, both core and customized. One CMDS Analyst Toolkit is required for every 300 targets (workstations). COTS Multihost
ComputerWatch AT&T Bell Labs System V/MLS Rules Based The ComputerWatch Audit Trail Analysis Tool was developed by the Secure Systems Department at AT&T Bell Laboratories. The tool provides audit trail data reduction and limited intrusion detection capability. It is designed to assist the system security officer by reducing the amount of data that he/she views without the loss of any informational content. COTS Host
CSM (Cooperating Security Manager) Gregory White, Eric Fisch, Udo Pooch UNIX Rules Based, Statistical Not Available The Cooperating Security Manager (CSM) is an intrusion detection system designed to be used in a distributed network environment. Developed at Texas A&M, this system runs on UNIX based systems connected to any size network. The goal of CSMs is to provide a system that can detect intrusive activity in a distributed environment without the use of a centralized director. A system with a central director coordinating all activity severely limits the size of the network. Instead of reporting significant network activity to a central director, the CSMs communicate among themselves to cooperatively detect anomalous activity. N/A Network
Cybercop Network General Corp. System comes with Server and Sensors Rules Based Network based, anomaly and misuse detection using real-time surveillance of network traffic. Recognizes over 170 kinds of network and host-based intrusions. System was designed with the help of WheelGroup developers of NetRanger. COTS Network
DIDS (Distributed Intrusion Detection System) University of California, Davis, LLNL SunOS 4.1.1. or later Rules Based, Statistical The risk intrusion detection system that aggregates audit reports from a collection of hosts on a single network. Unique to DIDS is its ability to track a user as he establishes connections across the network. Possibly only available to U.S. AirForce. N/A Network
Discovery TRW Information Services Unknown Statistical Not Available Discovery searches for frequently occurring customer service access patterns to develop a "user profile" of customer inquiries. Daily customer inquiries are analyzed for error-free-inquiries, which are compared with the established customer profiles. Records which fall within acceptable bounds (using a weighted algorithm) are dropped from further processing, all records outside these bounds are recorded for further processing, and an error rejection message is displayed. Utilizes a self-learning, data driven expert system for pattern recognition. Capable of reviewing 400,000 inquires per day, from a potential base of 120,000 customer access codes. N/A Host
Emerald SRI International unavailable Rules Based Monitors large distributed systems and networks. Is intended to detect local attacks and coordinated attacks such as distributed denials of service or repeated patterns of attack. Uses highly distributed, independently tunable, surveillance and response monitors that are deployable polymorphically at various abstract layers in a large network. Funding support for this research provided by DARPA. Emerald will be the successor system to NIDES. COTS Network
eNTrax Cenrax Corp. NT Rules Based ENTRAX is the first comprehensive security detection and response product focused on the Windows NT centered information enterprise. Similar to the motion detectors and video cameras connected to a warehouse's central guard station, ENTRAX monitors, detects, and responds to attacks on the corporate enterprise and/or potential misuse of the valuable information assets it maintains. ENTRAX can detect specific misuse on your network through event log analysis, periodic configuration assessment, and configuration compliance. Misuse patterns (also known as attack signatures), statistical trending profiles, and profile deviations are used to alert you to many types of intrusion. Attack signatures include:

Attack anticipation
Log-in violations
Hacker attempts
Browsing of files
File access violations
Privilege abuse
Flight Jacket Anzen Solaris, BSD Rules Based The Anzen Flight Jacket Base NFR(TM) Network Monitoring System is an integrated software package containing the Network Flight Recorder (NFR) network monitoring enabling technology, secure server and client software from DataFellows, and BSDI operating system security enhancements.

Included in the current base release are a set of pre-programmed NFR packages for network monitoring, operational analysis, and intrusion detection.
COTS Network
GrIDS UC Davis Unix Rules Based Graphic Intrusion Detection System - GrIDS is designed to detect large-scale automated attacks on networked systems. In development, funded by ARPA. N/A Network
GUARDIAN DataLynx Inc. Most UNIX platforms
http://www GUARDIAN has rapidly become the de facto standard in UNIX account and access control software, supporting most popular versions of UNIX with a common and intuitive interface across all platforms. GUARDIAN's features include a Motif-based GUI coupled with on-line help for creating and maintaining user accounts. GUARDIAN provides multi-tiered assignment of security privileges by allowing the system administrator to grant password change authority to a designated password manager. Similarly, GUARDIAN permits the system administrator to selectively grant 'security manager' and 'network manager' privileges to specified accounts for executing the GUARDIAN menu programs and updating accounts on remote hosts or domains. COTS
ID-Trak Internet Tools, Inc. Win NT Rules Based ID-Trak is an advanced network-based intrusion detection system developed to enterprise specific mission-critical resources from internal or external intruders. A patent pending technique called Stateful Dynamic Signature Inspection (SDSI) is employed to monitor attack signatures. A knowledge base of over 200 attack signatures is currently distributed with ID-Trak. New attack signatures can be added to the knowledge base in real-time. Attack signatures can be customized in real-time also. COTS Network
IDIOT Purdue University unknown Rules Based Intrusion Detection In Our Time - A demonstration implementation or IDIOT is available under a no-cost, limited-use license. Contact N/A Host
INTOUCH INSA Network Security Agent Touch Technologies, Inc. N/A Rules Based, Anomaly This is a complete package. A turn-key system is delivered including a high-speed 64-bit RISC system. It is a network surveillance security tool that continuously scans user sessions for noteworthy or suspicious activity. The system reads all network packets, reconstructs all user activity, and scans the activity for possible computer-use policy violations. This system is basically a network sniffer. COTS Network
Intruder Alert 3.1 Axent Technologies Win NT, UNIX Rules Based Intruder Alert 3.x (Intruder Alert) is a real-time, rule-based, centralized host detection system, which monitors audit trails throughout distributed computing platforms. Currently serving at facilities included in the Fortune 1000, Intruder Alert detects potentially hostile or anomalous "footprints" left behind in the audit trails, and classifies and responds to those footprints, based on the rules configured by security administrators. Intruder Alert detects intruders by rule or by exception. Intruder Alert is a rules engine, it processes the inputs it receives based on rules applied to the systems it is monitoring. Some rules may be designed to look at a specific sequence of events, called "footprints." If a particular footprint is detected, Intruder Alert can be programmed to respond, send notifications, and in some cases, fend off the attack prior to any extensive damage from occurring. COTS Host
ISOA (Information Security Officer's Assistant) Planning Research Corp. unknown Rules Based, Anomaly Not Available PRC's Information Security Officer's Assistant (ISOA) is a state-of-the-art system for monitoring security relevant behavior in computer networks. The ISOA serves as the central point for real-time collection and analysis of audit information. When an anomalous situation is identified, associated indicators are triggered. The ISOA automates analysis of audit trails, allowing indications and warnings of security threats to be generated in a timely manner so that threats can be countered. ISOA allows a single designated workstation to perform automated security monitoring, analysis, and warning. N/A Multihost
JIDS Lawrence Livermore National Lab

Not Available Joint Intrusion Detection System - JIDS is a project that combines the best features from NSM (Network Security Monitor) and ASIM (Automated Security Incident Measure). Although differences exist between the three systems, they have substantially the same capabilities. JIDS can detect three Network Layer attacks: SATAN scans, TCP SYN attacks, and IP port scanning. JIDS has both command line and X user interfaces. Configuration is accomplished by editing files with a Unix editor.

Kane Security Monitor Intrusion Detection, Inc. Windows NT, Novell NetWare Rules Based Analyzes the network to provide an average baseline. Compares activity to baseline and notifies on out of normal activity. Also uses rule based for known attacks including denial of service. COTS Network
NADIR Los Alamos National Labs Unix-based Rules Based Network Anomaly Detection and Intrusion Reporter - NADIR is a rules-based expert system that automatically detects intrusion attempts and other security anomalies on its large supercomputer network. Large computing networks generate huge logs of security relevant activity. Analysis and correlation of significant incidents is impossible using manual techniques. NADIR is an application designed to automate the detection of security incidents. A client-server model is used, with Unix-based workstations running Sybase. This technology is currently being applied for fraud detection in electronic tax return filing for the IRS. It is also successfully being applied in the commercial sector to aid in credit card fraud detection. GOTS Host
NetRanger Wheelgroup Corp. Solaris 2.5.1 Rules Based NetRanger provides large-scale, real-time network security visibility for an enterprise. The system consists of two elements: the NetRanger Sensor, located at network connection to be monitored, and a NetRanger Director, which is centrally located. Provides real-time reactions to an attack or real-time alarm. NetRanger Sensor stations require Pentium Pro 200 with Solaris x86, or UltraSPARC running Solaris v.2.5.1. Director Stations should be HP 725/100 or SunUltra machines. HP OpenView and Oracle licenses strongly recommended. COTS Network
NetStalker Haystack Labs, Inc. Unknown Rules Based NetStalker is a real-time analysis program that identifies network attacks and attempts to exploit protocol vulnerabilities. NetStalker does this by comparing information gathered from router event reports against Haystack Labs' extensive misuse signature database. When it detects a security breach, it immediately closes the connection from the offending host and alerts the system administrator via pager, SNMP, or email. COTS Network
NID Lawrence Livermore National Lab Solaris 2.5.1, SunOS 4.1.3, HP-UX Rules Based, Anomaly Network Intrusion Detector - NID is a suite of software tools that help detect, analyze, and gather evidence of intrusive behavior on Ethernet and FDDI networks using the Internet Protocol (IP). NID is directly connected to the local area network. It collects packets or statistics that cross a user-defined security domain. NID uses attack signature recognition, anomaly detection, and vulnerability risk model. NID is freely available to all U.S. Government Agencies and to contractors supporting the U.S. Department of Defense and Energy. NID v. 2.0.1 was released 5 Dec, 1997. GOTS Network
NIDES SRI International SunOS Rules Based, Anomaly Next-Generation Intrusion Detection Expert System - Comprehensive intrusion-detection system that performs real-time monitoring of user activity on a set of target system computers. It's rulebase is customizable. Can run in either real-time or in batch mode for batch analysis of audit data. COTS Multihost
OmniGuard/ITA Axent Technologies, Inc Sun, MS, HP, IBM, Novel, Digital Rules Based, Anomaly OmniGuard/ITA (Intruder Alert) is used to detect intruders or abuse by analyzing data from the operating systems it supports. ITA is a rules engine. ITA not only looks at log files but can also monitor SNMP traps from other applications. ITA can also monitor file level accesses. COTS Multihost
PolyCenter Security ID DEC OpenVMS, Digital Unix, SunOS, Ultrix Rules Based Polycenter Security Intrusion Detection is a tool for detecting intrusions. Intrusions can range from copying a sensitive file over the network to password guessing. Polycenter continuously monitors a system for intrusions and stops intruders in their tracks. You can set up Polycenter to detect a wide range of security events including break-in attempts, execution of unauthorized privileged programs, and network file transfers. COTS Host
RealSecure ISS SunOS, Solaris, Linux, NT Rules based RealSecure is an automated, real-time attack recognition and response system for your network. RealSecure acts like a sniffer, unobtrusively analyzing packets of information as they travel across the network. RealSecure is a distributed architecture lets you install attack monitor engines throughout your enterprise network, so you can see and stop attacks from inside as well as outside the network perimeter. COTS Network
SAINT National Autonomous Univ., Mexico N/A Rules Based SAINT (Security Analysis Integration Tool) - is a data analysis tool that can be used as a simple intrusion detection system to increase security on a UNIX system. By collecting data from many different sources into a single place, the tool allows for integrated analysis of the data for detection of problems that may otherwise go undiscovered. After SAINT homogenizes the data into a common data format, the events are analyzed to detect relationships that may indicate possible problems. The current version of SAINT produces all reports in Spanish. N/A Unknown
SecureNet PRO MimeStar, Inc. unavailable Rules Based http://www.MimeStar.Com/secmain.htm SecureNet PRO is a complete network security system, monitoring your network. It is the only system available that combines several key technologies, including session monitoring, firewalling, hijacking, and keyword-based intrusion detection. SecureNet PRO uses a technique known as TCP hijacking. Hijacking allows the administrator to instantly seize the connection of any user on his local area network. It also is one of the only products that offers automatic keystroke monitoring of all connections passing through the network. COTS Network
Session Wall-3 AbirNet Inc. Windows 95/98, NT 4.0/5 Rules Based SessionWall-3 Release 3 (V1R3) is designed to be used as a standalone or complementary product. It includes a world-class intrusion detection and service denial attack detection engine, an extensive URL control list of more than 200,000 categorized sites, a world-class Java/ActiveX malicious applet detection engine as well as a virus detection engine. It complements all popular "firewalls" to extend application-specific protection, provide intrsion detection, and audit the current settings. SessionWall-3 also interfaces with FireWall-1 using the OPSEC interface.
SessionWall-3 continues to set the pace for comprehensive, yet easy to use network protection solutions. SessionWall-3 provides the surveillance, intelligence, controls, and interfaces required to protect a company's networks from both external and internal intrusion and abuses. SessionWall-3 achieves these capabilities by a combination of very sophisticated network surveillance, scanning, blocking, detection, response, logging, alerting and reporting capabilities into an easy to use integrated package.
SessionWall-3 can be installed on any network attached Windows 95/98 or NT 4.0/5 machine and can process the network traffic from one or more Ethernet, Token Ring and FDDI local network segments.
COTS Network
SHADOW SANS (Stephen Northcutt) UNIX SHADOW which stands for SANS's Heuristic Analysis System for Defensive Online Warfare was developed by the SANS Institute, the Naval Surface Warfare Center, The Lawrence Berkeley Research Center, and the US Department of Energy. The system requires SSH and Apache Web Server. The system is based on tcpdump. N/A Network
Stake Out Harris Computer Corp. Solaris Rules Based Stake Out is an intelligent agent designed to monitor TCP/IP based networks for suspicious behavior. It provides the ability to monitor a networks segment from a single location providing alert and logging capabilities for all systems attached. COTS Network
Stalker Haystack Labs SunOS, IBM, SCO, HP Rules Based Designed to detect and respond to UNIX system misuse. Compares logs of system activities against its database. A misuse detector analyzes the audit trail data looking for events that correspond to known attack techniques or known system vulnerabilities. A querying and reporting facility reduces the volume of audit trail data to find only the audit records of interests. The collection and storage of audit trails from multiple UNIX systems is managed on a single server by an audit control and storage manager. COTS Host
Swatch Stanford University UNIX Rules Based Not Available Swatch (Simple WATCHer) is a program for UNIX system logging and management developed at the Electrical Engineering Computer Facility at Stanford University by Stephen Hansen and Todd Atkins. Swatch was designed to keep system administrators from being overwhelmed by large quantities of log data. It monitors log files and acts to filter out unwanted data and take one or more simple user specified actions based up patterns in the log. Swatch can monitor information as it is being appended to the log file and alert system administrators immediately to serious system problems as they occur. N/A Multihost
T-sight En Garde Systems Inc. Windows 95/NT Rules Based, Anomoly T-sight allows you to conduct real-time monitoring of all active connections and their subsequent transactions for IP protocols. Version 1.0 will be able to interpret and alarm connections for telnet, rlogin, ftp, smtp, rsh, and http. It allows playback of previous sessions. There are five detailed viewing options. Real time playback presents a real time view of the connection data as it would appear over a VT100 window. VCR playback is the same as above, but allows the user to rewind, fast forward, or pause the connection playback. Server view presents the data from the server's point of view while the Client view displays it from the client's view. Finally the packet dump display shows packet headers and flags as well as the hex dump of the packet data. A beta/demo of this program is available for download from the site. COTS Network
Tripwire IDS 1.5 Visual Computing Corp UNIX, LINUX, NT None available. Still in Beta testing COTS
UNICORN (Unicos Realtime NADIR) Los Alamos National Laboratory UNIX Rules Based UNICORN is an expansion on the NADIR project. Unicorn will accept audit logs from Unicos (Cray Unix), Kerberos, and common file systems, then analyze them and attempt to detect intruders in real-time. Because Unicorn was designed for Kerberos and UNIX, the design can be applied to many other network configurations. Unicorn was presented at Supercomputing '95 in San Diego, CA.
USTAT (State Transition Analysis Tool for UNIX) Univ. of California, Santa Barbara UNIX Rules Based USTAT is the first prototype of the STAT model, in particular for SunOS 4.1.1. USTAT makes use of the audit trails that are collected by the C2 Base Security Module of SunOS and it keeps track of only those critical actions that must occur for the successful completion of the penetration. This approach differs from other rule-based penetration identification tools that pattern match sequences of audit records. This program, originally developed by Koral Ilgun has been now ported to Solaris 2.x by Jonathan Wood. N/A Host
WebStalker Pro Haystack Laboratories, Inc. Solaris 2.5, IBM AIX 4.1, Windows NT Rules Based WebStalker-Pro manages and control access to the contents of your Web site by allowing only authorized individuals to modify the content files. WebStalker-Pro catches outsiders and insiders alike who may be attempting to modify your Web site, and alerts you or kicks them off. COTS Host
Page d'accueil

Nous écrire
By mail

Nous envoyer des commentaires
By la page de le Feed-Back

Les mailing-lists


Les stats du serveur


Qui sommes-nous?

Le Sommaire

Sommaire général du site
(voir tout le contenu)

Les rubriques!

Les livres publiés par Kitetoa
Les Textes
Les interviews

Fonds d'écran et autres trucs

Les rubriques!
Les Let-R-s

Des Images
On s'en fout!

KessTaVu? -KiteToile

Statisticator, l'autre site...

Les dossiers :

Precision [ZataZ]
Le monde fou des Admins
Le hack le plus bizarre
Guerre de l'info
Convention contre la cyber-criminalité

Questionnaire visant à améliorer le contenu de  ce site si c'est possible et pas trop compliqué

Réponses au questionnaire visant...

Le Forum

sur le site sur le Net

Des liens
D'autres choses du Ouèb