Security UPDATE--Application and Host IDS Tools--March 21, 2007


Extend your MSCS cluster offsite

Free White Paper: Address the Insider Threat

Automatically fix links when you move files!



IN FOCUS: Application and Host IDS Tools


- Windows 2003 SP2 Ready for Download

- EldoS Provides Raw Disk Access for Vista and XP

- New Coating System Contains Wireless Signals

- Recent Security Vulnerabilities


- Security Matters Blog: Helios Lite--Rootkit Detector

- FAQ: Vista BitLocker Safety

- From the Forum: "Audit Privilege Use" Events

- Tell Us About the Products You Love!

- Share Your Security Tips


- Encrypt Sensitive Files Before They Leave the Office




=== SPONSOR: CA XOsoft


Extend your MSCS cluster offsite

MSCS clustering can be a good option for local high availability - but it doesn't provide complete protection from unplanned downtime. Download this free white paper and learn how extending your MSCS cluster offsite with a high availability solution with CDP technology can protect from data corruption, including damage done by viruses or human error.

=== IN FOCUS: Application and Host IDS Tools


by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Many of you probably have some sort of intrusion detection system (IDS) in use on your network. Most tools of this sort operate either at the network border to monitor incoming traffic or on the internal network to monitor internal traffic.

Recently I learned about two IDS tools that are a little bit different from a typical IDS. One runs inside an application, and the other is a host IDS that runs on servers or workstations.

The first tool is called Firekeeper. It's an extension for Firefox that works similarly to Snort in that it uses a configurable set of rules to detect suspicious activity. Firekeeper is a relatively new tool and doesn't have the huge set of rules available that Snort does. Nevertheless, the base set of rules is a good starting point, and you can write your own rules with relative ease, especially if you're familiar with Snort.

Because Firekeeper runs inside Firefox, naturally it's meant to detect intrusion attempts that would originate from Web content. The base set of rules detects suspicious JavaScript activity; abnormal behavior of Real Networks' RealPlayer, Microsoft Windows Media Player, and Nullsoft's Winamp controls; attempts to access email clients via file extension types; and more. Another benefit is that Firekeeper can inspect Secure Sockets Layer (SSL) traffic after it's decrypted by the browser, which a border IDS system might not be able to do.

Overall, Firekeeper is a pretty good idea. If I understand correctly, the project was started by Jan Wrobel as part of Google's Summer of Code 2006. Since that time, it's come along nicely. You can check it out at the Web site (click the link below), where a link to a mailing list is also available.

The second tool I learned about is OSSEC Host IDS (HIDS). OSSEC HIDS has two basic parts: the central server and the host monitors. The main server collects information from the host monitors, and the host monitors perform a variety of tasks. They can detect known rootkits and maintain file system integrity by keeping tabs on important system files.

Another useful aspect is that OSSEC HIDS can monitor a variety of different logs, such as those generated by Apache, Squid, Snort, nmap, Windows, Microsoft IIS, Cisco VPN concentrators, and Cisco PIX firewalls. As you might expect, it can also deliver alerts to administrators via email messages or log entries, and it can actively respond to detected events based on your configuration settings.
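As an added illustration of the two host-monitor duties just described, file-integrity checking and rule-based log monitoring with alerting, here is a simplified stand-alone sketch in Python. It is not OSSEC's code; the rule ids, thresholds, regexes and log lines are constructed for the example.

```python
import hashlib
import re
from collections import Counter
from pathlib import Path
from typing import Dict, List, Tuple
# Added example, not OSSEC's code: the two host-monitor duties described above
# (file-integrity checking, rule-based log monitoring) in simplified form.
def baseline(root: Path) -> Dict[str, str]:
    """SHA-256 of every regular file under root, keyed by relative path."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def integrity_check(old: Dict[str, str], new: Dict[str, str]) -> List[str]:
    """Compare a stored baseline with a fresh scan and report every change."""
    alerts = []
    for name in sorted(set(old) | set(new)):
        if name not in new:
            alerts.append(f"deleted: {name}")
        elif name not in old:
            alerts.append(f"added: {name}")
        elif old[name] != new[name]:
            alerts.append(f"modified: {name}")
    return alerts

# Constructed rules (ids/thresholds are not OSSEC's): (id, description, regex whose group 1 is the source, hits needed)
LOG_RULES = [
    (1001, "repeated ssh auth failures",
     re.compile(r"sshd\[\d+\]: Failed password for \S+ from (\S+)"), 2),
    (1002, "web server 5xx response", re.compile(r'^(\S+) .*" 5\d\d\b'), 1),
]

SAMPLE_LOG = [  # constructed sample lines, not captured from a real host
    "Mar 21 10:00:01 host sshd[4321]: Failed password for root from 192.0.2.10 port 51022 ssh2",
    "Mar 21 10:00:03 host sshd[4321]: Failed password for admin from 192.0.2.10 port 51023 ssh2",
    "Mar 21 10:00:04 host sshd[4322]: Failed password for root from 198.51.100.7 port 40000 ssh2",
    '198.51.100.7 - - [21/Mar/2007:10:00:09 -0500] "GET /index.html HTTP/1.1" 500 512',
]

def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Emit (rule id, description, source) once, when a source reaches its threshold."""
    hits, alerts = Counter(), []
    for line in lines:
        for rule_id, desc, pattern, threshold in LOG_RULES:
            m = pattern.search(line)
            if m:
                key = (rule_id, m.group(1))
                hits[key] += 1
                if hits[key] == threshold:  # fires once; later hits do not repeat the alert
                    alerts.append((rule_id, desc, m.group(1)))
    return alerts
```

Run `baseline()` once to store hashes, later diff it against a fresh `baseline()` with `integrity_check()`; `scan_log(SAMPLE_LOG)` yields one correlated ssh alert for 192.0.2.10 and one 5xx alert.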

I installed OSSEC HIDS on a few systems and found that it's very easy to configure. Setting up the main server took about 20 minutes including reading the manual as I went along. Setting up the tool on the hosts was easier, but it did take a bit longer because the host settings vary depending on what's being monitored on the hosts.

OSSEC HIDS is an open source tool and has been tested on OpenBSD, FreeBSD, Mac OS X, Slackware Linux, Debian GNU/Linux, SUSE Linux, Ubuntu, Red Hat Enterprise Linux, Fedora Core, Solaris, and AIX, as well as Windows XP and Windows 2000. You can check it out at the OSSEC Web site, where you'll find the manual along with other resources such as a wiki and an associated mailing list.


Do you work in a mixed environment? Visit TechX World (first URL below) for information about Windows interoperability. The TechX World community gives you access to interoperability articles that aren't available anywhere else; news, tips, and tricks from interop experts and other users; and forums and blog posts by other community members. Join the TechX World community and sign up for the TechX Interoperability UPDATE email newsletter (second URL below):



Free White Paper: Address the Insider Threat

Learn how to develop a comprehensive management system that virtually eliminates the risk of an insider threat. Co-authored by NetIQ and Dr. Eric Cole, this informative white paper identifies the key business processes that must be secured and gets you ready to build a solution to contain the insider threat.



Windows 2003 SP2 Ready for Download

Windows Server 2003 Service Pack 2 adds new features and tools, including WPA2 and improvements to IPsec. Be absolutely certain that you review the installation requirements and instructions.

EldoS Provides Raw Disk Access for Vista and XP

Security component maker EldoS announced the availability of RawDisk, a raw disk access driver for Windows Vista and Windows XP systems. Fortunately, the company won't make the product publicly available.

New Coating System Contains Wireless Signals

EM-SEC Technologies announced the successful testing of its new liquid coating product designed to contain Wi-Fi signals. The EM-SEC Coating System also prevents leakage of signals from several other types of electronic devices.

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

=== SPONSOR: LinkTek


Automatically fix links when you move files!

Patented LinkFixerPlus is the first application that automatically fixes broken links in Excel, Word, Access, PowerPoint, Acrobat, InDesign, PageMaker, AutoCAD and other files when performing data migrations due to: server consolidations, server name changes, path name changes or folder reorganizations! Detailed broken link reporting too!

Download the FREE trial version NOW at



SECURITY MATTERS BLOG: Helios Lite--Rootkit Detector

by Mark Joseph Edwards

Can you ever have enough rootkit detectors? MIEL-Labs just released Helios Lite. Read more about it and get a link to download a copy in this blog article on our Web site!

FAQ: Vista BitLocker Safety

by John Savill

Q: Does Windows Vista BitLocker Drive Encryption have a security vulnerability?

Find the answer at

FROM THE FORUM: "Audit Privilege Use" Events

A forum participant wonders what events will be created if he selects Audit Privilege Use--Failures in the audit policy. All he can find are the three IDs that appear for successes: 576, 578, and 579. He's trying to determine if it's worth having the failures on in the audit policy. To join the discussion, go to


What products are you using that save you time or make your workload a little lighter? What hot product discoveries have you made that other IT pros need to know about? Let the world know about your experiences in Windows IT Pro's monthly What's Hot department. If we publish your story in What's Hot, we'll send you a Best Buy gift card! Send information about your favorite product and how it has helped you to [email protected]


Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.



by Renee Munshi, [email protected]

Encrypt Sensitive Files Before They Leave the Office

Spotted Dingo announced GuardTheft, an Internet software application that lets users encrypt sensitive documents before taking them out of the office on removable media or before storing them on a server for transmission. Users can then use GuardTheft's Internet "black box" to decrypt the files when the users get to their destination and want to work with the files. GuardTheft can encrypt AutoCAD, ArcInfo, DNG, JPG, GIF, BMP, TIFF, MDI, PDF, DOC, TXT, PPT, and XLS files. The software uses the RC2 (128-bit) encryption algorithm and lets users make their key set unique by modifying the key set's 16 keys. A one-week free trial of GuardTheft is available. For more information, go to



For more security-related resources, visit

Deploy Exchange Server 2007 Without a Hitch!

This one-day technical training event teaches you how to preempt pitfalls and avoid corrupting your infrastructure. Learn how to effectively install, manage, and secure Exchange Server 2007 in a 64-bit environment. You'll also get a peek into the integration of Outlook, SharePoint Server 2007, and Exchange Server 2007. Register today!

Get Ready for the Windows Server Longhorn Roadshow!

Seize control of your Windows infrastructure with Microsoft's biggest server release since Windows 2003. Get a live, under-the-hood look at Longhorn virtualization, deployment, Web services, and breakthroughs in core reliability. This one-day event is filled with demonstrations and in-depth discussions designed for IT pros who want a deep understanding of Windows Server Longhorn.

SQL Server Reporting Services is an exciting way for organizations to gain access and insight into their important business data. Get an overview of how to increase your production server's performance by offloading Reporting Services to a secondary server. Download your free copy today!



Learn the 7 critical email problems to watch for and how to prevent them. Find out how to better manage your email environment, including disaster recovery, compliance, data storage, security, and wireless devices. Download this free white paper today.



Introducing a Unique Security Resource

Security Pro VIP is an online information center that delivers new articles every week on topics such as perimeter security, authentication, and system patches. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50!

Grab Your Share of the Spotlight!

Nominate yourself or a peer to become IT Pro of the Month. This is your chance to get the recognition you deserve! Winners will receive over $600 in IT resources and be featured in Windows IT Pro. It's easy to enter--we're accepting May nominations now, but only for a limited time! Submit your nomination today:


Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).

Subscribe to Security UPDATE at

Unsubscribe by clicking

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions --

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.
