Group puts intrusion detection tools in public domain

A US research and education cooperative focused on systems security will place a new set of intrusion detection tools in the public domain today, making them freely available to organisations that want to monitor their systems and networks for hacking attempts.

Called Shadow, the software is being made available by the Bethesda, Maryland-based SANS (Systems Administration Networking & Security) Institute. The group says the code is already in use, actively monitoring incoming network traffic for more than 40 known attack profiles across more than 14,000 hosts. The tool has also allowed system security analysts to identify, or shed light on, three completely new types of attacks, the SANS Institute said.

Alan Paller, the institute's research director, today called for more cooperation between the U.S. government and industry, saying the nation's computing infrastructure is vulnerable to increasingly sophisticated attacks.

The "missing ingredient" is an institution of some kind that would allow organizations to report information about systems intrusions, Paller said. "What we need is a Center for Intrusion Control" analogous to the U.S. Centers for Disease Control, he added. What makes the world-renowned CDC work is that information is supplied to the agency with the understanding that it remain confidential, Paller explained. Right now, businesses are reluctant to report that they have been hacked because of the negative publicity that ensues, he said.

Among the unique aspects of the Shadow software is that it analyzes traffic, rather than content, in order to preserve privacy, according to the SANS Institute. It also monitors all ports for all protocols, and combines signature monitoring with statistical assessment that detects events the filters do not know how to decode. Finally, Shadow can be run on a systems configuration, including high-capacity storage, that should cost in total less than US$10,000, according to the institute.
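As an added illustration of the approach this paragraph describes, not Shadow's own code (the article shows none), the sketch below keeps only packet headers, applies a known-profile signature (bare SYNs to many ports) and then a per-source volume statistic that surfaces a source the signature could not explain. Addresses, flag strings and the thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed header records: (src, dst_port, tcp_flags). Only headers are
# kept, so payload content is never inspected (the privacy point above).
BASELINE = [("10.0.0.5", 80, "S"), ("10.0.0.5", 80, "A"), ("10.0.0.5", 80, "A"),
            ("10.0.0.7", 443, "S"), ("10.0.0.7", 443, "A"),
            ("10.0.0.9", 25, "S"), ("10.0.0.9", 25, "A"),
            ("10.0.0.11", 22, "S")]
OBSERVED = (BASELINE
            + [("198.51.100.3", p, "S") for p in range(20, 45)]  # 25 bare SYNs, 25 ports
            + [("203.0.113.8", 8080, "SF")] * 20)                 # flag combo no filter decodes

def signature_hits(packets, min_ports=10):
    """Known attack profile: one source sending bare SYNs to many distinct ports."""
    ports = defaultdict(set)
    for src, dport, flags in packets:
        if flags == "S":
            ports[src].add(dport)
    return {src: "port sweep" for src, p in ports.items() if len(p) >= min_ports}

def statistical_hits(baseline, packets, z_limit=3.0):
    """Unknown events: per-source packet volume far outside the quiet baseline."""
    base = list(Counter(src for src, _, _ in baseline).values())
    mu, sigma = mean(base), pstdev(base) or 1.0   # guard a flat baseline
    obs = Counter(src for src, _, _ in packets)
    return {src: round((n - mu) / sigma, 1)
            for src, n in obs.items() if (n - mu) / sigma > z_limit}

def assess(baseline, packets):
    """Combine both views; 'unexplained' is what only the statistics caught."""
    sigs = signature_hits(packets)
    stats = statistical_hits(baseline, packets)
    unexplained = {src: z for src, z in stats.items() if src not in sigs}
    return sigs, stats, unexplained

if __name__ == "__main__":
    for label, result in zip(("signature", "statistical", "unexplained"),
                             assess(BASELINE, OBSERVED)):
        print(f"{label}: {result}")
```

The SYN+FIN sender matches no signature, yet its z-score marks it for an analyst to examine, which is the role the statistical layer plays alongside the filters.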

The SANS Institute will also run a series of training programs instructing systems and network professionals in the use of the Shadow software. The first will be in San Francisco July 24-25, followed by sessions in New York (July 27-28) and Washington, D.C. (Aug. 24-25). There will also be a five-day intensive program in Orlando, Florida, Oct. 26-20, Paller said.

Information about Shadow will be made available to anyone in the U.S. who sends e-mail to info@sans.org with the subject SHADOW Description. While the intention is to serve organizations in the U.S., Paller admitted that this will be difficult to enforce in practice. People requesting information will receive instructions for downloading, installing and running the software, plus agendas and schedules for the training programs.
