Intrusion Detection

I have recently been asked by a deeply knowledgeable friend of mine, Malek Kemmou, about the latest in Intrusion Detection software. I realized that if he was curious, then this might be a topic worthy of a few words…

The bad news is that nothing out there really serves as a silver bullet. It is a lot like anti-spam software when it first started coming out: there were a lot of players, but they all used the same basic technique. Detection software is in much the same place. Hackers leave footprints if you are logging (both on the OS itself and on the web server). If the logs are not configured, or are configured incorrectly, it is like having video cameras without film: they won’t help you solve the crime.

A further problem is that more elite hackers tend to alter the logs after they are done (wiping the gun clean, so to speak). So after step 1 (turn on logging) and step 2 (configure it appropriately), step 3 is to secure the logs from being altered (or dumped) by an intruder.

Vendors of products like GFI LanGuard will publish white papers (see the link) on why they are the best, but mostly the products are the same. You could interpret most logs yourself until they get beyond a certain size.

You can even just submit your logs to DShield.org (been around since Nov 2000) and they will analyze them for you. Some interesting statistics come out of looking at the data from so many firewalls and web servers. If you go there, note that they are currently reporting Survival Times of 22 minutes (The “Survival Time” is the average time between attacks for our average submitter. An unpatched PC will survive about that long before it will be infected with the worm of the day).

Here is a nice little article from the guys at Foundstone, http://secinf.net/info/misc/tricks.html, that should give you some tips on what you (and the detection software) should look for beyond the obvious “cmd.exe” in your standard IIS logs.
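
To make the starting point concrete, here is an added example (mine, not from the Foundstone article or any product) that reads an IIS W3C extended log, reports which investigative fields the logging configuration left out, and flags requests that mention “cmd.exe”. The sample log, the `REQUIRED` field set and the function names are constructed for illustration.

```python
from urllib.parse import unquote

# Fields an investigator needs; a log without them is the camera without film.
# (This particular set is an assumption for the example.)
REQUIRED = {"date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"}

# Constructed sample in IIS W3C extended format (addresses are documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-08-01 10:00:01 192.0.2.10 GET /default.htm - 200
2004-08-01 10:00:07 198.51.100.7 GET /scripts/cmd.exe /c+dir 404
2004-08-01 10:00:09 198.51.100.7 GET /scripts/cmd%2Eexe /c+dir 404
2004-08-01 10:00:12 192.0.2.10 GET /images/logo.gif - 200
"""

def normalize(value, rounds=3):
    """Percent-decode repeatedly, in case the request was logged undecoded."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower().replace("\\", "/")

def scan(log_text, needles=("cmd.exe",)):
    """Return (missing_fields, hits); hits are parsed rows that contain a needle."""
    fields, missing, hits = [], set(REQUIRED), []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the header can reappear mid-file
            missing = REQUIRED - set(fields)
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            target = normalize(row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", ""))
            if any(n in target for n in needles):
                hits.append(row)
    return sorted(missing), hits

if __name__ == "__main__":
    missing, hits = scan(SAMPLE_LOG)
    print("fields missing from logging config:", missing or "none")
    for h in hits:
        print(h["date"], h["time"], h["c-ip"], h["cs-uri-stem"], h["sc-status"])
```

Pass extra strings in `needles` as you build up your own list of things to look for.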

If you are using something you like, let me know. I expect this space to get pretty heated in the next 18 months as awareness rises and drives demand.