A host-based intrusion defense tool, Dragon Host Sensor monitors individual systems running today's most common operating systems for evidence of malicious or suspicious activity in real time.
Dragon Host Sensor may be deployed on a protected host, where it uses a variety of techniques to detect attacks and misuse on the system: analyzing the security event log, checking the integrity of critical configuration files, and checking for kernel-level compromises. Combining these techniques catches misuse that any single one of them would miss.
Dragon Host Sensor may also be deployed on a dedicated analysis system, where it analyzes logs forwarded from most commercial firewalls, routers, switches, and other IDS devices. Correlating events from these devices with events from Dragon Network and Host Sensors is critical in identifying which events are the most serious, as well as in understanding their origin and impact.
Using non-conventional techniques to identify attempted intrusions or general misuse, the Host Sensor can be installed on a dedicated system to create a "deceptive" server: it simulates a fake web, telnet, or mail server and raises an alarm on any connection attempt, since no legitimate traffic should ever reach it.

Product Highlights
- File attribute monitoring tracks specific file attributes such as owner, group, permissions and file size
- File integrity checking monitors files or directories to determine whether their content has changed, by comparing MD5 hashes, protecting sensitive files
- Log file analysis analyzes any file or directory - including the system log, the security log, or the log of a custom-built application - against a signature policy
- Windows event log analysis monitors the various Windows event logs for signs of misuse or attack
- Windows registry analysis monitors registry keys and values that should not be accessed or modified, essential in identifying attacks against often-targeted Microsoft servers
- TCP/UDP (backdoor) service detection monitors for newly opened TCP and UDP ports, providing critical protection against backdoor services, which can allow unauthorized access through the firewall or act as a staging point for a distributed denial of service or outright attack
- Kernel monitoring detects suspicious privilege escalations and other signs that the kernel has been compromised
- Custom module interface provides an open and easy interface for custom module development, allowing customers to write their own tailored modules
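As an added illustration of the file attribute monitoring, file integrity checking and log file analysis highlights above, the following example shows how such checks are built. It is example code written for this page, not Dragon Host Sensor's own implementation; the sshd_config contents, the signature policy and the syslog lines are constructed, and a POSIX host is assumed.

```python
"""Added example: host-sensor style checks written from scratch for this page
(not Dragon Host Sensor code).  Assumes a POSIX host; the sshd_config file,
its contents and the log lines below are constructed sample input."""
import hashlib
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed signature policy in the spirit of "log file analysis against a
# signature policy": (signature name, pattern applied to each log line).
SIGNATURE_POLICY = [
    ("ssh-auth-failure",
     re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?\S+ from \S+")),
    ("sudo-root-shell",
     re.compile(r"sudo:.*USER=root.*COMMAND=/bin/(ba)?sh\b")),
    ("new-uid0-account",
     re.compile(r"useradd\[\d+\]: new user:.*\bUID=0\b")),
]

# Constructed syslog excerpt; only lines 1, 3 and 4 should trip a signature.
SAMPLE_LOG = [
    "Jan 12 03:14:07 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 52211 ssh2",
    "Jan 12 03:14:09 web01 sshd[2214]: Accepted publickey for deploy from 198.51.100.4 port 40120 ssh2",
    "Jan 12 03:15:01 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash",
    "Jan 12 03:16:30 web01 useradd[2300]: new user: name=svc, UID=0, GID=0, home=/root, shell=/bin/bash",
]


def snapshot_file(path):
    """File attribute monitoring plus integrity checking: owner, group,
    permission bits, size and an MD5 digest of the content (MD5 because that
    is what the page describes; a modern sensor would use SHA-256)."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.md5(fh.read()).hexdigest()
    return {
        "owner": st.st_uid,
        "group": st.st_gid,
        "mode": stat.S_IMODE(st.st_mode),
        "size": st.st_size,
        "md5": digest,
    }


def build_baseline(paths):
    """Record the trusted state of each monitored file."""
    return {str(p): snapshot_file(p) for p in paths}


def check_baseline(baseline):
    """Re-snapshot every monitored file and report each attribute that drifted
    from the baseline as (path, attribute, expected, observed)."""
    alerts = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing", expected, None))
            continue
        observed = snapshot_file(path)
        for key, value in expected.items():
            if observed[key] != value:
                alerts.append((path, key, value, observed[key]))
    return alerts


def analyze_log(lines, policy=SIGNATURE_POLICY):
    """Log file analysis: return (signature name, matching line) for every
    line that matches an entry of the signature policy."""
    hits = []
    for line in lines:
        for name, pattern in policy:
            if pattern.search(line):
                hits.append((name, line))
    return hits


def demo():
    """Baseline a config file, tamper with it the way an attacker who wants
    root SSH access would, and return the integrity alerts and the log hits."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "sshd_config"
        cfg.write_text("PermitRootLogin no\n")
        os.chmod(cfg, 0o600)
        baseline = build_baseline([cfg])

        cfg.write_text("PermitRootLogin yes\n")   # content change -> md5 and size
        os.chmod(cfg, 0o644)                       # permission change -> mode
        integrity_alerts = check_baseline(baseline)

    return {
        "changed_attributes": sorted(a[1] for a in integrity_alerts),
        "log_hits": [name for name, _ in analyze_log(SAMPLE_LOG)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the example makes that the list does not: the baseline is the sensor's root of trust, so it has to be stored where an attacker who can alter the monitored file cannot also alter the recorded hash (off-host or read-only); and MD5 is kept here only because the product description names it, since it is no longer collision-resistant and a current sensor would record SHA-256 instead.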