Sheriff CSM™

Sheriff HIDS

The Sheriff HIDS included in the Sheriff CSM provides the following features:

  • Log monitoring and collection
  • Rootkit detection
  • File integrity monitoring
  • Windows registry integrity monitoring
  • Active response that can run applications on a server in response to certain triggers, such as specific alerts or alert levels
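The file integrity monitoring feature listed above works by recording a baseline of file hashes and attributes and then reporting any file that is added, removed or changed. The following added example illustrates that core comparison in stand-alone Python; it is not Sheriff HIDS code, and the directory layout, file names and tampering scenario it builds are constructed for the demonstration.

```python
"""Illustrative file-integrity-monitoring check (added example, not Sheriff HIDS code).

Builds a baseline of SHA-256 hashes for every regular file under a directory,
then compares the current state against that baseline and reports files that
were added, removed or modified. A HIDS agent does the same job continuously
and ships the results to its server; this stand-alone version only shows the
comparison so the meaning of such an alert is easy to reason about.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, dict]:
    """Map each regular file (POSIX-style relative path) to digest, size and mode bits."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": file_digest(path),
            "size": st.st_size,
            "mode": st.st_mode & 0o777,
        }
    return baseline


def compare(baseline: dict[str, dict], current: dict[str, dict]) -> dict[str, list]:
    """Report added and removed paths, and (path, changed_fields) for modified files."""
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            changed = [k for k in ("sha256", "size", "mode")
                       if baseline[rel][k] != current[rel][k]]
            if changed:
                report["modified"].append((rel, changed))
    return report


def demo() -> dict[str, list]:
    """Constructed scenario: baseline a small tree, then change it in three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"constructed-sample-binary")
        baseline = build_baseline(root)

        # Simulated changes: an appended line, a new file, a deleted file.
        with (root / "etc" / "passwd").open("a") as fh:
            fh.write("svc:x:1001:1001::/var/empty:/usr/sbin/nologin\n")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "job").write_text("0 * * * * root /usr/bin/true\n")
        (root / "bin" / "tool").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, entries in demo().items():
        for entry in entries:
            print(f"{kind}: {entry}")
```

Running the module prints one line per change; the `modified` entries name which attributes differed (here the hash and size of `etc/passwd`), which is the detail an analyst needs to decide whether a change was a legitimate edit or tampering.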
Sheriff HIDS uses a server/agent architecture: the HIDS agent resides on each host you want to monitor, and the HIDS server resides on the Sheriff CSM Deputy. The Sheriff CSM Deputy receives events from the HIDS agents, normalizes them, and sends them to the Sheriff CSM Server for analysis, correlation, and storage. Sheriff HIDS also has limited support for agentless operation on Linux, for log retrieval only.

You need to deploy the HIDS agents to client systems. The HIDS agent runs as a continuous in-memory service and communicates with the Sheriff CSM Deputy through UDP port 1514. The Sheriff CSM Deputy generates and distributes a pre-shared key to the HIDS agents, which use that key to authenticate their communication with the Sheriff CSM Deputy.

[Figure: Sheriff HIDS diagram]

While HIDS agents are ideal for collecting Windows Security and System event logs, it is more effective to use NXLog to collect Application logs on Windows. Sheriff provides NXLog plugins for Microsoft IIS, Microsoft DHCP Server, Microsoft Exchange Server, and Microsoft SQL Server. For a complete list, see NXLog Plugins.

Sheriff Vigilante Limitations: Both Sheriff Vigilante and the Sheriff CSM HIDS decoders are fully featured, with all of their information coming from the Plugin Feed Updates that Sheriff CSM and Sheriff Vigilante provide. However, Sheriff Vigilante lacks the depth of NIDS information that is provided to Sheriff CSM through the Threat Intelligence Updates.
Topic revision: r13 - 08 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.