Re: Looking for HIDS-only products for XP/2000Pro

• Previous message: LeoDregier_at_TheSecurityMatrix.com: "Re: Looking for HIDS-only products for XP/2000Pro"
• In reply to: Bill Stout: "Looking for HIDS-only products for XP/2000Pro"
• Next in thread: AsTriXs: "Re: Looking for HIDS-only products for XP/2000Pro"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 6 Aug 2005 20:04:43 -0400 (EDT)
To: "Bill Stout" <bill.stout@greenborder.com>

Hi,

Bill Stout wrote:
> I'm assuming most companies do both HIDS and blocking. Are there any
> companies which specialize in HIDS for XP/2000Pro? Specifically passive
> (worm/virus/Trojan) attacks, maybe with an online database for
> reference.

You can detect worm, virus & trojan with NIDS. They transmit and propagate
trough the network so a NIDS that use signatures to detect this should
alert you.

For example:
http://www.bleedingsnort.com/bleeding-malware.rules
http://www.bleedingsnort.com/bleeding-virus.rules

> In other words, if we have a product which protects against certain
> vectors (IE & Outlook), and we want to prove that it did protect them
> although it doesn't detect, what could I use to detect and identify
> specific attacks?

Place a NIDS inside and outside. I mean one before the defense system you
already have (this will prove that they are comming in) and one inside your
defence system.

The one inside should not see the malware since they are suppose to be
blocked by what you are using already.

Also, something to check the integrity of your host like tripwire should
be used on _all_ production server.

As far as products goes, there is many of them.
Okena which was bought by cisco. OpenHids.
Snort not in promiscus mode would do the job too!

Hope this help,

Merci,
Jean-Pierre Denis
 (LPIC1 - LPIC2)
WebGlobe Solutions TI
email: jp@webglobe.ca
tel.: (819) 246-0WWW (0999)
www: http://www.webglobe.ca

-----------------------------------------
 WebMail Powered by WebGlobe.
 http://www.webglobe.ca

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

• Previous message: LeoDregier_at_TheSecurityMatrix.com: "Re: Looking for HIDS-only products for XP/2000Pro"
• In reply to: Bill Stout: "Looking for HIDS-only products for XP/2000Pro"
• Next in thread: AsTriXs: "Re: Looking for HIDS-only products for XP/2000Pro"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]