Re: Looking for HIDS-only products for XP/2000Pro

From: Jean-Pierre Denis (jp_at_webglobe.ca)
Date: 08/07/05

    Date: Sat, 6 Aug 2005 20:04:43 -0400 (EDT)
    To: "Bill Stout" <bill.stout@greenborder.com>
    
    

    Hi,

    Bill Stout wrote:
    > I'm assuming most companies do both HIDS and blocking. Are there any
    > companies which specialize in HIDS for XP/2000Pro? Specifically passive
    > (worm/virus/Trojan) attacks, maybe with an online database for
    > reference.

    You can detect worms, viruses & trojans with a NIDS. They transmit and propagate
    through the network, so a NIDS that uses signatures to detect this should
    alert you.

    For example:
    http://www.bleedingsnort.com/bleeding-malware.rules
    http://www.bleedingsnort.com/bleeding-virus.rules

    > In other words, if we have a product which protects against certain
    > vectors (IE & Outlook), and we want to prove that it did protect them
    > although it doesn't detect, what could I use to detect and identify
    > specific attacks?

    Place a NIDS inside and outside. I mean one before the defense system you
    already have (this will prove that they are coming in) and one inside your
    defence system.

    The one inside should not see the malware since they are supposed to be
    blocked by what you are using already.

    Also, something to check the integrity of your hosts like tripwire should
    be used on _all_ production servers.

    As far as products go, there are many of them.
    Okena which was bought by Cisco. OpenHids.
    Snort not in promiscuous mode would do the job too!

    Hope this helps,

    Merci,
    Jean-Pierre Denis
     (LPIC1 - LPIC2)
    WebGlobe Solutions TI
    email: jp@webglobe.ca
    tel.: (819) 246-0WWW (0999)
    www: http://www.webglobe.ca
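The inside/outside sensor comparison suggested in the reply above can be automated. The following is an added example, not part of the original message or of any Snort or Bleeding Snort code: it parses Snort "fast" alert output from the sensor in front of the defence layer and from the sensor behind it, and reports which signatures were blocked (seen only outside) and which leaked through (seen inside). The sample alert lines, SIDs 9000001 to 9000003, rule messages and addresses are constructed placeholders for this example.

```python
import re
from collections import Counter

# Constructed sample output from two Snort sensors in "fast" alert format.
# The SIDs, rule messages and addresses are placeholders made up for this
# example; they are not real Bleeding Snort or VRT rules.
OUTSIDE_ALERTS = """\
08/06-20:01:12.000001  [**] [1:9000001:1] EXAMPLE-MALWARE worm probe [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.5:4477 -> 192.0.2.10:445
08/06-20:01:13.000002  [**] [1:9000001:1] EXAMPLE-MALWARE worm probe [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.5:4478 -> 192.0.2.11:445
08/06-20:02:40.000003  [**] [1:9000002:1] EXAMPLE-VIRUS mail attachment [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.9:3391 -> 192.0.2.20:25
08/06-20:03:05.000004  [**] [1:9000003:1] EXAMPLE-MALWARE trojan callback [**] [Classification: Trojan Activity] [Priority: 1] {TCP} 192.0.2.30:1051 -> 198.51.100.7:80
this line is not an alert and must be skipped by the parser
"""

# The inside sensor only sees what the defence layer let through.
INSIDE_ALERTS = """\
08/06-20:03:05.000004  [**] [1:9000003:1] EXAMPLE-MALWARE trojan callback [**] [Classification: Trojan Activity] [Priority: 1] {TCP} 192.0.2.30:1051 -> 198.51.100.7:80
"""

# One Snort fast-alert line: timestamp, [gid:sid:rev], message, optional
# classification/priority, {proto}, source -> destination.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_fast_alerts(text):
    """Return one dict per parseable fast-alert line; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT_RE.match(line)
        if m is None:
            continue
        alert = m.groupdict()
        alert["sid"] = int(alert["sid"])
        alerts.append(alert)
    return alerts


def compare_sensors(outside_text, inside_text):
    """Return (blocked, leaked, messages).

    blocked:  {sid: count} for signatures the outside sensor fired on but the
              inside sensor never saw, i.e. traffic the defence layer stopped.
    leaked:   {sid: count} for signatures the inside sensor saw, i.e. traffic
              that got past the defence layer.
    messages: {sid: rule message} for reporting.
    """
    outside = parse_fast_alerts(outside_text)
    inside = parse_fast_alerts(inside_text)
    messages = {a["sid"]: a["msg"] for a in outside + inside}
    seen_outside = Counter(a["sid"] for a in outside)
    seen_inside = Counter(a["sid"] for a in inside)
    blocked = {sid: n for sid, n in seen_outside.items() if sid not in seen_inside}
    leaked = dict(seen_inside)
    return blocked, leaked, messages


def summarize(outside_text, inside_text):
    """Human-readable report lines, blocked signatures first, then leaked ones."""
    blocked, leaked, messages = compare_sensors(outside_text, inside_text)
    lines = []
    for sid, n in sorted(blocked.items()):
        lines.append(f"BLOCKED  sid {sid} x{n}: {messages[sid]}")
    for sid, n in sorted(leaked.items()):
        lines.append(f"LEAKED   sid {sid} x{n}: {messages[sid]}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(OUTSIDE_ALERTS, INSIDE_ALERTS)))
```

Both sensors need the same rule set and roughly synchronised clocks for the comparison to mean anything; any SID that shows up in the LEAKED list is direct evidence that the protection in between did not stop that traffic, which is exactly what the reply proposes to measure.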


