RE: IDS and Spywares

From: Omar A. Herrera (omar.herrera_at_oissg.org)
Date: 10/12/05

    To: <focus-ids@securityfocus.com>
    Date: Wed, 12 Oct 2005 22:52:11 +0100

    > -----Original Message-----
    > From: vipul kumra [mailto:vikumar2@yahoo.com]
    >
    > Hi Dhruv,
    >
    > I agree with what you have said... but then there is
    > no 100% fool proof method for detecting anything. As
    > far as I've seen iPolicy Networks IDS protection is
    > quite strong... :)

    Why use a hammer with a screw? Network based detection is able to deal
    pretty well with known network threats, but some sorts of malware (including
    some Trojans and spyware) are customized or modified and used against specific
    targets. You won't detect those with generic signatures or network based
    anomaly behavior.

    hIDS/hIPS are much more effective in detecting and preventing these attacks.
    If there is any anomalous activity to be detected or any forbidden action to
    be blocked, it will be host based, not network based. To start, there is a
    considerable number of ways that these threats can travel through the
    network (e.g. web scripts, P2P messaging, email attachments, trojanized
    downloaded software) and they might not even use the network to get to their
    target (sharing of USB memory sticks, CDs, DVDs, ...).

    Personally I doubt that it is even worth trying to catch this kind of
    malware with a network based IDS or IPS. I would rather use the time for
    polishing hIPS/personal firewall policies.

    I think this is what Dhruv meant.

    Regards,

    Omar Herrera

