Re: IDS and Spywares

From: Tim Holman (tim_holman_at_hotmail.com)
Date: 10/13/05

    To: "Jay Archibald" <jay.archibald@comcast.net>, <neelabhsharma1@gmail.com>, <focus-ids@securityfocus.com>
    Date: Thu, 13 Oct 2005 15:06:23 +0100
    
    

    DISCLAIMER - I work for an IPS vendor... ;)

    Hi guys,

    It's not very efficient to use an application signature to scan network
    traffic for spyware. There is also the risk of false positives - i.e. the
    signature will trip on good traffic and block it.

    By far the best, and most fundamental, way to block spyware with a network
    based solution is to use a firewall policy to block access to spyware
    servers, so that a) clients can't download spyware from these sites, and b)
    already infected clients can't phone home and send back information.
    Any spyware that doesn't fit this bill (i.e. uses a large pool of server IP
    addresses - e.g. something like Skype) would need a signature for detection,
    but only use signatures when your basic form of protection at lower layers
    cannot do the job.

    TopLayer's IPS 5500, for example, maintains an up-to-date list of IP
    addresses of the most common spyware servers. Use this with the built-in
    firewall policy, and you've solved 99% of the problem that spyware causes on
    a network connection.

    There's absolutely no point chewing up valuable content-checking resources
    (even if you have the fastest ASIC/FPGA on the market!) if you can solve
    the problem at a lower level. This is a problem all IDS-based IPS vendors
    face, as they only properly deal with malicious content, rather than
    addressing IPS from a practical network level that encompasses firewalling,
    rate-based checks, and content-checks to do the job in the fastest, most
    efficient way possible.

    Regards,

    Tim

    ----- Original Message -----
    From: "Jay Archibald" <jay.archibald@comcast.net>
    To: <neelabhsharma1@gmail.com>; <focus-ids@securityfocus.com>
    Sent: Wednesday, October 12, 2005 2:52 AM
    Subject: Re: IDS and Spywares

    >> Could anyone in the group name a few IDS which detect spywares. In my
    >> view spywares are to be detected by an antivirus system and not by a
    >> network device.
    >
    > Your view is correct in the regard that antivirus software should DETECT
    > and REMOVE spyware, but if you want to protect every device in a network
    > from the effects of spyware a good defense is still through an IDP or
    > firewall. Can you guarantee every network host in your network has an
    > anti-virus client running with the latest definition updates? Even if you
    > can, spyware/malware creators still have tricky ways of evading
    > anti-virus/anti-spyware scanners. In my opinion, perimeter security is
    > still an effective way to secure a network.
    >
    > Juniper/Netscreen's IDP systems detect and block spyware. The nice thing
    > about their product is they categorize the spyware into several different
    > categories: CRITICAL, HIGH, MEDIUM, LOW and INFO. This makes it easier to
    > build IDS policies for blocking the critical alerts while only alerting on
    > the low. They currently have over 300 spyware signatures.
    >
    > They have a good IDP product, but I will say that it is expensive when it
    > comes to the support contract costs. One other thing I think they could
    > improve is providing details or references on spyware signatures like they
    > do with other categories like HTTP or SMTP.
    >
    > Jay Archibald
    > Student - Norwich University
    > Master of Science in Information Assurance
    >
    >
    > ----- Original Message -----
    > From: <neelabhsharma1@gmail.com>
    > To: <focus-ids@securityfocus.com>
    > Sent: Friday, October 07, 2005 12:12 AM
    > Subject: IDS and Spywares
    >
    >
    >
    >
    > ------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it
    > with real-world attacks from CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    > ------------------------------------------------------------------------
    >
    >
    >

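    To make the layered approach Tim argues for concrete, here is an added Python example; it is not Tim's code, nor anything from the TopLayer or Juniper products discussed. It checks each outbound flow against a cheap IP blocklist first (covering both the initial download and an infected client phoning home) and only falls back to a content signature for flows the network layer could not decide. The blocklist prefixes, the `Flow` log format, the `hypothetical-reporter-beacon` signature and the sample flow lines are all constructed for the illustration.

```python
"""Layered spyware policy: IP blocklist first, content signatures only as fallback.
Added illustration, not code from the thread or any vendor; all data is constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed blocklist of "known spyware server" ranges (RFC 5737 documentation
# prefixes stand in for a vendor-maintained list). Stored as networks so CIDRs work.
SPYWARE_SERVERS = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24",       # hypothetical spyware download host range
    "198.51.100.7/32",    # hypothetical phone-home collector
)]

# Constructed content signature for spyware that uses a large, changing pool of
# server IPs. Consulted only when the IP check passes (lower layer first).
CONTENT_SIGNATURES = {
    "hypothetical-reporter-beacon": re.compile(rb"^POST /collect\?id=[0-9a-f]{8}", re.M),
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Verdict:
    action: str   # "block", "alert" or "allow"
    layer: str    # "firewall", "signature" or "none"
    reason: str


def ip_listed(ip):
    """True if the address falls inside any listed spyware server prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SPYWARE_SERVERS)


def classify(flow):
    # Layer 1: firewall policy. Outbound to a listed server covers both (a) the
    # initial download and (b) an infected client phoning home.
    if ip_listed(flow.dst):
        return Verdict("block", "firewall", f"destination {flow.dst} is a listed spyware server")
    # Layer 2: content signature, spent only on flows the IP policy could not decide.
    for name, pattern in CONTENT_SIGNATURES.items():
        if pattern.search(flow.payload):
            return Verdict("alert", "signature", f"matched {name}")
    return Verdict("allow", "none", "no policy hit")


def parse_flow_log(text):
    """Parse constructed 'src dst dport [payload]' lines; payload is optional."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split(None, 3)
        src, dst, dport = parts[0], parts[1], int(parts[2])
        payload = parts[3].encode() if len(parts) == 4 else b""
        flows.append(Flow(src, dst, dport, payload))
    return flows


def run_policy(text):
    """Classify every flow and count which layer settled each one."""
    verdicts = [classify(f) for f in parse_flow_log(text)]
    stats = {"firewall": 0, "signature": 0, "none": 0}
    for v in verdicts:
        stats[v.layer] += 1
    return verdicts, stats


# Constructed sample flow log: download from a listed host, a phone-home to the
# collector, a beacon to an unlisted host, and ordinary browsing.
SAMPLE_LOG = """\
10.0.0.5 192.0.2.77 80 GET /installer.exe HTTP/1.1
10.0.0.9 198.51.100.7 443
10.0.0.9 203.0.113.30 80 POST /collect?id=deadbeef HTTP/1.1
10.0.0.12 203.0.113.31 80 GET /index.html HTTP/1.1
"""

if __name__ == "__main__":
    verdicts, stats = run_policy(SAMPLE_LOG)
    for v in verdicts:
        print(v.action, v.layer, v.reason)
    print(f"content inspection avoided for {stats['firewall']} of {len(verdicts)} flows")
```

    The `stats` counter is the point of the exercise: on the sample log two of four flows never reach the signature engine at all, which is exactly the content-checking capacity Tim says should not be wasted on problems a firewall rule already solves. In practice the blocklist would be fed from a maintained source and the flows from firewall or NetFlow export rather than the constructed strings above.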


