Nikhil Manampady | 6 Jun 2011 08:49

Re: Ideal IDS/IPS

>
> You can also check if the IDP has a NIC bypass feature which actually makes the IDP work as a normal switch (no
> traffic monitoring) in case of a power failure.
>
>
> Thanks & Regards,
> Nikhil Manampady,
> Security Consultant,
> Paladion Networks.
>
>
>
>
> On Thu, Jun 2, 2011 at 8:50 AM, snort user <snort.user <at> gmail.com> wrote:
>>
>> What would we like to have in an ideal IDS/IPS system? I am not
>> restricting the list to existing approaches such as signature based,
>> anomaly based, statistical or specification based IDS. Just trying to
>> get the wish list sort of. Any feedback is much appreciated.
>>
>> Low false negatives   - maximize detection and prevention of
>> intrusions, detect zero day attacks, detect variations
>> Low false positives   - don't waste analyst time
>> Ease of use           - installation and configuration
>> Low resource usage    - minimize resource usage, degrade gracefully
>> when resource usage exceeds limits
>> High Performance      - good scalability with increasing network speeds
>> Stability, Robustness - no crashes, and resistance to attacks against IDS
>> Minimal ongoing maintenance - Run with minimal human supervision
>>

snort user | 2 Jun 2011 05:20

Ideal IDS/IPS

What would we like to have in an ideal IDS/IPS system? I am not
restricting the list to existing approaches such as signature based,
anomaly based, statistical or specification based IDS. Just trying to
get the wish list sort of. Any feedback is much appreciated.

Low false negatives   - maximize detection and prevention of
intrusions, detect zero day attacks, detect variations
Low false positives   - don't waste analyst time
Ease of use           - installation and configuration
Low resource usage    - minimize resource usage, degrade gracefully
when resource usage exceeds limits
High Performance      - good scalability with increasing network speeds
Stability, Robustness - no crashes, and resistance to attacks against IDS
Minimal ongoing maintenance - Run with minimal human supervision

Thanks

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL
certificate on your web server, you can securely collect sensitive information online, and increase
business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Sebastien Damaye | 24 May 2011 07:05

pytbull, an IDS/IPS Testing Framework

Hi,

I thought you might be interested in pytbull (http://pytbull.sourceforge.net).

pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing
Framework for Snort, Suricata and any IDS/IPS that generates an alert
file. It can be used to test the detection and blocking capabilities
of an IDS/IPS, to compare IDS/IPS, to compare configuration
modifications and to check/validate configurations.

The framework is shipped with about 300 tests grouped in 9 testing modules:

- clientSideAttacks: this module uses a reverse shell to provide the
server with instructions to download remote malicious files. This
module tests the ability of the IDS/IPS to protect against client-side
attacks.
- testRules: basic rules testing. These attacks are supposed to be
detected by the rules sets shipped with the IDS/IPS.
- badTraffic: Non RFC compliant packets are sent to the server to test
how packets are processed.
- fragmentedPackets: various fragmented payloads are sent to server to
test its ability to recompose them and detect the attacks.
- multipleFailedLogins: tests the ability of the server to track
multiple failed logins (e.g. FTP). Makes use of custom rules on Snort
and Suricata.
- evasionTechniques: various evasion techniques are used to check if
the IDS/IPS can detect them.
- shellCodes: send various shellcodes to the server on port 21/tcp to
test the ability of the server to detect/reject shellcodes.
- denialOfService: tests the ability of the IDS/IPS to protect against

Mayank.2.Bhatnagar | 9 May 2011 10:43

Deployed Grid based Intrusion Detection System solutions??

Hi all,

Just wanted to know which are the deployed and currently used Grid based IDS systems.
I have heard about some academic projects, but since I could not get further updates, I am posting here.

Distributed IDS systems, evolving to serve high-computing and networked Grids: are they being trusted and
channelized by all grid participating members? I am sure there must be unique challenges, but how far
have we reached? Can anyone kindly share their views?

Thanks & Regards,
Mayank 


stcroix111 | 4 May 2011 22:40

Re: host sensors needed?

As I am sure you could have predicted, my answer is that it depends. There are more security options
available in a HIDS solution that you won't find when using the tools that you mention in your post such as
being able to do behavioral analysis of the software executing on the server. For example, you can deny
certain executables from running in a directory where it isn't expected, block all executables from
running in temp directories, home directories, etc. As with any software there is a learning curve so it is
best to start out with HIDS running in "learning" mode which you can tune over time. 
When looking at defense in depth, go for a mixture of signature-based (IDS, AV) along with heuristic or
behavior-based tools. Hope this helps.


Shang Tsung | 20 Apr 2011 13:02

host sensors needed?

I know there is no clear answer to the below question, but I would
like to have some views and opinions.

We are considering whether to install Host IDS Sensors on webservers.
Having them is better security for sure. However, is the added
security worth the extra cost and burden to the server/network?

Before the traffic reaches the webservers, it passes through a Network
IDS Sensor, a Network Firewall, and a Web Application Firewall. This
is why we are not sure whether another layer is worth the trouble.

Thanks,
ST


susurros07 | 8 Apr 2011 08:11

Re: Installing Snort in Proventia GX

Hi All,

I have to quit my little project. I still think that it's possible to
do it, but I don't have the time to realize it.
Thanks for your interest.

Sergio

On Fri, Apr 8, 2011 at 7:05 AM, Laurens Vets <laurens <at> daemon.be> wrote:
> Hello,
>
>> I am thinking of installing a new Linux distribution on a Proventia IDS.
>> I can't find any documentation; has anyone tried?
>
> Which exact model is it?
>
> It will probably work, the Proventia firmware is based on Linux anyway
> (Red Hat I think).
>

sergio delgado | 5 Apr 2011 12:59

Installing Snort in Proventia GX

Hi All,

I am thinking of installing a new Linux distribution on a Proventia IDS.
I can't find any documentation; has anyone tried?

Thanks,

Sergio

P.S.: Sorry about my English; I will thank you if you point out any mistakes.


Yago Jesus | 23 Feb 2011 03:40

New Tool: 'Patriot NG 2.0'

Patriot is a 'Host IDS' tool which allows real-time monitoring of
changes in Windows systems and of network attacks.

Patriot monitors:
- Changes in Registry keys: indicating whether any sensitive key (autorun, Internet Explorer settings...) is altered
- New files in 'Startup' directories
- New users in the system
- New services installed
- Changes in the hosts file
- New scheduled jobs
- Alteration of the integrity of Internet Explorer (new BHOs, configuration changes, new toolbars)
- Changes in the ARP table (prevention of MITM attacks)
- Installation of new drivers
- New NetBIOS shares
- TCP/IP defense (new open ports, new connections made by processes, port scan detection...)
- Files in critical directories (new executables, new DLLs...)
- New hidden windows (cmd.exe / Internet Explorer using OLE objects)
- NetBIOS connections to the system
- ARP Watch (new hosts in your network)
- NIDS (detect anomalous network traffic based on editable rules)

Homepage: http://www.security-projects.com/?Patriot_NG

Cheers

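Several of the items Patriot watches (the hosts file, the ARP table, new or replaced files in a critical directory) come down to the same defensive pattern: take a baseline snapshot, take a fresh one, and report every difference. The Python below is an added example that is not Patriot's code; it assumes Windows-style `arp -a` output for the constructed ARP snapshots (the Linux one-line `arp -a` layout is parsed too), and the hosts-file and directory contents are constructed sample data as well.

```python
"""Baseline-and-diff monitoring of host artefacts in the style of Patriot NG:
hosts file, ARP table, files in a critical directory. Added example, not Patriot's code."""
import hashlib
import os
import re
import tempfile

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC = re.compile(r"\b([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\b")


def parse_hosts(text):
    """hostname -> IP from hosts-file text; comments and blank lines are ignored."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping


def parse_arp(text):
    """IP -> MAC from `arp -a` output (Windows table layout or Linux one-line layout);
    lines lacking either an address or a MAC, such as headers, are skipped."""
    mapping = {}
    for line in text.splitlines():
        ip, mac = IPV4.search(line), MAC.search(line)
        if ip and mac:
            mapping[ip.group(1)] = mac.group(1).lower().replace("-", ":")
    return mapping


def snapshot_dir(path):
    """filename -> SHA-256 of every regular file in one directory (no recursion)."""
    digests = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as f:
                digests[name] = hashlib.sha256(f.read()).hexdigest()
    return digests


def diff_mappings(baseline, current):
    """(key, old, new) for every key whose value differs; None marks an absent side."""
    return [(k, baseline.get(k), current.get(k))
            for k in sorted(set(baseline) | set(current))
            if baseline.get(k) != current.get(k)]


def classify(changes, changed, added, gone):
    """Label each raw diff as changed, added or removed."""
    return [(changed if old and new else added if new else gone, key, old, new)
            for key, old, new in changes]


def check_arp(baseline_text, current_text):
    """A new MAC behind a known IP (the gateway above all) is the ARP-spoofing
    indicator; a brand-new IP is simply a new host on the segment (ARP Watch)."""
    changes = diff_mappings(parse_arp(baseline_text), parse_arp(current_text))
    return classify(changes, "ARP_CHANGED", "NEW_HOST", "HOST_GONE")


def check_hosts(baseline_text, current_text):
    """Any edit to the hosts file redirects name resolution, so every change is reported."""
    changes = diff_mappings(parse_hosts(baseline_text), parse_hosts(current_text))
    return classify(changes, "HOSTS_CHANGED", "HOSTS_ADDED", "HOSTS_REMOVED")


def check_dir(baseline, current):
    """New executables or DLLs, replaced binaries, and removed files in a watched directory."""
    return classify(diff_mappings(baseline, current), "FILE_CHANGED", "FILE_NEW", "FILE_GONE")


# Constructed sample snapshots (not real hosts), Windows `arp -a` layout.
BASELINE_ARP = """Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic
"""
CURRENT_ARP = """Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           66-77-88-99-aa-bb     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.77          aa-bb-cc-dd-ee-02     dynamic
"""
BASELINE_HOSTS = "127.0.0.1 localhost\n10.0.0.5 intranet.example.com\n"
CURRENT_HOSTS = ("127.0.0.1 localhost\n10.0.0.66 intranet.example.com   # constructed change\n"
                 "10.0.0.99 www.example.com\n")


def demo_directory_watch():
    """Baseline a scratch directory, then replace one file and add another."""
    with tempfile.TemporaryDirectory() as d:
        def write(name, data):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        write("service.exe", b"version 1")
        baseline = snapshot_dir(d)
        write("service.exe", b"version 2")   # binary replaced in place
        write("helper.dll", b"new library")  # new DLL appeared alongside it
        return check_dir(baseline, snapshot_dir(d))


if __name__ == "__main__":
    for event in (check_arp(BASELINE_ARP, CURRENT_ARP) + check_hosts(BASELINE_HOSTS, CURRENT_HOSTS)
                  + demo_directory_watch()):
        print(*event)
```

On a real host the baseline would be taken once at a known-good moment and stored outside the monitored machine; a changed gateway MAC is worth alerting on immediately, while a new host or a new file usually goes to a review queue first.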

Pete Herzog | 15 Feb 2011 19:35

[ISECOM-HACKERHIGH] Sharpen Your Security Skills!

Hi,

There are 2 new seminars available next month held at the Troopers 
conference in Heidelberg, Germany, starting March 28.

"Smarter Safer Better" is for anyone, really anyone, who wants to 
understand how the human mind works to make better trust and security 
decisions. Think of it as the ultimate security awareness class where 
you are first aware about YOU and how to sharpen those instincts. It's 
an eye-opening experience! See 
http://www.troopers.de/troopers11/agenda/smarter-safer-better-workshop/

"OSSTMM 101" is that class for everyone who just couldn't get through 
reading the whole OSSTMM 3 but really wants to know about it and how 
it gets applied. See 
http://www.troopers.de/troopers11/agenda/osstmm-101-workshop/

Both classes are taught by me, Pete Herzog, and are each 1 day long. 
Check out the Troopers agenda for more details:
http://www.troopers.de/troopers11/agenda/

Then you can sign up and register here: https://www.troopers.de/sign-up/

It's a great venue and these will be great seminars! Hope to see you 
there!

Sincerely,
-pete.


Yago Jesus | 7 Feb 2011 20:14

New release of Unhide (2011-01-13)

Unhide is a forensic tool to find processes and TCP/UDP ports hidden
by rootkits / LKMs or by other hiding techniques.

// Unhide (ps)

Detects hidden processes. Six different techniques are implemented:

- Comparing /proc vs /bin/ps output
- Comparing information gathered from /bin/ps with information
gathered by walking through the procfs.
- Compare information gathered from /bin/ps with information gathered
from syscalls (syscall scanning).
- Full PIDs space occupation (using PIDs bruteforcing)
- Reverse search, verifying that every thread seen by ps is also
seen by the kernel ( /bin/ps output vs /proc, procfs walking and
syscall )
- Quick compare /proc, procfs walking and syscall vs /bin/ps output.

// Unhide-TCP

Identifies TCP/UDP ports that are listening but not listed in
/bin/netstat, by brute-forcing every available TCP/UDP port.

Changes in this release:

[+] New tests added.
[+] Now, Unhide is more modular, allowing the selection of single
tests (or metatests)
[+] New project homepage released: http://www.unhide-forensics.info

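The /proc-vs-ps comparison, the full PID-space walk and the reverse search that the announcement lists all reduce to taking two views of the process table, one from a userland tool and one from the kernel, and diffing them. The Python below is an added example written to illustrate those techniques; it is not Unhide's own code (Unhide is a C tool). The live collectors assume a Linux host with `/bin/ps` and a readable `/proc`, and the thread filter via `/proc/<pid>/status` is this example's way of keeping thread IDs out of the PID-space view; `compare_views` and `stable_hidden` take plain sets, so they can be exercised on constructed data.

```python
"""Hidden-process checks in the style of Unhide: /proc listing vs /bin/ps,
a full PID-space walk, and the reverse search. Added example, not Unhide's code."""
import os
import subprocess


def pids_from_proc():
    """PIDs visible by listing /proc (Unhide's procfs view)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_ps():
    """PIDs that /bin/ps reports. A rootkit that filters directory listings or
    hooks the libraries ps relies on blinds this view, while the kernel still
    knows the process."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(token) for token in out.split()}


def _is_thread(pid):
    """A non-leader thread's /proc/<tid>/status carries its leader's Tgid.
    An unreadable entry is treated as a process: that is what a hidden one looks like."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False


def pids_from_pid_space(limit=None):
    """Unhide's 'full PID space occupation': probe every PID with kill(pid, 0).
    ESRCH means free; success or EPERM means the kernel has something there,
    listed or not. Walking up to pid_max can take seconds on a large system."""
    if limit is None:
        with open("/proc/sys/kernel/pid_max") as f:
            limit = int(f.read())
    alive = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:      # ESRCH: no such process
            continue
        except PermissionError:         # EPERM: exists, not ours to signal
            pass
        if not _is_thread(pid):         # ps lists processes, not their threads
            alive.add(pid)
    return alive


def compare_views(kernel_view, ps_view):
    """(hidden, phantom): PIDs the kernel reports but ps omits, and PIDs ps
    lists that the kernel does not (Unhide's reverse search)."""
    return sorted(kernel_view - ps_view), sorted(ps_view - kernel_view)


def stable_hidden(kernel_sampler, ps_sampler, rounds=3):
    """Processes that start or exit between two snapshots (ps itself, for one)
    produce one-off differences; only a PID hidden in every round is reported."""
    hidden = None
    for _ in range(rounds):
        round_hidden = set(compare_views(kernel_sampler(), ps_sampler())[0])
        hidden = round_hidden if hidden is None else hidden & round_hidden
    return sorted(hidden)


if __name__ == "__main__":
    for label, sampler in (("procfs", pids_from_proc), ("PID space", pids_from_pid_space)):
        found = stable_hidden(sampler, pids_from_ps)
        print(f"{label} vs ps:", f"hidden PIDs {found}" if found else "nothing hidden")
```

Run as root so that `/proc/<pid>/status` is readable for every process; a PID reported in all rounds by the PID-space walk but absent from both `/proc` and `ps` is the strongest signal, since only the kernel's own bookkeeping sees it.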