Hi,
Bill Stout wrote:
I'm assuming most companies do both HIDS and blocking. Are there any
companies which specialize in HIDS for XP/2000Pro? Specifically passive
(worm/virus/Trojan) attacks, maybe with an online database for
reference.
You can detect worm, virus & trojan with NIDS. They transmit and propagate
trough the network so a NIDS that use signatures to detect this should
alert you.
For example:
http://www.bleedingsnort.com/bleeding-malware.rules
http://www.bleedingsnort.com/bleeding-virus.rules
In other words, if we have a product which protects against certain
vectors (IE & Outlook), and we want to prove that it did protect them
although it doesn't detect, what could I use to detect and identify
specific attacks?
Place a NIDS inside and outside. I mean one before the defense system you
already have (this will prove that they are comming in) and one inside your
defence system.
The one inside should not see the malware since they are suppose to be
blocked by what you are using already.
Also, something to check the integrity of your host like tripwire should
be used on _all_ production server.
As far as products goes, there is many of them.
Okena which was bought by cisco. OpenHids.
Snort not in promiscus mode would do the job too!
Hope this help,
Merci,
Jean-Pierre Denis
(LPIC1 - LPIC2)
WebGlobe Solutions TI
email: jp@webglobe.ca
tel.: (819) 246-0WWW (0999)
www: http://www.webglobe.ca
-----------------------------------------
WebMail Powered by WebGlobe.
http://www.webglobe.ca
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
