Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

IPS HLBR 1.0 released (off-topic)

from [Eriberto] Network Security [Permanent Link]
Subject: IPS HLBR 1.0 released (off-topic)
Date: Mon, 06 Mar 2006 14:33:21 -0300 
IPS HLBR - Version 1.0 can detect malicious traffic using regular
expressions

Version 1.0 of Hogwash Light BR, released march 5th 2006, brings two
interesting new features. The first one is the ability of using
regular expressions to detect intrusion attempts and e-mails with
virus or phishing. The second is the use of lists with banned words.

HLBR is an IPS (Intrusion Prevention System) that reads network
traffic in the layer 2 of the OSI model. Since it works like a bridge,
it stays in-line in the network topology and doesn't need an IP
address. So, HLBR is invisible to attackers. Traffic filtering
(including the packets contents) can be done with simple rules.
Version 1.0 can use regular expressions to filter the packets. Below
is an example of rule with regular expressions:

(please see http://hlbr.sourceforge.net/hlbr-rule-1.gif)

In short, all TCP traffic destined to port 25 of the e-mail server
will be filtered. If the text:

filename="anything_different_of_line_breaks.s__c__r"

(please ignore underlines in s__c__r)

is found inside the packet, that means there are an attachment .scr in
the e-mail (virus). So this packet will suffer the action named 'virus'.
This action logs the event, dumps the malicious traffic in tcpdump
format and drops the packet. Below is an example of rule against a type
of buffer overflow attempt against DNS servers:

(please see http://hlbr.sourceforge.net/hlbr-rule-2.gif)

In this case, due to the use of pipe characters (|), HLBR will check
the traffic for the hexadecimal sequence given as an attack signature.

HLBR lets you use rules for blocking attacks against network servers.
In order to fully understand it please read our documentation at
http://hlbr.sourceforge.net/ips-en.html - explanations about the IPS
concept including charts.

HLBR site is at http://hlbr.sourceforge.net.

(Translated from Portuguese by André Bertelli - andre (a) bertelli.name)


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • IPS HLBR 1.0 released (off-topic), Eriberto <=
Previous by Date:  some tools about kernel monitoring, zhuowei
Next by Date:  Re: SNORT Testing, Stefano Zanero
Previous by Thread:  some tools about kernel monitoring, zhuowei
Next by Thread:  IDS Tuning, Naveen Sharma
Indexes:  [Date] [Thread] [Top] [All Lists]