Re: Looking for HIDS-only products for XP/2000Pro

["Jean-Pierre Denis" <jp () webglobe ca>]

Hi,


Bill Stout wrote:
> I'm assuming most companies do both HIDS and blocking.  Are there any
> companies which specialize in HIDS for XP/2000Pro?  Specifically passive
> (worm/virus/Trojan) attacks, maybe with an online database for
> reference.

You can detect worm, virus & trojan with NIDS. They transmit and propagate
trough the network so a NIDS that use signatures to detect this should
alert you.

For example:
http://www.bleedingsnort.com/bleeding-malware.rules
http://www.bleedingsnort.com/bleeding-virus.rules


> In other words, if we have a product which protects against certain
> vectors (IE & Outlook), and we want to prove that it did protect them
> although it doesn't detect, what could I use to detect and identify
> specific attacks?

Place a NIDS inside and outside. I mean one before the defense system you
already have (this will prove that they are comming in) and one inside your
defence system.

The one inside should not see the malware since they are suppose to be
blocked by what you are using already.

Also, something to check the integrity of your host like tripwire should
be used on _all_ production server.

As far as products goes, there is many of them.
Okena which was bought by cisco. OpenHids.
Snort not in promiscus mode would do the job too!

Hope this help,


Merci,
Jean-Pierre Denis
 (LPIC1 - LPIC2)
WebGlobe Solutions TI
email: jp () webglobe ca
tel.: (819) 246-0WWW (0999)
www:   http://www.webglobe.ca


-----------------------------------------
 WebMail Powered by WebGlobe. 
 http://www.webglobe.ca     


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------