IDS mailing list archives

Re: IDS and Spywares


From: "Tim Holman" <tim_holman () hotmail com>
Date: Thu, 13 Oct 2005 15:06:23 +0100

DISCLAIMER - I work for an IPS vendor...  ;)

Hi guys,

It's not very efficient to use an application signature to scan network traffic for spyware. There is also the risk of false positives, i.e. the signature will trip with regards to good traffic, and block it. By far the best, and most fundamental, way to block spyware with a network-based solution is to use a firewall policy to block access to Spyware servers, so that a) clients can't download Spyware from these sites, and b) already infected clients can't phone home and send back information.

Any Spyware that doesn't fit this bill (i.e. uses a large pool of server IP addresses, e.g. something like Skype) would need a signature for detection, but only use signatures when your basic form of protection at lower layers cannot do the job. TopLayer's IPS 5500, for example, maintains an up-to-date list of IP addresses of the most common Spyware servers. Use this with the built-in firewall policy, and you've solved 99% of the problem that Spyware causes on a network connection.

There's absolutely no point chewing up valuable content-checking resources (even if you have the fastest ASIC/FPGA on the market!) if you can solve the problem at a lower level. This is a problem all IDS-based IPS vendors face, as they only properly deal with malicious content, rather than addressing IPS from a practical network level that encompasses firewalling, rate-based checks, and content checks to do the job in the fastest, most efficient way possible.

Regards,

Tim
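As an added illustration of the layered policy described in the message above (address-level firewall blocking first, content signatures only for flows the firewall layer cannot decide), this is example code written for this archive page, not code from the thread or from any vendor product; the "spyware server" networks, the client addresses and the signature byte pattern are constructed placeholders:

```python
import ipaddress
from collections import namedtuple

# Constructed sample data: RFC 5737 documentation ranges stand in for known
# spyware server addresses, and the byte pattern is a made-up signature.
SPYWARE_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.7/32")]
CONTENT_SIGS = {b"PHONE-HOME-BEACON": "sample-spyware-beacon"}
Flow = namedtuple("Flow", "src dst payload", defaults=(b"",))  # src/dst are IP strings

def firewall_layer(flow):
    """Address-only check: cheap, and it covers both directions of the problem
    (clients fetching spyware from a listed server, and infected clients phoning home)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if any(dst in net for net in SPYWARE_NETS):
        return "block: destination is a known spyware server"
    if any(src in net for net in SPYWARE_NETS):
        return "block: source is a known spyware server"
    return None

def signature_layer(flow):
    """Content check: only reached when the firewall layer could not decide."""
    for pattern, name in CONTENT_SIGS.items():
        if pattern in flow.payload:
            return f"block: content signature {name}"
    return None

def inspect(flow):
    """Returns (verdict, layer that decided); the cheaper firewall layer runs first."""
    verdict = firewall_layer(flow)
    if verdict:
        return verdict, "firewall"
    verdict = signature_layer(flow)
    if verdict:
        return verdict, "signature"
    return "allow", "none"

def triage(flows):
    """Counts which layer settled each flow, showing how much content inspection
    the address blocklist saves."""
    counts = {"firewall": 0, "signature": 0, "none": 0}
    for flow in flows:
        counts[inspect(flow)[1]] += 1
    return counts

if __name__ == "__main__":
    sample = [Flow("10.1.2.3", "192.0.2.10"),                            # client fetching from a listed site
              Flow("10.1.2.3", "198.51.100.7", b"POST /collect"),        # infected client phoning home
              Flow("10.1.2.4", "203.0.113.5", b"..PHONE-HOME-BEACON..")]  # only a signature catches this
    print(triage(sample))
```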


----- Original Message ----- From: "Jay Archibald" <jay.archibald () comcast net>
To: <neelabhsharma1 () gmail com>; <focus-ids () securityfocus com>
Sent: Wednesday, October 12, 2005 2:52 AM
Subject: Re: IDS and Spywares


 Could anyone in the group name a few IDS which detect spyware. In my view spyware is to be detected by an antivirus system and not by a network device.

Your view is correct in the regard that antivirus software should DETECT and
REMOVE spyware, but if you want to protect every device in a network from
the effects of spyware a good defense is still through an IDP or firewall.
Can you guarantee every network host in your network has an anti-virus client
running with the latest definition updates?  Even if you can,
spyware/malware creators still have tricky ways of evading
anti-virus/anti-spyware scanners.  In my opinion, perimeter security is
still an effective way to secure a network.

Juniper/Netscreen's IDP systems detect and block spyware.  The nice thing
about their product is they categorize the spyware into several different
categories: CRITICAL, HIGH, MEDIUM, LOW and INFO. This makes it easier to
build IDS policies for blocking the critical alerts while only alerting on
the low.  They currently have over 300 spyware signatures.

They have a good IDP product, but I will say that it is expensive when it
comes to the support contract costs.  One other thing I think they could
improve is providing details or references on spyware signatures like they
do with other categories like HTTP or SMTP.

Jay Archibald
Student - Norwich University
Master of Science in Information Assurance


----- Original Message ----- From: <neelabhsharma1 () gmail com>
To: <focus-ids () securityfocus com>
Sent: Friday, October 07, 2005 12:12 AM
Subject: IDS and Spywares




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------