Announcement

Collapse
No announcement yet.

IPS? General Discussion

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • IPS? General Discussion

    Long time no post, all.

    Anyways, I just wanted to start a general discussion on IPS, and your guy's thoughts and views on it.

    Since I recently started working for a antivirus company, this roughly new technology has fallen into my lap. For those who dont know what IPS is, Basically Intrusion Prevention Systems do pattern matching, looks for "suspicious" strings, and kills the processes they believe could potenitally be viruses, trojans, etc. IPS can be fully customizable, and with Panda Software, they even boast killing processes of programs that show signs of buffer overflows, with thier TruPrevent Technologies.

    http://www.pandasoftware.com/products/truprevent_tec/

    McAfee has a similar technology called Entercept, however like always with McAfee, they are way more picky about what they add to thier signature file, based on cost, effectiveness of the virus, etc.

    http://www.networkassociates.com/us/...rd_edition.htm

    [EDIT]These things can also act as a mid wife before a suitable definition for a virus fix can be written to the signature file, which also helps with viruses that have not yet been known to the AV companies.[/EDIT]

    Anyways, I just wanted to get this out there and let me know what you guys think about these programs, if you can see any possible exploits, etc.
    Last edited by IcEbLAze; October 26, 2004, 22:35.
    When you draw first blood you can't stop this fight
    For my own piece of mind - I'm going to
    Tear your fucking eyes out
    Rip your fucking flesh off
    Beat you till you're just a fucking lifeless carcass
    Fuck you and your progress
    Watch me fucking regress
    You were meant to take the fall - now you're nothing
    Payback's a bitch motherfucker!

    Slayer - Payback

  • #2
    You can also check out Intrusion

    www.intrusion.com

    Netscreen also has IDS/IPS project too

    And theres always SNORT

    I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me

    Comment


    • #3
      Originally posted by noid
      You can also check out Intrusion

      www.intrusion.com

      And theres always SNORT
      Heh, i believe those are a little bit different buds. Intrustion Detection, yea, it detects, however it doesnt really do anything, which gives major overhead to the admin. Intrustion Prevention creates a set of rules and acts accordingly, which is one of the major benefits of IPS :)
      When you draw first blood you can't stop this fight
      For my own piece of mind - I'm going to
      Tear your fucking eyes out
      Rip your fucking flesh off
      Beat you till you're just a fucking lifeless carcass
      Fuck you and your progress
      Watch me fucking regress
      You were meant to take the fall - now you're nothing
      Payback's a bitch motherfucker!

      Slayer - Payback

      Comment


      • #4
        Originally posted by IcEbLAze
        Heh, i believe those are a little bit different buds. Intrustion Detection, yea, it detects, however it doesnt really do anything, which gives major overhead to the admin. Intrustion Prevention creates a set of rules and acts accordingly, which is one of the major benefits of IPS :)

        Also these things are meant to be implemented on the host machines, rather then a front lines deal like IDS. Just wanted to point that out as well
        When you draw first blood you can't stop this fight
        For my own piece of mind - I'm going to
        Tear your fucking eyes out
        Rip your fucking flesh off
        Beat you till you're just a fucking lifeless carcass
        Fuck you and your progress
        Watch me fucking regress
        You were meant to take the fall - now you're nothing
        Payback's a bitch motherfucker!

        Slayer - Payback

        Comment


        • #5
          I'd suggest reading up on those packages before making blanket generalizations on them. Both the Intrusion and Netscreen products are NIDS packages with IPS functionality.

          I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me

          Comment


          • #6
            Originally posted by IcEbLAze
            Also these things are meant to be implemented on the host machines, rather then a front lines deal like IDS. Just wanted to point that out as well
            You are talking about two different beasts, host IDS (hIDS) and network (nIDS), just for the record.

            I've used Snort as an IDS, and also with Hogwash to make Snort an IPS. Hogwash was a very early effort, but Snort-Inline has taken it's place. http://snort-inline.sourceforge.net/ Note you can use Snort as a nIDS or hIDS depending on how robust your workstation is.

            As far as other hIDS, hIPS my experience has been with Enterasys Dragon, not favorably, but I can't impress enough the impact of *tuning* your device.
            Aut disce aut discede

            Comment


            • #7
              Originally posted by AlxRogan
              You are talking about two different beasts, host IDS (hIDS) and network (nIDS), just for the record.

              I've used Snort as an IDS, and also with Hogwash to make Snort an IPS. Hogwash was a very early effort, but Snort-Inline has taken it's place. http://snort-inline.sourceforge.net/ Note you can use Snort as a nIDS or hIDS depending on how robust your workstation is.

              As far as other hIDS, hIPS my experience has been with Enterasys Dragon, not favorably, but I can't impress enough the impact of *tuning* your device.

              Of course keeping patched boxes and "tuning" are musts, however I just wanted to kinda give a larger sight here to how very handy IPS can be. Having a Front line network IDS coupled with IPS services can prove to be very effective. If some small company cannot afford 1u antivirus defense systems, so you have everything going through a linux box, I especially believe these technologies can prove to be a *very* nice compliment on top of mainstream AV programs. I also suppose I am more interested in how they can kill processes on the host box that prove to have poor code and result in buffer overflow.

              keep em comming!
              When you draw first blood you can't stop this fight
              For my own piece of mind - I'm going to
              Tear your fucking eyes out
              Rip your fucking flesh off
              Beat you till you're just a fucking lifeless carcass
              Fuck you and your progress
              Watch me fucking regress
              You were meant to take the fall - now you're nothing
              Payback's a bitch motherfucker!

              Slayer - Payback

              Comment


              • #8
                Originally posted by IcEbLAze

                keep em comming!

                As soon as you say you're sorry to noid.

                Comment


                • #9
                  Originally posted by highwizard
                  As soon as you say you're sorry to noid.
                  Haha, yea I apologize for that. However for the record I direct quoted him in the first post before he added netscreen. Then again I did not know intrusion had IPS capabilites.
                  When you draw first blood you can't stop this fight
                  For my own piece of mind - I'm going to
                  Tear your fucking eyes out
                  Rip your fucking flesh off
                  Beat you till you're just a fucking lifeless carcass
                  Fuck you and your progress
                  Watch me fucking regress
                  You were meant to take the fall - now you're nothing
                  Payback's a bitch motherfucker!

                  Slayer - Payback

                  Comment


                  • #10
                    Ips

                    Hi!

                    Just came back from a McAfee Live Attack Roadshow, and i must say that it was quite impressive.

                    We ran some live attacks using My.Doom and Blaster.

                    Entercept was able to pick this up, literally in a matter of seconds, and began to launch preventative measures.

                    Being a devout Snort user, i decided to find out, how i can configure snort to do something like this, and came accross snort-inline. Seems pretty good, but still needs some tweaking.
                    I still need to figure out a way to make sure that false intrusions, do not cause problems with trusted traffic.
                    Also, need to be able to use iptables well (a bit lazy, I use firestarter to setup firewalls!)

                    I also aggree that IPS should be focused on the hosts, rather than the perimeter gateway, as threats not only appear from the wild, but internally as well.

                    There is a snort win32 binary available....
                    With the right packaging, and configuration (Central DB, rules, etc) it would be possible to implement/design a completley GNU IPS?

                    I still have many IDSĀ“s in various networks based on snort, and was wondering:
                    Is it the end for IDS?
                    in the begining, there was the command line....

                    Comment


                    • #11
                      I agree for it to be on the perimeter gateway rather that running it on a hosts
                      My Digital Signature
                      -----BEGIN PGP SIGNATURE-----
                      Version: GnuPG v1.4.0 (FreeBSD)
                      iD8DBQFDT5qLzIuaDTU+nSQRAi6pAJwIT/AhD
                      QlSh5A2E7bUh2p2EdRvFwCgliEm
                      MIOm7jW92AmMKk7mShBHmTE==7o7u
                      -----END PGP SIGNATURE-----

                      Comment


                      • #12
                        re: IPS

                        perhaps, a bit of both:

                        Hosts, and Perimeter - with a central DB?
                        in the begining, there was the command line....

                        Comment


                        • #13
                          Originally posted by maddhatter
                          We ran some live attacks using My.Doom and Blaster.
                          Interesting that they chose two worms sufficiently old enough that every AV package on the face of the planet pickes them up, never mind IPS (and even some IDSes).

                          Entercept was able to pick this up, literally in a matter of seconds, and began to launch preventative measures.
                          Woohoo!

                          Being a devout Snort user, i decided to find out, how i can configure snort to do something like this, and came accross snort-inline. Seems pretty good, but still needs some tweaking.
                          You might want to check out either Snortsam or snort-2.4.x - both support dynamic blocking, and snort-inline was rolled into snort proper in (IIRC) the 2.3 series.

                          I still need to figure out a way to make sure that false intrusions, do not cause problems with trusted traffic.
                          1) Tailor the detection set to your specific environment.
                          2) Run it live, see what breaks.
                          3) Based on 2) above, disable known-false-positive signatures as necessary.
                          4) Repeat 2) and 3) above.
                          5) Profit.

                          Also, need to be able to use iptables well (a bit lazy, I use firestarter to setup firewalls!)
                          http://www.iptables.org/

                          I also aggree that IPS should be focused on the hosts, rather than the perimeter gateway, as threats not only appear from the wild, but internally as well.
                          And any IPS is only as good as what it knows how to detect. And what kind of IPS are we talking about, signature-based, heuristic, something else?

                          Anything that has to run on a host machine used by people that aren't you (i.e., every PC in, say, the typical networked enterprise environment) is open to tampering, deliberate or otherwise. Deploy IPS to every desktop and watch how fast the users break it - and the one thing that can be worse than having no tools to work with is having only *broken* tools to work with. Summary: keep watching the network.

                          There is a snort win32 binary available....
                          With the right packaging, and configuration (Central DB, rules, etc) it would be possible to implement/design a completley GNU IPS?
                          Yeah, but you wouldn't want to base it on Windows. Sourcefire already does what you're talking about, btw. And fuck GNU and their happy-clappy 'licensing' bullshit.

                          I still have many IDS´s in various networks based on snort, and was wondering:
                          Is it the end for IDS?
                          God, if I had a nickel for every time I'd heard this I'd have a shitload of nickels on my desk, so: emphatically, NO. Think, don't buy into marketing hype.

                          Comment


                          • #14
                            Originally posted by skroo
                            Interesting that they chose two worms sufficiently old enough that every AV package on the face of the planet pickes them up, never mind IPS (and even some IDSes).



                            Woohoo!



                            You might want to check out either Snortsam or snort-2.4.x - both support dynamic blocking, and snort-inline was rolled into snort proper in (IIRC) the 2.3 series.



                            1) Tailor the detection set to your specific environment.
                            2) Run it live, see what breaks.
                            3) Based on 2) above, disable known-false-positive signatures as necessary.
                            4) Repeat 2) and 3) above.
                            5) Profit.



                            http://www.iptables.org/



                            And any IPS is only as good as what it knows how to detect. And what kind of IPS are we talking about, signature-based, heuristic, something else?

                            maddhatter: it is currently sig based, using unforunately bleeding edge, and some of my own rules, since sourcefire starting charging for rules.

                            Anything that has to run on a host machine used by people that aren't you (i.e., every PC in, say, the typical networked enterprise environment) is open to tampering, deliberate or otherwise. Deploy IPS to every desktop and watch how fast the users break it - and the one thing that can be worse than having no tools to work with is having only *broken* tools to work with. Summary: keep watching the network.

                            maddhatter: understood

                            Yeah, but you wouldn't want to base it on Windows. Sourcefire already does what you're talking about, btw. And fuck GNU and their happy-clappy 'licensing' bullshit.

                            maddhatter: sad to hear you feel that way!

                            God, if I had a nickel for every time I'd heard this I'd have a shitload of nickels on my desk, so: emphatically, NO. Think, don't buy into marketing hype.
                            maddhatter: Thanks for your valuable input.
                            out with snort-inline, and in with SnortSAM.

                            God bless.
                            in the begining, there was the command line....

                            Comment


                            • #15
                              Originally posted by maddhatter
                              maddhatter: Thanks for your valuable input.
                              out with snort-inline, and in with SnortSAM.
                              No worries. BTW, make sure to pay attention to the bindip directive in snortsam.conf - if you don't, it'll listen on all interfaces by default, and you probably don't want to expose that to the outside world.

                              Comment

                              Working...
                              X