What are some security softwares that provide IPS/IDS malware detection?

[wendy oltman]

Any softwares providing real time malware detection? Can anybody list them. And are they worth the use? 

[Mindovermaster Moderator]

Think Malwarebytes has that, but you have to pay for that.

 

Otherwise, use Linux!

[wendy oltman]

Just had a look at malware bytes, looks good but a bit expensive. 

[Mindovermaster Moderator]

Well, any free ones are going to give you crap, so...

[wendy oltman]

Yeah that is also a valid point. With the recent WannaCry and Petyas I think it is necessary to  get one protection program. So better pay much.  

[+BudMan MVC]

you do understand that both wannacry and petyas are just exploits to something the user did not patch and most likely should not have been running for years anyway.  SMBv1 should of been disabled on your machines years ago   Especially from a security point of view.

 

What you should take away from such things is, keep your stuff up to date with security patches.  Do not run old protocols that you do not actually need/use..  And make sure you have valid and current backup plan

 

edit: From a IDS/IPS point of view that would run at your edge or at your core router in your network, not really on the host..  There are HIDS, or Host intrusion Detection Systems.  The two opensource or free versions that I am aware of are OSSEC and Tripwire had/has an opensource version and there is AIDE as well..

 

https://ossec.github.io/

 

Is the only one that I know of that would run on windows would be ossec, but then only as an agent.  You could also run and agent on alienvaults OSSIM, but this is more really a SIEM and also has a windows agent.  A SIEM would be part of any actual network..  But your not really going to find many deployed in a typical home setup   While I run one - my home network is not in any way or form "typical" hehehe

 

For your typical home users yeah your best sort of solution would be something like malwarebytes.. But I would not really classify that as any sort of IDS or HIDS even..

 

If you ran say a router/firewall distro like pfsense, or ipcop or smoothwall, etc.. Then they have IDS/IPS that run on them snort and suricata.  Keep in mind that running such systems have a huge learning curve and if not correctly setup and maintain will either flood you with false positive (noise) or can pretty much break your network from being to do the stuff you want to do

 

 

[Circaflex]

9 hours ago, Mindovermaster said:

Otherwise, use Linux!

Just last month, there were reports or Erebus resurfacing as a Linux variant of ransomware. Every OS has their flaws, it is a matter of staying up to date and doing your due diligence as the user. Just because you're using linux, doesn't make you impenetrable. Ever heard of Linux.Encoder.1?

[Mindovermaster Moderator]

40 minutes ago, Circaflex said:

Just last month, there were reports or Erebus resurfacing as a Linux variant of ransomware. Every OS has their flaws, it is a matter of staying up to date and doing your due diligence as the user. Just because you're using linux, doesn't make you impenetrable. Ever heard of Linux.Encoder.1?

That was a joke, if you didn't notice. Every OS is vulnerable. I wasn't boasting...

[goretsky Supervisor]

Hello,

Malware-based (or derived) intrusion detection/prevention has been a basic feature of most security suites for years.  The name of the feature set(s) which provide it vary between vendors, but pretty much every vendor out there has some kind of security layer which does this.

 

Regards,

 

Aryeh Goretsky

 

[+BudMan MVC]

What the security suites need to do is stop the user from doing what they want and force them to PATCH Their systems

 

Sorry that is enough p0rn for you now - time to reboot to patch!

[goretsky Supervisor]

Hello,

 

The anti-malware software that I use warns me when one of my systems is missing Windows updates.  I suspect it isn't unique in this, though I don't know how common a feature it is.

Regards,

Aryeh Goretsky

 

 

20 hours ago, BudMan said:

What the security suites need to do is stop the user from doing what they want and force them to PATCH Their systems

 

Sorry that is enough p0rn for you now - time to reboot to patch!

 

[wendy oltman]

On 7/17/2017 at 8:33 PM, BudMan said:

you do understand that both wannacry and petyas are just exploits to something the user did not patch and most likely should not have been running for years anyway.  SMBv1 should of been disabled on your machines years ago   Especially from a security point of view.

 

What you should take away from such things is, keep your stuff up to date with security patches.  Do not run old protocols that you do not actually need/use..  And make sure you have valid and current backup plan

 

edit: From a IDS/IPS point of view that would run at your edge or at your core router in your network, not really on the host..  There are HIDS, or Host intrusion Detection Systems.  The two opensource or free versions that I am aware of are OSSEC and Tripwire had/has an opensource version and there is AIDE as well..

 

https://ossec.github.io/

 

Is the only one that I know of that would run on windows would be ossec, but then only as an agent.  You could also run and agent on alienvaults OSSIM, but this is more really a SIEM and also has a windows agent.  A SIEM would be part of any actual network..  But your not really going to find many deployed in a typical home setup   While I run one - my home network is not in any way or form "typical" hehehe

 

For your typical home users yeah your best sort of solution would be something like malwarebytes.. But I would not really classify that as any sort of IDS or HIDS even..

 

If you ran say a router/firewall distro like pfsense, or ipcop or smoothwall, etc.. Then they have IDS/IPS that run on them snort and suricata.  Keep in mind that running such systems have a huge learning curve and if not correctly setup and maintain will either flood you with false positive (noise) or can pretty much break your network from being to do the stuff you want to do

 

 

Now this was helpful. And yes I also agree that patching mostly does the purpose but I also think that a normal not so techy user must have a system installed that alerts any malware detection since they are becoming so much common. 

[nabz0r Veteran]

On 2017-07-17 at 5:33 PM, BudMan said:

If you ran say a router/firewall distro like pfsense, or ipcop or smoothwall, etc.. Then they have IDS/IPS that run on them snort and suricata.  Keep in mind that running such systems have a huge learning curve and if not correctly setup and maintain will either flood you with false positive (noise) or can pretty much break your network from being to do the stuff you want to do

+1.

I am in the middle of planning to replace my ASA5505 to a pfSense, as this little ASA doesn't have Gig ports, though I haven't found the suitable Mini PC yet. (don't wannt spend too much on it)

[+BudMan MVC]

What is your budget?

[nabz0r Veteran]

4 minutes ago, BudMan said:

What is your budget?

Don't want to hijack this thread but if you meant my budget, I am thinking between 100/150$. I want one of those little mini-itx fanless box with at least 2 gig ports.

[+BudMan MVC]

Well for $149 you could buy the sg-1000, official box from pfsense, that has 2 gig nics    If your thinking of running pfsense anyway would be good option.

 

https://www.netgate.com/products/sg-1000.html

[nabz0r Veteran]

I have heard it's laggy and if I remember correct it doesn't support traffic shaping, not that I will do traffic shaping, but I like to have that option for learning purposes.

[+BudMan MVC]

They resolved that a while ago I do believe, in the 2.4 beta's  Had to do with the drivers not supporting altq

https://redmine.pfsense.org/issues/7199

 

but you could of worked around it with vlans..

[Mando]

On 7/19/2017 at 3:32 PM, wendy oltman said:

Now this was helpful. And yes I also agree that patching mostly does the purpose but I also think that a normal not so techy user must have a system installed that alerts any malware detection since they are becoming so much common. 

now if only windows forced security patches....... combined with something along the lines of Sophos home AV/UTM 

https://home.sophos.com/ 

 

its free for home use.

 

i use my isps ability to filter websites also at the ISP level to sites that are deemed "risky" combined with Webroot Secure anywhere personally. As well as running each users account as a limited user and UAC when and if i need elevated privs.

I kept wannacrypt etc outside of work and at home by 1) patching regularly 2) disabling SMb 1.0 and 3) end user UTM. 4) up to date AV from a good vendor. 5) denying anyone (especially other IT staff) running as adm 24/7.

 

item 5 was the hardest to  implement at work, someone who should know better, but doesn't, same mindset as dont patch Ms stuff, they just break things..../faceplant. Wannacrypt demonstrated how wrong they were.

Edited July 24, 2017 by Mando

[wendy oltman]

 

On 7/25/2017 at 1:52 AM, BudMan said:

They resolved that a while ago I do believe, in the 2.4 beta's  Had to do with the drivers not supporting altq

https://redmine.pfsense.org/issues/7199

 

but you could of worked around it with vlans..

Have you been using it? 

On 7/25/2017 at 2:12 AM, Mando said:

5) denying anyone (especially other IT staff) running as adm 24/7.

What impact does this make? 

[+BudMan MVC]

I have been using the 2.4 beta's for quite some time at home update to current snap every few days, week at the most.  I have no need for any traffic shaping on my network.. So no I have not played with it in 2.4 beta's... I don't have a sg-1000 to play with I run my pfsense at home VM.  I could play with a sg-2440 at work, we are planning on replacing all our old juniper firewall/routers in branch locations here in the US with those..  First 1 has been running in NY office for a while.. Been rock solid, but it has no need for traffic shaping either they have a pretty fat pipe for what its used for and have never seen any issues or need for traffic shaping..  The old juniper couldn't even do 100mbps - now with the pfsense actually getting what we are paying for on that pipe, over even testing we did was over 300mbps.

 

If your not saturating your pipe - traffic shaping can be pointless.  And just cause you slowness and pain when there is no call for it.. If the pipe was new capacity and it carried traffic that needed to be prioritized then ok.  But that is not the case for these connections.

 

What impact does not running admin on your box for doing day to day?  This can be HUGE protection.. You should not be using god account for your day to day stuff.  Say your account is domain admin, which your logged into your machine with... While sure it makes it easy to access pretty much anything at any time.  If you get hit, whatever hit you now can hit anything on your network as god.. Not a good thing   Shoot for that matter a simple mistake on your part and there goes all the user files on a share because you hit the wrong key

 

Min security needed to perform the function is security 101, using your root/god account when your not in god mode is bad idea from any way you look at it..

[Mando]

2 hours ago, wendy oltman said:

 

What impact does this make? 

Wannacrypt and most ransomware requires admin rights to encrypt systemwide, running as limited users minimises the amount of files it can encrypt, if it gets past other layers of protection, its also good security practise never to run with elevated privs day to day, When elevated rights are required, right click run as and enter an admin accounts creds.

 

 in the enterprise it could mean the difference between a minimal number of encrypted files and system wide domain encryption, if the multtiered, multivendor protection is compromised.

[wendy oltman]

Oh great! Now I get it. And yeah it makes sense. Thanks!