What are some security softwares that provide IPS/IDS malware detection?

By wendy oltman
in Smart Home, Network & Security

 Share

Recommended Posts

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

you do understand that both wannacry and petyas are just exploits to something the user did not patch and most likely should not have been running for years anyway.  SMBv1 should of been disabled on your machines years ago ;)  Especially from a security point of view.

 

What you should take away from such things is, keep your stuff up to date with security patches.  Do not run old protocols that you do not actually need/use..  And make sure you have valid and current backup plan ;)

 

edit: From a IDS/IPS point of view that would run at your edge or at your core router in your network, not really on the host..  There are HIDS, or Host intrusion Detection Systems.  The two opensource or free versions that I am aware of are OSSEC and Tripwire had/has an opensource version and there is AIDE as well..

 

https://ossec.github.io/

 

Is the only one that I know of that would run on windows would be ossec, but then only as an agent.  You could also run and agent on alienvaults OSSIM, but this is more really a SIEM and also has a windows agent.  A SIEM would be part of any actual network..  But your not really going to find many deployed in a typical home setup ;)  While I run one - my home network is not in any way or form "typical" hehehe

 

For your typical home users yeah your best sort of solution would be something like malwarebytes.. But I would not really classify that as any sort of IDS or HIDS even..

 

If you ran say a router/firewall distro like pfsense, or ipcop or smoothwall, etc.. Then they have IDS/IPS that run on them snort and suricata.  Keep in mind that running such systems have a huge learning curve and if not correctly setup and maintain will either flood you with false positive (noise) or can pretty much break your network from being to do the stuff you want to do ;)

 

 

  • wendy oltman, Mindovermaster, goretsky and 1 other
  • Like 4
Grand Master

Circaflex

Posted
Posted (edited)
9 hours ago, Mindovermaster said:

Otherwise, use Linux! :laugh:

Just last month, there were reports or Erebus resurfacing as a Linux variant of ransomware. Every OS has their flaws, it is a matter of staying up to date and doing your due diligence as the user. Just because you're using linux, doesn't make you impenetrable. Ever heard of Linux.Encoder.1?

Grand Master

Mindovermaster Global Moderator

Posted
  • Global Moderator
Posted
40 minutes ago, Circaflex said:

Just last month, there were reports or Erebus resurfacing as a Linux variant of ransomware. Every OS has their flaws, it is a matter of staying up to date and doing your due diligence as the user. Just because you're using linux, doesn't make you impenetrable. Ever heard of Linux.Encoder.1?

That was a joke, if you didn't notice. Every OS is vulnerable. I wasn't boasting...

  • wendy oltman
  • Like 1
Grand Master

goretsky Supervisor

Posted
  • Supervisor
Posted

Hello,


Malware-based (or derived) intrusion detection/prevention has been a basic feature of most security suites for years.  The name of the feature set(s) which provide it vary between vendors, but pretty much every vendor out there has some kind of security layer which does this.

 

Regards,

 

Aryeh Goretsky

 

  • wendy oltman
  • Like 1
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

What the security suites need to do is stop the user from doing what they want and force them to PATCH Their systems ;)

 

Sorry that is enough p0rn for you now - time to reboot to patch!

  • goretsky and Mando
  • Like 2
Grand Master

goretsky Supervisor

Posted
  • Supervisor
Posted

Hello,

 

The anti-malware software that I use warns me when one of my systems is missing Windows updates.  I suspect it isn't unique in this, though I don't know how common a feature it is.

Regards,

Aryeh Goretsky

 

 

20 hours ago, BudMan said:

What the security suites need to do is stop the user from doing what they want and force them to PATCH Their systems ;)

 

Sorry that is enough p0rn for you now - time to reboot to patch!

 

Rising Star

wendy oltman

Posted
  • Author
Posted
On 7/17/2017 at 8:33 PM, BudMan said:

you do understand that both wannacry and petyas are just exploits to something the user did not patch and most likely should not have been running for years anyway.  SMBv1 should of been disabled on your machines years ago ;)  Especially from a security point of view.

 

What you should take away from such things is, keep your stuff up to date with security patches.  Do not run old protocols that you do not actually need/use..  And make sure you have valid and current backup plan ;)

 

edit: From a IDS/IPS point of view that would run at your edge or at your core router in your network, not really on the host..  There are HIDS, or Host intrusion Detection Systems.  The two opensource or free versions that I am aware of are OSSEC and Tripwire had/has an opensource version and there is AIDE as well..

 

https://ossec.github.io/

 

Is the only one that I know of that would run on windows would be ossec, but then only as an agent.  You could also run and agent on alienvaults OSSIM, but this is more really a SIEM and also has a windows agent.  A SIEM would be part of any actual network..  But your not really going to find many deployed in a typical home setup ;)  While I run one - my home network is not in any way or form "typical" hehehe

 

For your typical home users yeah your best sort of solution would be something like malwarebytes.. But I would not really classify that as any sort of IDS or HIDS even..

 

If you ran say a router/firewall distro like pfsense, or ipcop or smoothwall, etc.. Then they have IDS/IPS that run on them snort and suricata.  Keep in mind that running such systems have a huge learning curve and if not correctly setup and maintain will either flood you with false positive (noise) or can pretty much break your network from being to do the stuff you want to do ;)

 

 

Now this was helpful. And yes I also agree that patching mostly does the purpose but I also think that a normal not so techy user must have a system installed that alerts any malware detection since they are becoming so much common. 

Veteran

nabz0r Veteran

Posted
  • Veteran
Posted
On 2017-07-17 at 5:33 PM, BudMan said:

If you ran say a router/firewall distro like pfsense, or ipcop or smoothwall, etc.. Then they have IDS/IPS that run on them snort and suricata.  Keep in mind that running such systems have a huge learning curve and if not correctly setup and maintain will either flood you with false positive (noise) or can pretty much break your network from being to do the stuff you want to do ;)

+1.

I am in the middle of planning to replace my ASA5505 to a pfSense, as this little ASA doesn't have Gig ports, though I haven't found the suitable Mini PC yet. (don't wannt spend too much on it)

Veteran

nabz0r Veteran

Posted
  • Veteran
Posted
4 minutes ago, BudMan said:

What is your budget?

Don't want to hijack this thread but if you meant my budget, I am thinking between 100/150$. I want one of those little mini-itx fanless box with at least 2 gig ports.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Well for $149 you could buy the sg-1000, official box from pfsense, that has 2 gig nics ;)   If your thinking of running pfsense anyway would be good option.

 

https://www.netgate.com/products/sg-1000.html

Veteran

nabz0r Veteran

Posted
  • Veteran
Posted

I have heard it's laggy and if I remember correct it doesn't support traffic shaping, not that I will do traffic shaping, but I like to have that option for learning purposes. ;)

  • wendy oltman
  • Like 1
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

They resolved that a while ago I do believe, in the 2.4 beta's  Had to do with the drivers not supporting altq

https://redmine.pfsense.org/issues/7199

 

but you could of worked around it with vlans..

Grand Master

Mando

Posted
Posted (edited)
On 7/19/2017 at 3:32 PM, wendy oltman said:

Now this was helpful. And yes I also agree that patching mostly does the purpose but I also think that a normal not so techy user must have a system installed that alerts any malware detection since they are becoming so much common. 

now if only windows forced security patches....... :) combined with something along the lines of Sophos home AV/UTM 

https://home.sophos.com/ 

 

its free for home use.

 

i use my isps ability to filter websites also at the ISP level to sites that are deemed "risky" combined with Webroot Secure anywhere personally. As well as running each users account as a limited user and UAC when and if i need elevated privs.

I kept wannacrypt etc outside of work and at home by 1) patching regularly 2) disabling SMb 1.0 and 3) end user UTM. 4) up to date AV from a good vendor. 5) denying anyone (especially other IT staff) running as adm 24/7.

 

item 5 was the hardest to  implement at work, someone who should know better, but doesn't, same mindset as dont patch Ms stuff, they just break things..../faceplant. Wannacrypt demonstrated how wrong they were.

Edited by Mando
  • wendy oltman
  • Like 1
Rising Star

wendy oltman

Posted
  • Author
Posted

 

On 7/25/2017 at 1:52 AM, BudMan said:

They resolved that a while ago I do believe, in the 2.4 beta's  Had to do with the drivers not supporting altq

https://redmine.pfsense.org/issues/7199

 

but you could of worked around it with vlans..

Have you been using it? 

On 7/25/2017 at 2:12 AM, Mando said:

5) denying anyone (especially other IT staff) running as adm 24/7.

What impact does this make? 

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

I have been using the 2.4 beta's for quite some time at home update to current snap every few days, week at the most.  I have no need for any traffic shaping on my network.. So no I have not played with it in 2.4 beta's... I don't have a sg-1000 to play with I run my pfsense at home VM.  I could play with a sg-2440 at work, we are planning on replacing all our old juniper firewall/routers in branch locations here in the US with those..  First 1 has been running in NY office for a while.. Been rock solid, but it has no need for traffic shaping either they have a pretty fat pipe for what its used for and have never seen any issues or need for traffic shaping..  The old juniper couldn't even do 100mbps - now with the pfsense actually getting what we are paying for on that pipe, over even testing we did was over 300mbps.

 

If your not saturating your pipe - traffic shaping can be pointless.  And just cause you slowness and pain when there is no call for it.. If the pipe was new capacity and it carried traffic that needed to be prioritized then ok.  But that is not the case for these connections.

 

What impact does not running admin on your box for doing day to day?  This can be HUGE protection.. You should not be using god account for your day to day stuff.  Say your account is domain admin, which your logged into your machine with... While sure it makes it easy to access pretty much anything at any time.  If you get hit, whatever hit you now can hit anything on your network as god.. Not a good thing ;)  Shoot for that matter a simple mistake on your part and there goes all the user files on a share because you hit the wrong key ;)

 

Min security needed to perform the function is security 101, using your root/god account when your not in god mode is bad idea from any way you look at it..

  • Mando and wendy oltman
  • Like 2
Grand Master

Mando

Posted
Posted
2 hours ago, wendy oltman said:

 

What impact does this make? 

Wannacrypt and most ransomware requires admin rights to encrypt systemwide, running as limited users minimises the amount of files it can encrypt, if it gets past other layers of protection, its also good security practise never to run with elevated privs day to day, When elevated rights are required, right click run as and enter an admin accounts creds.

 

 in the enterprise it could mean the difference between a minimal number of encrypted files and system wide domain encryption, if the multtiered, multivendor protection is compromised.

  • wendy oltman
  • Like 1
This topic is now closed to further replies.
 Share
Go to topic listing

  • Posts

    • The Light of Life? We actually do glow till our Death, study finds

      By Liberi_Fatali · Posted

      Interesting image choice... reminds me of the human centipede poster
    • Why you need to take back control of your synced passwords and how to go about doing that

      By +Warwagon · Posted

      I love syncback!
    • Politically funny images of the World

      By +primortal · Posted

    • Get $50 of aloSIM Mobile Data Traveler eSim credit for just $24.97

      By News Staff · Posted

      Get $50 of aloSIM Mobile Data Traveler eSim credit for just $24.97 by Steven Parker Today's highlighted deal comes via our Apps + Software section of the Neowin Deals store, where you can save 50% off aloSIM Mobile Data Traveler Lifetime eSim Credit: Pay $24.97 for $50. Stay connected affordably in 120+ countries/regions with your own lifetime eSIM! An eSIM is a digital SIM card. It's basically just mobile data. Once it's activated on your device, it can connect you to data networks in other countries – giving you an internet connection with NO roaming charges. With aloSIM, you can load prepaid eSIM data packages onto your phone, tablet, or computer. Your lifetime eSIM never expires, so it's yours forever and there are never any monthly charges. You'll get $50 in eSIM data credit, which is almost always enough to cover all your data roaming needs for a full year. But if you run out of data, you can always top up your lifetime eSIM and stay connected internationally. Pay $24.97 for a lifetime eSIM with $50 in travel data credit Use your eSIM to join data networks in 120+ countries Install your lifetime eSIM on a compatible device to roam on local data networks Your lifetime eSIM never expires, and can be topped up with more data anytime Many data packages cost as little as $4.50 and last 7 days. Depending on the package you choose, the length of time varies. Good to know Length of access: lifetime For NEW customers only Instant digital redemption Once you add your $50 credit to your aloSim account you have up to 12-months to use it — after that your credit will expire When you pay for a data plan you also get a free phone number (via Hushed) for the same duration of your plan that was purchased - IE 7 day eSim plan gives you a free 7-day phone number Purchased coupon must be redeemed and used within 12 months This deal is not stackable (one offer per aloSIM account) A $4.50 data package will last 7 days The data DOES expire, and you WILL NOT have any leftover data for your next trip unless it takes place within the validity period. While the eSIM never expires, the actual data package is only valid for the length of time stated at purchase (i.e. seven days after activation, 30 days after activation, etc.) So if you buy a seven-day package and only use a tiny bit, that package is still going to expire after seven days. Access options: mobile (check compatibility) Max number of device(s): 1 Updates included Here's the deal: This aloSIM Mobile Data Traveler eSim $50 Credit normally costs ... $50, but it can be yours for just $24.97 for a limited time, a saving of $25 (50% off). For specifications, and license info please click the link below. Get this aloSIM Mobile Data Traveler eSim for just $24.97 (was $50) Although priced in U.S. dollars, this deal is available for digital purchase worldwide. Support queries If you have queries or need support for any of the Neowin Deals, please use the contact form here. Neowin Deals are managed and sold by StackCommerce who represent Neowin on an affiliate basis. Why we post these deals We post these because we earn commission on each sale so as not to rely solely on advertising, which many of our readers block. It all helps toward paying staff reporters, servers and hosting costs. So for those that keep moaning and complaining, be thankful we're still online for you to even do that. Other ways to support Neowin Whitelist Neowin by not blocking our ads Create a free member account to see fewer ads Make a donation to support our day to day running costs Subscribe to Neowin - for $14 a year, or $28 a year for an ad-free experience Disclosure: Neowin benefits from revenue of each sale made through our branded deals site powered by StackCommerce.
    • The Microsoft Office feature that time forgot

      By Fraud OS 11 · Posted

      WordArt was cool. We now have color fonts as a substitute although Word only supports COLRv0 and COLRv1 (Fraud OS 11 only). The OpenType SVG color font format needs to be supported by Office. Adobe's apps support it

  • Recent Achievements

    • First Post
      DrWankel earned a badge
      First Post
    • Reacting Well
      DrWankel earned a badge
      Reacting Well
    • Week One Done
      Supreme Spray LV earned a badge
      Week One Done
    • One Month Later
      Genuinetonerink- Dubai earned a badge
      One Month Later
    • Week One Done
      Genuinetonerink- Dubai earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      498
    2. 2
      +Edouard
      158
    3. 3
      PsYcHoKiLLa
      90
    4. 4
      Steven P.
      74
    5. 5
      Michael Scrip
      72
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!