What are some security softwares that provide IPS/IDS malware detection?

By wendy oltman
in Smart Home, Network & Security

 Share

Recommended Posts

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

you do understand that both wannacry and petyas are just exploits to something the user did not patch and most likely should not have been running for years anyway.  SMBv1 should of been disabled on your machines years ago ;)  Especially from a security point of view.

 

What you should take away from such things is, keep your stuff up to date with security patches.  Do not run old protocols that you do not actually need/use..  And make sure you have valid and current backup plan ;)

 

edit: From a IDS/IPS point of view that would run at your edge or at your core router in your network, not really on the host..  There are HIDS, or Host intrusion Detection Systems.  The two opensource or free versions that I am aware of are OSSEC and Tripwire had/has an opensource version and there is AIDE as well..

 

https://ossec.github.io/

 

Is the only one that I know of that would run on windows would be ossec, but then only as an agent.  You could also run and agent on alienvaults OSSIM, but this is more really a SIEM and also has a windows agent.  A SIEM would be part of any actual network..  But your not really going to find many deployed in a typical home setup ;)  While I run one - my home network is not in any way or form "typical" hehehe

 

For your typical home users yeah your best sort of solution would be something like malwarebytes.. But I would not really classify that as any sort of IDS or HIDS even..

 

If you ran say a router/firewall distro like pfsense, or ipcop or smoothwall, etc.. Then they have IDS/IPS that run on them snort and suricata.  Keep in mind that running such systems have a huge learning curve and if not correctly setup and maintain will either flood you with false positive (noise) or can pretty much break your network from being to do the stuff you want to do ;)

 

 

  • Mindovermaster, goretsky, wendy oltman and 1 other
  • Like 4
Grand Master

Circaflex

Posted
Posted (edited)
9 hours ago, Mindovermaster said:

Otherwise, use Linux! :laugh:

Just last month, there were reports or Erebus resurfacing as a Linux variant of ransomware. Every OS has their flaws, it is a matter of staying up to date and doing your due diligence as the user. Just because you're using linux, doesn't make you impenetrable. Ever heard of Linux.Encoder.1?

Grand Master

Mindovermaster Global Moderator

Posted
  • Global Moderator
Posted
40 minutes ago, Circaflex said:

Just last month, there were reports or Erebus resurfacing as a Linux variant of ransomware. Every OS has their flaws, it is a matter of staying up to date and doing your due diligence as the user. Just because you're using linux, doesn't make you impenetrable. Ever heard of Linux.Encoder.1?

That was a joke, if you didn't notice. Every OS is vulnerable. I wasn't boasting...

  • wendy oltman
  • Like 1
Grand Master

goretsky Supervisor

Posted
  • Supervisor
Posted

Hello,


Malware-based (or derived) intrusion detection/prevention has been a basic feature of most security suites for years.  The name of the feature set(s) which provide it vary between vendors, but pretty much every vendor out there has some kind of security layer which does this.

 

Regards,

 

Aryeh Goretsky

 

  • wendy oltman
  • Like 1
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

What the security suites need to do is stop the user from doing what they want and force them to PATCH Their systems ;)

 

Sorry that is enough p0rn for you now - time to reboot to patch!

  • Mando and goretsky
  • Like 2
Grand Master

goretsky Supervisor

Posted
  • Supervisor
Posted

Hello,

 

The anti-malware software that I use warns me when one of my systems is missing Windows updates.  I suspect it isn't unique in this, though I don't know how common a feature it is.

Regards,

Aryeh Goretsky

 

 

20 hours ago, BudMan said:

What the security suites need to do is stop the user from doing what they want and force them to PATCH Their systems ;)

 

Sorry that is enough p0rn for you now - time to reboot to patch!

 

Rising Star

wendy oltman

Posted
  • Author
Posted
On 7/17/2017 at 8:33 PM, BudMan said:

you do understand that both wannacry and petyas are just exploits to something the user did not patch and most likely should not have been running for years anyway.  SMBv1 should of been disabled on your machines years ago ;)  Especially from a security point of view.

 

What you should take away from such things is, keep your stuff up to date with security patches.  Do not run old protocols that you do not actually need/use..  And make sure you have valid and current backup plan ;)

 

edit: From a IDS/IPS point of view that would run at your edge or at your core router in your network, not really on the host..  There are HIDS, or Host intrusion Detection Systems.  The two opensource or free versions that I am aware of are OSSEC and Tripwire had/has an opensource version and there is AIDE as well..

 

https://ossec.github.io/

 

Is the only one that I know of that would run on windows would be ossec, but then only as an agent.  You could also run and agent on alienvaults OSSIM, but this is more really a SIEM and also has a windows agent.  A SIEM would be part of any actual network..  But your not really going to find many deployed in a typical home setup ;)  While I run one - my home network is not in any way or form "typical" hehehe

 

For your typical home users yeah your best sort of solution would be something like malwarebytes.. But I would not really classify that as any sort of IDS or HIDS even..

 

If you ran say a router/firewall distro like pfsense, or ipcop or smoothwall, etc.. Then they have IDS/IPS that run on them snort and suricata.  Keep in mind that running such systems have a huge learning curve and if not correctly setup and maintain will either flood you with false positive (noise) or can pretty much break your network from being to do the stuff you want to do ;)

 

 

Now this was helpful. And yes I also agree that patching mostly does the purpose but I also think that a normal not so techy user must have a system installed that alerts any malware detection since they are becoming so much common. 

Veteran

nabz0r Veteran

Posted
  • Veteran
Posted
On 2017-07-17 at 5:33 PM, BudMan said:

If you ran say a router/firewall distro like pfsense, or ipcop or smoothwall, etc.. Then they have IDS/IPS that run on them snort and suricata.  Keep in mind that running such systems have a huge learning curve and if not correctly setup and maintain will either flood you with false positive (noise) or can pretty much break your network from being to do the stuff you want to do ;)

+1.

I am in the middle of planning to replace my ASA5505 to a pfSense, as this little ASA doesn't have Gig ports, though I haven't found the suitable Mini PC yet. (don't wannt spend too much on it)

Veteran

nabz0r Veteran

Posted
  • Veteran
Posted
4 minutes ago, BudMan said:

What is your budget?

Don't want to hijack this thread but if you meant my budget, I am thinking between 100/150$. I want one of those little mini-itx fanless box with at least 2 gig ports.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Well for $149 you could buy the sg-1000, official box from pfsense, that has 2 gig nics ;)   If your thinking of running pfsense anyway would be good option.

 

https://www.netgate.com/products/sg-1000.html

Veteran

nabz0r Veteran

Posted
  • Veteran
Posted

I have heard it's laggy and if I remember correct it doesn't support traffic shaping, not that I will do traffic shaping, but I like to have that option for learning purposes. ;)

  • wendy oltman
  • Like 1
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

They resolved that a while ago I do believe, in the 2.4 beta's  Had to do with the drivers not supporting altq

https://redmine.pfsense.org/issues/7199

 

but you could of worked around it with vlans..

Grand Master

Mando

Posted
Posted (edited)
On 7/19/2017 at 3:32 PM, wendy oltman said:

Now this was helpful. And yes I also agree that patching mostly does the purpose but I also think that a normal not so techy user must have a system installed that alerts any malware detection since they are becoming so much common. 

now if only windows forced security patches....... :) combined with something along the lines of Sophos home AV/UTM 

https://home.sophos.com/ 

 

its free for home use.

 

i use my isps ability to filter websites also at the ISP level to sites that are deemed "risky" combined with Webroot Secure anywhere personally. As well as running each users account as a limited user and UAC when and if i need elevated privs.

I kept wannacrypt etc outside of work and at home by 1) patching regularly 2) disabling SMb 1.0 and 3) end user UTM. 4) up to date AV from a good vendor. 5) denying anyone (especially other IT staff) running as adm 24/7.

 

item 5 was the hardest to  implement at work, someone who should know better, but doesn't, same mindset as dont patch Ms stuff, they just break things..../faceplant. Wannacrypt demonstrated how wrong they were.

Edited by Mando
  • wendy oltman
  • Like 1
Rising Star

wendy oltman

Posted
  • Author
Posted

 

On 7/25/2017 at 1:52 AM, BudMan said:

They resolved that a while ago I do believe, in the 2.4 beta's  Had to do with the drivers not supporting altq

https://redmine.pfsense.org/issues/7199

 

but you could of worked around it with vlans..

Have you been using it? 

On 7/25/2017 at 2:12 AM, Mando said:

5) denying anyone (especially other IT staff) running as adm 24/7.

What impact does this make? 

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

I have been using the 2.4 beta's for quite some time at home update to current snap every few days, week at the most.  I have no need for any traffic shaping on my network.. So no I have not played with it in 2.4 beta's... I don't have a sg-1000 to play with I run my pfsense at home VM.  I could play with a sg-2440 at work, we are planning on replacing all our old juniper firewall/routers in branch locations here in the US with those..  First 1 has been running in NY office for a while.. Been rock solid, but it has no need for traffic shaping either they have a pretty fat pipe for what its used for and have never seen any issues or need for traffic shaping..  The old juniper couldn't even do 100mbps - now with the pfsense actually getting what we are paying for on that pipe, over even testing we did was over 300mbps.

 

If your not saturating your pipe - traffic shaping can be pointless.  And just cause you slowness and pain when there is no call for it.. If the pipe was new capacity and it carried traffic that needed to be prioritized then ok.  But that is not the case for these connections.

 

What impact does not running admin on your box for doing day to day?  This can be HUGE protection.. You should not be using god account for your day to day stuff.  Say your account is domain admin, which your logged into your machine with... While sure it makes it easy to access pretty much anything at any time.  If you get hit, whatever hit you now can hit anything on your network as god.. Not a good thing ;)  Shoot for that matter a simple mistake on your part and there goes all the user files on a share because you hit the wrong key ;)

 

Min security needed to perform the function is security 101, using your root/god account when your not in god mode is bad idea from any way you look at it..

  • wendy oltman and Mando
  • Like 2
Grand Master

Mando

Posted
Posted
2 hours ago, wendy oltman said:

 

What impact does this make? 

Wannacrypt and most ransomware requires admin rights to encrypt systemwide, running as limited users minimises the amount of files it can encrypt, if it gets past other layers of protection, its also good security practise never to run with elevated privs day to day, When elevated rights are required, right click run as and enter an admin accounts creds.

 

 in the enterprise it could mean the difference between a minimal number of encrypted files and system wide domain encryption, if the multtiered, multivendor protection is compromised.

  • wendy oltman
  • Like 1
This topic is now closed to further replies.
 Share
Go to topic listing

  • Posts

    • MakeMKV 1.18.4 Beta

      By +Eternal Tempest · Posted

      Same Internet Archive seemed to grab the new version https://web.archive.org/web/20...d/Setup_MakeMKV_v1.18.4.exe
    • Windows 11 KB5094126, KB5093998 bugging out Office apps but it may not be Microsoft's fault

      By hellowalkman · Posted

      Windows 11 KB5094126, KB5093998 bugging out Office apps but it may not be Microsoft's fault by Sayan Sen Microsoft last week released Windows 11 KB5094126 and KB5093998 as the latest Patch Tuesday updates. Following that the company also published the accompanying dynamic updates under KB5094149, KB5095971, and KB5094156. Although the tech giant did not acknowledge any major problems, some users online reported various issues ranging from OneDrive and Dropbox access problems, BitLocker recovery lockouts, to blue screens and BSODs. You can read about them in this dedicated piece. While there is still no confirmation about those problems from Microsoft the company has admitted to another bug which we did not report on. The tech giant has confirmed it has received reports of an issue in which certain third-party applications may be unable to launch Microsoft Office apps or open Office documents after installing the Patch Tuesday. This affects both Windows 11 as well as Windows 10. The company says the problem impacts a subset of applications that rely on OLE (Object Linking and Embedding) automation to communicate with Microsoft Office programs. According to Microsoft, affected scenarios involve third-party software attempting to open Office applications or documents from within their own interface. In such cases, the Office program may fail to launch altogether, or the requested document may not open. Oddly there may not be any error message, which probably makes the issue difficult to diagnose. The bug affects several Office products, including Word, Excel, PowerPoint, Access, and other apps in the Microsoft Office suite when they are launched through the affected software. These include tax and accounting software such as CCH Engagement and Workpaper Manager, dental practice management solutions like Dentrix and Softdent, as well as the popular research and reference management tool Zotero. Microsoft adds that other applications using similar Office integration methods could also experience the same problematic behavior. To understand the issue it is important to look at OLE, the Microsoft technology involved. OLE allows different applications to work together and share data, while its Automation feature lets one program control another. Thus this enables third-party software to launch Microsoft Office apps, open documents, and perform tasks automatically without requiring users to switch between programs. Because many accounting, healthcare, research, and business applications rely on OLE automation to interact with Word, Excel, PowerPoint, and other Office apps, any disruption can break those workflows. As a result, affected software may be unable to open Office documents or launch Office applications even though the programs themselves continue to work normally. At the moment the company has not provided a permanent fix though it has confirmed that engineers are actively working on a resolution, which will be delivered through a future Windows update. As such additional details will be shared once more information becomes available. In the meantime, Microsoft recommends a simple workaround for affected users whic is to open the Office application or document directly rather than launching it through the third-party program. For enterprise customers and organizations managing larger deployments, Microsoft says an additional mitigation is available. Admins experiencing the problem on their managed devices are advised to contact Microsoft Support for business to obtain and apply the workaround.
    • Microsoft announces 12th-gen Surface Pro with Snapdragon X2 processors

      By cleverclogs · Posted

      It saddens me when cars are such dull colours now. Mine is bright metallic blue and I absolutely adore it for standing out in contrast to that depressing backdrop of traffic.
    • Sparkle 2.20.0

      By Copernic · Posted

      Sparkle 2.20.0 by Razvan Serea Sparkle is a free, open-source Windows optimization tool designed to make your PC faster, cleaner, and more private. With Sparkle, you can easily debloat Windows by removing unnecessary apps and services, disable Microsoft tracking to enhance privacy, and apply performance tweaks to boost speed. Its cleaner removes junk and temporary files, while every change is safe and fully reversible. Sparkle also features a modern, user-friendly interface with automatic updates, making system maintenance simple. Explore over 39 tweaks, from disabling telemetry and hibernation to optimizing network and game settings, all aimed at customizing and enhancing your Windows experience. Sparkle supports Windows 10 and 11. Sparkle 2.20.0 changelog: Debloat Tweak has animated border New homepage loading UI New Tweak Modal (Markdown Supported) Refactored GPU Detection Added Tests with vitest Added foobar2000 to apps Added Localsend to apps Updated Modal Styles Added styles for disabled inputs Added Animated Border to debloat-windows tweak Bumped dependencies Refactor System info logic for speed Tweak info modals now support Markdown Added Clear System info cache to settings Redesigned Home Page Loading UI Changed Some Icons around the app Download: Sparkle 2.20.0 | Portable | ~100.0 MB (Open Source) Links: Sparkle Website | Github | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • You pay just $100 per TB with this rare 4TB PCIe Gen4 NVMe SSD deal

      By hellowalkman · Posted

      lol it was a typo, fixed! haha imagine an actual 4TB Gen4 NVMe for $40 in 2026

  • Recent Achievements

    • Reacting Well
      Dys Topia earned a badge
      Reacting Well
    • Conversation Starter
      NovaEdgeX earned a badge
      Conversation Starter
    • One Year In
      Console General earned a badge
      One Year In
    • Week One Done
      Twozo Technologies earned a badge
      Week One Done
    • One Month Later
      Twozo Technologies earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      517
    2. 2
      +Edouard
      184
    3. 3
      PsYcHoKiLLa
      106
    4. 4
      Steven P.
      88
    5. 5
      ATLien_0
      68
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!