What are some security softwares that provide IPS/IDS malware detection?

By wendy oltman
in Smart Home, Network & Security

 Share

Recommended Posts

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

you do understand that both wannacry and petyas are just exploits to something the user did not patch and most likely should not have been running for years anyway.  SMBv1 should of been disabled on your machines years ago ;)  Especially from a security point of view.

 

What you should take away from such things is, keep your stuff up to date with security patches.  Do not run old protocols that you do not actually need/use..  And make sure you have valid and current backup plan ;)

 

edit: From a IDS/IPS point of view that would run at your edge or at your core router in your network, not really on the host..  There are HIDS, or Host intrusion Detection Systems.  The two opensource or free versions that I am aware of are OSSEC and Tripwire had/has an opensource version and there is AIDE as well..

 

https://ossec.github.io/

 

Is the only one that I know of that would run on windows would be ossec, but then only as an agent.  You could also run and agent on alienvaults OSSIM, but this is more really a SIEM and also has a windows agent.  A SIEM would be part of any actual network..  But your not really going to find many deployed in a typical home setup ;)  While I run one - my home network is not in any way or form "typical" hehehe

 

For your typical home users yeah your best sort of solution would be something like malwarebytes.. But I would not really classify that as any sort of IDS or HIDS even..

 

If you ran say a router/firewall distro like pfsense, or ipcop or smoothwall, etc.. Then they have IDS/IPS that run on them snort and suricata.  Keep in mind that running such systems have a huge learning curve and if not correctly setup and maintain will either flood you with false positive (noise) or can pretty much break your network from being to do the stuff you want to do ;)

 

 

  • goretsky, wendy oltman, Mindovermaster and 1 other
  • Like 4
Grand Master

Circaflex

Posted
Posted (edited)
9 hours ago, Mindovermaster said:

Otherwise, use Linux! :laugh:

Just last month, there were reports or Erebus resurfacing as a Linux variant of ransomware. Every OS has their flaws, it is a matter of staying up to date and doing your due diligence as the user. Just because you're using linux, doesn't make you impenetrable. Ever heard of Linux.Encoder.1?

Grand Master

Mindovermaster Global Moderator

Posted
  • Global Moderator
Posted
40 minutes ago, Circaflex said:

Just last month, there were reports or Erebus resurfacing as a Linux variant of ransomware. Every OS has their flaws, it is a matter of staying up to date and doing your due diligence as the user. Just because you're using linux, doesn't make you impenetrable. Ever heard of Linux.Encoder.1?

That was a joke, if you didn't notice. Every OS is vulnerable. I wasn't boasting...

  • wendy oltman
  • Like 1
Grand Master

goretsky Supervisor

Posted
  • Supervisor
Posted

Hello,


Malware-based (or derived) intrusion detection/prevention has been a basic feature of most security suites for years.  The name of the feature set(s) which provide it vary between vendors, but pretty much every vendor out there has some kind of security layer which does this.

 

Regards,

 

Aryeh Goretsky

 

  • wendy oltman
  • Like 1
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

What the security suites need to do is stop the user from doing what they want and force them to PATCH Their systems ;)

 

Sorry that is enough p0rn for you now - time to reboot to patch!

  • Mando and goretsky
  • Like 2
Grand Master

goretsky Supervisor

Posted
  • Supervisor
Posted

Hello,

 

The anti-malware software that I use warns me when one of my systems is missing Windows updates.  I suspect it isn't unique in this, though I don't know how common a feature it is.

Regards,

Aryeh Goretsky

 

 

20 hours ago, BudMan said:

What the security suites need to do is stop the user from doing what they want and force them to PATCH Their systems ;)

 

Sorry that is enough p0rn for you now - time to reboot to patch!

 

Rising Star

wendy oltman

Posted
  • Author
Posted
On 7/17/2017 at 8:33 PM, BudMan said:

you do understand that both wannacry and petyas are just exploits to something the user did not patch and most likely should not have been running for years anyway.  SMBv1 should of been disabled on your machines years ago ;)  Especially from a security point of view.

 

What you should take away from such things is, keep your stuff up to date with security patches.  Do not run old protocols that you do not actually need/use..  And make sure you have valid and current backup plan ;)

 

edit: From a IDS/IPS point of view that would run at your edge or at your core router in your network, not really on the host..  There are HIDS, or Host intrusion Detection Systems.  The two opensource or free versions that I am aware of are OSSEC and Tripwire had/has an opensource version and there is AIDE as well..

 

https://ossec.github.io/

 

Is the only one that I know of that would run on windows would be ossec, but then only as an agent.  You could also run and agent on alienvaults OSSIM, but this is more really a SIEM and also has a windows agent.  A SIEM would be part of any actual network..  But your not really going to find many deployed in a typical home setup ;)  While I run one - my home network is not in any way or form "typical" hehehe

 

For your typical home users yeah your best sort of solution would be something like malwarebytes.. But I would not really classify that as any sort of IDS or HIDS even..

 

If you ran say a router/firewall distro like pfsense, or ipcop or smoothwall, etc.. Then they have IDS/IPS that run on them snort and suricata.  Keep in mind that running such systems have a huge learning curve and if not correctly setup and maintain will either flood you with false positive (noise) or can pretty much break your network from being to do the stuff you want to do ;)

 

 

Now this was helpful. And yes I also agree that patching mostly does the purpose but I also think that a normal not so techy user must have a system installed that alerts any malware detection since they are becoming so much common. 

Veteran

nabz0r Veteran

Posted
  • Veteran
Posted
On 2017-07-17 at 5:33 PM, BudMan said:

If you ran say a router/firewall distro like pfsense, or ipcop or smoothwall, etc.. Then they have IDS/IPS that run on them snort and suricata.  Keep in mind that running such systems have a huge learning curve and if not correctly setup and maintain will either flood you with false positive (noise) or can pretty much break your network from being to do the stuff you want to do ;)

+1.

I am in the middle of planning to replace my ASA5505 to a pfSense, as this little ASA doesn't have Gig ports, though I haven't found the suitable Mini PC yet. (don't wannt spend too much on it)

Veteran

nabz0r Veteran

Posted
  • Veteran
Posted
4 minutes ago, BudMan said:

What is your budget?

Don't want to hijack this thread but if you meant my budget, I am thinking between 100/150$. I want one of those little mini-itx fanless box with at least 2 gig ports.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Well for $149 you could buy the sg-1000, official box from pfsense, that has 2 gig nics ;)   If your thinking of running pfsense anyway would be good option.

 

https://www.netgate.com/products/sg-1000.html

Veteran

nabz0r Veteran

Posted
  • Veteran
Posted

I have heard it's laggy and if I remember correct it doesn't support traffic shaping, not that I will do traffic shaping, but I like to have that option for learning purposes. ;)

  • wendy oltman
  • Like 1
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

They resolved that a while ago I do believe, in the 2.4 beta's  Had to do with the drivers not supporting altq

https://redmine.pfsense.org/issues/7199

 

but you could of worked around it with vlans..

Grand Master

Mando

Posted
Posted (edited)
On 7/19/2017 at 3:32 PM, wendy oltman said:

Now this was helpful. And yes I also agree that patching mostly does the purpose but I also think that a normal not so techy user must have a system installed that alerts any malware detection since they are becoming so much common. 

now if only windows forced security patches....... :) combined with something along the lines of Sophos home AV/UTM 

https://home.sophos.com/ 

 

its free for home use.

 

i use my isps ability to filter websites also at the ISP level to sites that are deemed "risky" combined with Webroot Secure anywhere personally. As well as running each users account as a limited user and UAC when and if i need elevated privs.

I kept wannacrypt etc outside of work and at home by 1) patching regularly 2) disabling SMb 1.0 and 3) end user UTM. 4) up to date AV from a good vendor. 5) denying anyone (especially other IT staff) running as adm 24/7.

 

item 5 was the hardest to  implement at work, someone who should know better, but doesn't, same mindset as dont patch Ms stuff, they just break things..../faceplant. Wannacrypt demonstrated how wrong they were.

Edited by Mando
  • wendy oltman
  • Like 1
Rising Star

wendy oltman

Posted
  • Author
Posted

 

On 7/25/2017 at 1:52 AM, BudMan said:

They resolved that a while ago I do believe, in the 2.4 beta's  Had to do with the drivers not supporting altq

https://redmine.pfsense.org/issues/7199

 

but you could of worked around it with vlans..

Have you been using it? 

On 7/25/2017 at 2:12 AM, Mando said:

5) denying anyone (especially other IT staff) running as adm 24/7.

What impact does this make? 

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

I have been using the 2.4 beta's for quite some time at home update to current snap every few days, week at the most.  I have no need for any traffic shaping on my network.. So no I have not played with it in 2.4 beta's... I don't have a sg-1000 to play with I run my pfsense at home VM.  I could play with a sg-2440 at work, we are planning on replacing all our old juniper firewall/routers in branch locations here in the US with those..  First 1 has been running in NY office for a while.. Been rock solid, but it has no need for traffic shaping either they have a pretty fat pipe for what its used for and have never seen any issues or need for traffic shaping..  The old juniper couldn't even do 100mbps - now with the pfsense actually getting what we are paying for on that pipe, over even testing we did was over 300mbps.

 

If your not saturating your pipe - traffic shaping can be pointless.  And just cause you slowness and pain when there is no call for it.. If the pipe was new capacity and it carried traffic that needed to be prioritized then ok.  But that is not the case for these connections.

 

What impact does not running admin on your box for doing day to day?  This can be HUGE protection.. You should not be using god account for your day to day stuff.  Say your account is domain admin, which your logged into your machine with... While sure it makes it easy to access pretty much anything at any time.  If you get hit, whatever hit you now can hit anything on your network as god.. Not a good thing ;)  Shoot for that matter a simple mistake on your part and there goes all the user files on a share because you hit the wrong key ;)

 

Min security needed to perform the function is security 101, using your root/god account when your not in god mode is bad idea from any way you look at it..

  • Mando and wendy oltman
  • Like 2
Grand Master

Mando

Posted
Posted
2 hours ago, wendy oltman said:

 

What impact does this make? 

Wannacrypt and most ransomware requires admin rights to encrypt systemwide, running as limited users minimises the amount of files it can encrypt, if it gets past other layers of protection, its also good security practise never to run with elevated privs day to day, When elevated rights are required, right click run as and enter an admin accounts creds.

 

 in the enterprise it could mean the difference between a minimal number of encrypted files and system wide domain encryption, if the multtiered, multivendor protection is compromised.

  • wendy oltman
  • Like 1
This topic is now closed to further replies.
 Share
Go to topic listing

  • Posts

    • Microsoft explains why PowerToys 0.100.0 is faster and slimmer, there are new features too

      By matthiew · Posted

      I just looked on my computer and there are settings and log files for utilities I have never even turned on!
    • O&O ShutUp10 3.1.1104

      By Copernic · Posted

      O&O ShutUp10 3.1.1104 by Razvan Serea O&O ShutUp10 offers a simple yet effective way to take control of your Windows privacy. It provides access to almost 50 privacy-related tweaks, most of them hidden or not easily accessible to the average computer users. Using a very simple interface, you decide how Windows 10/11 should respect your privacy by deciding which unwanted functions should be deactivated. Using ShutUp10 you can easily disable Windows Defender, turn off telemetry, disable peer-to-peer updates, turn off Wi-Fi Sense, disable automatic Windows updates, turn off and reset Cortana and more. ShutUp10 allows you to create a System Restore point before you apply any changes, so that you can revert your system at any time if you run into problems. O&O ShutUp10 is entirely free and does not have to be installed – it can be simply run directly and immediately on your PC. And it will not install or download retrospectively unwanted or unnecessary software, like so many other programs do these days! O&O ShutUp10 Free and Premium The latest version brings O&O ShutUp10 Premium, expanding the app’s long-standing privacy controls with automatic enforcement of user-defined settings. Instead of manually rechecking options after every Windows update, users can set their preferred privacy configuration once—or apply recommended settings in a single click—and the tool continuously monitors them in the background. If Windows 10 or 11 re-enables disabled features or introduces new data collection paths, Premium restores the chosen settings automatically without user intervention. The free version remains available and fully functional for manual adjustments, offering the same core privacy controls for Windows. However, the Premium tier is aimed at users who want long-term, hands-off protection, adding automatic reapplication after updates, ongoing monitoring, and optional notifications to ensure privacy settings remain consistent over time. O&O ShutUp10 3.1.1104 changelog: Added “Show Differences” button in the overview panel “Don’t show again” option for the restore point prompt Ctrl+F keyboard shortcut for search/filter functionality Detection and linking of system-wide and user-specific setting associations Automatic search while typing PREM: Option to preserve notification counters and timestamps across application restarts PREM: Reset blocked settings button in the Settings dialog PREM: Informational message when no settings are blocked PREM: Update check can also be triggered from the menu PREM: Notification deduplication and activity log summary feature Improved L005 “Disable Windows Location Service”: Version-specific split (up to Windows 11 23H2) and new variant for Windows 11 24H2+ L001 (Disable Location): Added Night Light warning to the description in all languages Search now detects setting IDs even when ID display is disabled and offers to enable it Detection and removal of Copilot/AI desktop apps in RecallTerminator Optimized High DPI support PREM: Reset button is now only enabled when blocked items exist – setting IDs are shown in the confirmation dialog PREM: Updated tray icons with higher-resolution versions PREM: Activity Log timestamps now use localized date and time formats PREM: Tray icon status now uses OK/Warning indicators and localized tooltips PREM: Recall folder detection switched to service-based detection PREM: Copilot uninstallation now provides UI feedback and improved verification Fixed Description text was not displayed correctly for the last item and disappeared when clicking the scrollbar Crash when clicking a search result heading or the […] button PREM: Installation path is now correctly preserved during upgrades PREM: Tray icon was not reliably removed when exiting the application PREM: Main window was not displayed correctly in single-instance mode PREM: Incorrect display of the & symbol in tray icon tooltips on Windows 10 PREM: Fixed notification flooding after sleep/standby PREM: Dashboard was not refreshed after applying recommended settings during onboarding PREM: Progress bar was not reset after deleting Recall folders PREM: Fixed service startup failures PREM: Fixed incorrect drift detection when Automatic Protection was disabled PREM: Notifications now correctly count all deviating settings when protection is enabled PREM: Registration Wizard was shown after sleep/standby despite a valid license Download: O&O ShutUp10 3.1.1104 | 76.4 MB (Freeware) Download: O&O ShutUp10 32-bit | ARM64 View: O&O ShutUp10 Home Page | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • New Site Moderation

      By +Edouard · Posted

      Fascinating...W h i t e P o w e r is now also asterisks out.  
    • New Site Moderation

      By +Edouard · Posted

      In the past few days I have noticed two odd moderation activities. First, when I posted the term 'White Nationist Christian' it was asterisk's out. When I changed it to **** it was allowed! Second, in the Politics is a ###business thread I was allowed to post that the GOP is a party of p e d ophiles but I was censored  when I posted the GOP are a party of p e d ophile protectors. Wtf Neowin. Please explain.
    • Latest Rufus update improves new Windows 11 install method

      By WITHOUT-ME · Posted

      send him paypal

  • Recent Achievements

    • One Month Later
      Vincian earned a badge
      One Month Later
    • First Post
      Jocimo earned a badge
      First Post
    • Week One Done
      suprememobiles48 earned a badge
      Week One Done
    • One Month Later
      Windows Guy earned a badge
      One Month Later
    • One Month Later
      Prasann earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      546
    2. 2
      +Edouard
      165
    3. 3
      PsYcHoKiLLa
      86
    4. 4
      Steven P.
      66
    5. 5
      ATLien_0
      64
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!