IDS mailing list archives

RE: IDS and Spywares


From: "Omar A. Herrera" <omar.herrera () oissg org>
Date: Wed, 12 Oct 2005 22:52:11 +0100



-----Original Message-----
From: vipul kumra [mailto:vikumar2 () yahoo com]

Hi Dhruv,

I agree with what you have said... but then there is
no 100% fool proof method for detecting anything. As
far as I've seen iPolicy Networks IDS protection is
quite strong... :)

Why use a hammer with a screw? Network based detection is able to deal
pretty well with known network threats, but some sorts of malware (including
some Trojans and spyware) are customized or modified and used with specific
targets. You won't detect those with generic signatures or network based
anomaly behavior.

hIDS/hIPS are much more effective in detecting and preventing these attacks.
If there is any anomalous activity to be detected or any forbidden action to
be blocked, it will be host based, not network based. To start, there is a
considerable number of ways that these threats can travel through the
network (e.g. web scripts, P2P messaging, email attachments, trojanized
downloaded software) and they might not even use the network to get to their
target (sharing of USB memory sticks, CDs, DVDs, ...).

Personally I doubt that it is even worth trying to catch this kind of
malware with a network based IDS or IPS. I would rather use the time for
polishing hIPS/personal firewall policies.

I think this is what Dhruv meant.

Regards,

Omar Herrera
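The point made in the reply above, that a hash or byte signature written for one sample misses a trivially modified copy while a host-side policy on forbidden actions catches the behaviour regardless of how the file arrived, can be shown with a small script. This is an added example and not code from the thread or from any of the products mentioned; the payload bytes, the event log, the removable-media prefixes and the startup directories are all constructed assumptions for the demonstration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a "known" spyware payload and a copy the attacker
# recompiled with one byte changed (a customized/targeted variant).
KNOWN_PAYLOAD = b"MZ\x90\x00spyware-sample-v1"
MODIFIED_PAYLOAD = b"MZ\x90\x00spyware-sample-v2"

# Network-style generic signature: an exact-hash denylist (constructed).
SIGNATURE_DB = {hashlib.sha256(KNOWN_PAYLOAD).hexdigest()}


def signature_match(payload: bytes) -> bool:
    """Generic signature check: only exact, already-seen samples hit."""
    return hashlib.sha256(payload).hexdigest() in SIGNATURE_DB


@dataclass
class HostEvent:
    """One host-side observation as a hIDS/hIPS agent would record it."""
    kind: str            # "process_exec" or "file_write"
    path: str            # file executed or written
    parent: str = ""     # parent process for process_exec events


# Host policy (assumed, not from any product): actions that are forbidden
# no matter whether the file came over the network or on a USB stick.
REMOVABLE_PREFIXES = ("E:\\", "/media/", "/run/media/")
STARTUP_DIRS = ("\\Start Menu\\Programs\\Startup\\", "/etc/cron.d/")
EXEC_SUFFIXES = (".exe", ".scr", ".sh")


def forbidden_action(ev: HostEvent) -> Optional[str]:
    """Return a reason string if the event violates host policy, else None."""
    if ev.kind == "process_exec" and ev.path.startswith(REMOVABLE_PREFIXES):
        return "executable launched from removable media"
    if ev.kind == "file_write" and any(d in ev.path for d in STARTUP_DIRS):
        return "write to an autostart location"
    if ev.kind == "process_exec" and ev.parent.lower().endswith("outlook.exe") \
            and ev.path.lower().endswith(EXEC_SUFFIXES):
        return "mail client spawned an executable attachment"
    return None


def evaluate(events: list[HostEvent]) -> list[tuple[HostEvent, str]]:
    """Run the host policy over an event stream and collect the hits."""
    hits = []
    for ev in events:
        reason = forbidden_action(ev)
        if reason:
            hits.append((ev, reason))
    return hits


# Constructed event stream: one benign update, one USB-borne launch,
# one persistence attempt, one attachment run by the mail client.
SAMPLE_EVENTS = [
    HostEvent("process_exec", "C:\\Program Files\\App\\update.exe", "explorer.exe"),
    HostEvent("process_exec", "E:\\photos\\holiday.exe", "explorer.exe"),
    HostEvent("file_write", "C:\\Users\\x\\AppData\\Roaming\\Microsoft\\Windows"
              "\\Start Menu\\Programs\\Startup\\svc.exe"),
    HostEvent("process_exec", "C:\\Temp\\invoice.scr", "OUTLOOK.EXE"),
]

if __name__ == "__main__":
    print("signature hits original :", signature_match(KNOWN_PAYLOAD))
    print("signature hits variant  :", signature_match(MODIFIED_PAYLOAD))
    for ev, why in evaluate(SAMPLE_EVENTS):
        print(f"host policy: {why}: {ev.path}")
```

The exact-hash denylist stands in for any generic signature: it flags the original sample and nothing else, so the one-byte variant passes. The host policy never looks at the file's content, only at what the file does on the endpoint, which is why it also covers the USB and autostart cases that never cross the network. A real agent would add exceptions for legitimate installers and autostart writers; that tuning is the "polishing" the reply refers to.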

