IDS mailing list archives
Re: Malicious Domains and IDS/IPS signatures
From: "Sanjay R" <2sanjayr () gmail com>
Date: Sat, 8 Nov 2008 20:30:36 +0530
Hi Mayank,

On Tue, Nov 4, 2008 at 12:07 PM, Bhatnagar, Mayank <mbhatnagar () ipolicynetworks com> wrote:
> Hi, often we find while analyzing malware or binaries that some malicious domains become inactive after some period of time. They may be active during the initial period of activity: malware, when executed, connects to these domains, and these domains then send malicious files, binaries etc. But just as soon as this information becomes known, or the behavior has been captured by IDS/IPS signatures blocking the domain, the domain itself becomes inactive. What do you feel should be the responsibility of IDS/IPS solution providers? I feel keeping track of such domains (live or down) in an automated manner may be one possibility, and keeping a signature for some time as a measure of protection another. Also, maintaining blacklists of these domains may be helpful.
This is how a blacklist is maintained, and it is being done already. I don't know about the views of IPS/IDS vendors on maintaining a list, as it's more a marketing funda with an added (additional) feature (along with a full-featured IPS/IDS). As far as a pure IPS/NIDS is concerned, its role is to prevent/detect any such malicious file. It's not an option for a misuse-based IPS/NIDS, but a must-have feature to keep signatures.

Another thing that I want to mention (keeping products/marketing aside): there is a difference between an IPS and the ACLs of a (proxy) firewall. The latter keeps a static ACL (e.g. block some IP or domain), whereas the former is dynamic and blocks some IP/domain only when it detects something malicious from it. So blocking a domain statically (or permanently) is not, as such, a function of an IPS. However, it can be done by maintaining a blacklist of URLs.
> How should one handle such cases? Any ideas?
>
> Thanks & Regards,
> Mayank
>
> "DISCLAIMER: This message is proprietary to iPolicy Networks-Security Products division of Tech Mahindra Limited and is intended solely for the use of the individuals to whom it is addressed. It may contain privileged or confidential information and should not be circulated or used for any purpose other than for what is intended. If you have received this message in error, please notify the originator immediately. If you are not the intended recipient, you are notified that you are strictly prohibited from using, copying, altering, or disclosing the contents of this message. iPolicy Networks-Security Products division of Tech Mahindra Limited accepts no responsibility for loss or damage arising from the use of the information transmitted by this email including damage from virus."

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
-- 
Computer Security Learner
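One way to combine the two ideas in this thread, Mayank's automated tracking of whether a listed domain is still live (and keeping its signature "for some time") and Sanjay's point that a domain list is a static ACL rather than dynamic IPS detection: an added example, not code from either poster or from any IDS/IPS product. The liveness probe itself is assumed to run elsewhere and only report back; day numbers and the `.test` domains are constructed.

```python
# Assumed policy (not from the thread): keep a signature while probes still see the
# domain resolving, and for RETENTION_DAYS after it last resolved. Timestamps are
# plain day numbers (e.g. days since epoch) to keep the example self-contained.
RETENTION_DAYS = 30
class DomainBlacklist:
    # Static-ACL style domain list whose entries age out automatically.
    def __init__(self, retention_days=RETENTION_DAYS):
        self.retention_days = retention_days
        self.entries = {}  # domain -> {"alive": bool, "last_resolved": day}

    def add(self, domain, day):
        self.entries[domain.lower().rstrip(".")] = {"alive": True, "last_resolved": day}

    def record_probe(self, domain, alive, day):
        # Periodic DNS probe result (probing done elsewhere); a live hit refreshes the clock.
        e = self.entries[domain.lower().rstrip(".")]
        e["alive"] = alive
        if alive:
            e["last_resolved"] = day

    def expire(self, today):
        # Drop domains that have stayed dead longer than the retention window.
        stale = [d for d, e in self.entries.items()
                 if not e["alive"] and today - e["last_resolved"] > self.retention_days]
        for d in stale:
            del self.entries[d]
        return sorted(stale)

    def match(self, queried):
        # Return the listed domain covering `queried` (exact or a parent), else None.
        labels = queried.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.entries:
                return candidate
        return None

def scan_dns_log(bl, lines):
    # Return (client, listed_domain) for each log line whose query hits the list.
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        hit = bl.match(fields["query"])
        if hit:
            hits.append((fields["client"], hit))
    return hits
# Constructed sample DNS query log; the domains are placeholders, not real indicators.
SAMPLE_LOG = ["2008-11-08T10:00:00 client=10.0.0.5 query=update.bad-example.test",
              "2008-11-08T10:00:05 client=10.0.0.6 query=www.example.org",
              "2008-11-08T10:01:00 client=10.0.0.7 query=bad-example.test."]
```

A domain that a probe reports as resolving again has its retention clock reset, so a list entry for a domain that merely went quiet for a while is not dropped early.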
Current thread:
- Malicious Domains and IDS/IPS signatures Bhatnagar, Mayank (Nov 07)
- [Suspected Spam]Re: Malicious Domains and IDS/IPS signatures Rishi Narang (Nov 09)
- Re: Malicious Domains and IDS/IPS signatures Sanjay R (Nov 09)