IDS Focus (focus-ids) Mailing List

Re: Host Based IDS

Mon, 01 Dec 2008 20:41:36 +0100

Posted by Stefano Zanero on Dec 01

Security Group wrote:
> Btw are their HIDS that can detect all-in-memory exploits (without the
> need of starting a process via the kernel)?

Not in the commercial world, but for sure in research:
http://portal.acm.org/citation.cfm?id=1368514

Best,
Stefano

...

Re: Host Based IDS

Mon, 1 Dec 2008 14:43:29 +0100

Posted by Security Group on Dec 1

Hi,

First of all many thanks for your replies and excuse me for my late response.

Your requests for clarification are justified. I will describe the situation:

We have Windows servers (60+) with custom server applications (self
developed software) which are in the DMZ.

There is already a...

Re: Email reputation for inout to IDSs?

Wed, 26 Nov 2008 11:53:12 -0700

Posted by Tremaine Lea on Nov 26

On 26-Nov-08, at 8:37 AM, Joel Snyder wrote:

> There are a few IPS/IDS solutions out there utilizing email reputation
> > as part of their solutions, and they primarily get their strength
> from a
> > centralized managed db on the part of the vendor supplying the
>...

Re: Email reputation for inout to IDSs?

Wed, 26 Nov 2008 22:52:01 +0530

Posted by Sanjay R on Nov 26

agreed that such an approach may be useful for Managers, specially
for Alert filtering. But i think the question was to use reputation to
decide the degree of scanning the traffic by an IDS => IDS will scan
the packets based on its reputation. I want to emphasis here that
there is...

Re: Email reputation for inout to IDSs?

Wed, 26 Nov 2008 22:37:19 +0530

Posted by Sanjay R on Nov 26

I saw TrustedSource and tried it with adsense filtered urls. Most of
the time, it classified them as neutral though these urls are known to
install spyware/malwares. now think of an IDS that scans packet based
on its reputation which is taken from TrustedSource and yo will have
many false...

RE: Email reputation for inout to IDSs?

Wed, 26 Nov 2008 11:00:27 -0500

Posted by Bourque Daniel on Nov 26

Look at TrustedSource

http://www.trustedsource.org/

-----Message d'origine-----
De : listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com] De la part de Tremaine Lea
Envoyé : 25 novembre 2008 20:32
À : Sanjay R
Cc : Gautam Singaraju;...

Re: Email reputation for inout to IDSs?

Wed, 26 Nov 2008 08:37:45 -0700

Posted by Joel Snyder on Nov 26

There are a few IPS/IDS solutions out there utilizing email reputation
> as part of their solutions, and they primarily get their strength from a
> centralized managed db on the part of the vendor supplying the solution.

I haven't seen this actually happening; do you have...

Re: Email reputation for inout to IDSs?

Wed, 26 Nov 2008 13:49:48 +0100

Posted by bart knippenberg on Nov 26

Why would you want to do this on an ids? Al lot of email gateways have
a similar funktion (Sender base reputation filtering). I believe it
should be perfomed by the email gateway and not the ids/ips system. If
you want to do this on your ips I believe it will be overloaded or has
to be sized...

Re: Email reputation for inout to IDSs?

Tue, 25 Nov 2008 18:32:15 -0700

Posted by Tremaine Lea on Nov 25

Hi Sanjay,

Conversely to your point, IP addresses/email addresses that have poor
reputations due to being a source of UCE/UBE go under heightened
scrutiny or may be blocked based on the implementers policy/preference
for other protocols.

There are a few IPS/IDS solutions out there utilizing...

Re: Email reputation for inout to IDSs?

Tue, 25 Nov 2008 21:09:54 +0530

Posted by Sanjay R on Nov 25

Hi Gautam:
My general feeling towards the reputation system is "It is not a
security mechanism" and it should be proven either by me or by someone
else in more formal words/way.
now let us take the scenario that you posed. each email has a
reputaion value associated with it...

Re: Email reputation for inout to IDSs?

Mon, 24 Nov 2008 13:44:39 -0500

Posted by Gautam Singaraju on Nov 24

Sanjay,

FYI: http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1271716,00.html

--- Gautam On Mon, Nov 24, 2008 at 1:24 PM, Gautam Singaraju <gautam.singaraju_at_gmail.com> wrote: > Hi Sanjay, > > I have a hearsay that some commercial products...

Re: Email reputation for inout to IDSs?

Mon, 24 Nov 2008 13:24:28 -0500

Posted by Gautam Singaraju on Nov 24

Hi Sanjay,

I have a hearsay that some commercial products are in fact attempting
this. I understand that inputs from IDSs are being used to 'refine'
email reputation and vice-versa; though I have not seen any numbers
that attempt these.

The idea is that: IDSs can monitor connections from...

Re: Email reputation for inout to IDSs?

Mon, 24 Nov 2008 23:40:59 +0530

Posted by Sanjay R on Nov 24

Hi Gautam,
Can you please mention those references that have tried to incorporate
email reputation systems into an IDS? To me, it appears that this type
of solutions are more close to creating a "black-list" rather than
core functionality of IDS i.e detecting an attack (malicious
...

Email reputation for inout to IDSs?

Sat, 22 Nov 2008 20:21:45 -0500

Posted by Gautam Singaraju on Nov 22

All,

I have been working in email reputation system that has computed
sender reputations for over an year. I believe that there are couple
of efforts to incorporate email reputations into IDSs. Is someone in
the group working on this? Are there any IDSs which can be configured
to perform...

Re: tesis thopic : IDS using mobile agents... What do you think about it?

Tue, 18 Nov 2008 22:03:40 +0100

Posted by Stefano Zanero on Nov 18

Armin Garcia Lopez wrote:

> I really too surprised by the words that you use to say that this isnt a
> thesis topic at this stage...

No, it really isn't.

> Plaese let me know what do you think about this papers....

They are all papers related to very different topics, results of a...