[unisog] Intrusion Prevention - done

kamal hilmi othman kamalho at pd.jaring.my
Tue Jan 21 00:24:20 GMT 2003

Thanks for all the responses.
I have worked it out using Hogwash and it works well on FreeBSD - thanks.
I need an IPS (Intrusion Prevention System) because of NIMDA
(cmd.exe and root.exe) traffic that goes to a non-Windows server - attacking my
Apache server.
Therefore by applying it I have managed to cut down malicious
traffic with cmd.exe and root.exe (even a kiddie that is trying to attack
my Apache web server with the cmd.exe and root.exe vulnerability - duh!)
Traffic that arrives at my web server is clean :) from NIMDA.
In fact I turned it around and block known attacks from inside to outside :)

Valdis.Kletnieks at vt.edu wrote:
> On Fri, 10 Jan 2003 10:20:10 +1300, Russell Fulton said:
> > I agree with Gary the only sure way to find out what works is to try
> > them out.  That said we see such a high rate of false +ves from our IDS
> > (even after disabling many rules) that I would feel very nervous about
> > acting on anything it produces without a good deal of post processing
> > (either automatic or human).
> > I certainly would not want to do anything on the basis of a single
> > detect unless the signature was pretty well foolproof and in my
> > experience most aren't.
> My personal favorite is watching all the IDS's and/or virus detectors
> go off whenever somebody posts to Unisog or Incidents or similar lists
> about an attack of Nimda/CodeRed/Slapper/whatever - and includes logs. ;)
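As an added illustration of the filtering described in this message (not code from the original post, and not part of Hogwash), the following Python scans constructed Apache access-log lines for the Nimda cmd.exe/root.exe probes, percent-decodes the double-encoded paths the worm used, and tallies the probing source addresses so an administrator can confirm what an inline filter should be dropping. The log lines, addresses and timestamps are constructed; the `summarize` and `is_nimda_probe` names are this example's own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined-log line (the sample lines below are constructed, not real traffic).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)
# Nimda requests IIS's cmd.exe/root.exe; an Apache host just answers 404, but the
# request itself is a reliable sign of an infected host scanning the network.
PROBE_RE = re.compile(r'(?:cmd|root)\.exe', re.IGNORECASE)

SAMPLE_LOG = """\
10.0.0.5 - - [21/Jan/2003:00:10:01 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
10.0.0.5 - - [21/Jan/2003:00:10:02 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305 "-" "-"
192.0.2.7 - - [21/Jan/2003:00:11:15 +0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
10.0.0.9 - - [21/Jan/2003:00:12:40 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
"""

def normalize_path(path):
    """Percent-decode until stable (Nimda used %255c-style double encoding) and
    fold backslashes and case so one pattern catches every variant."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.replace("\\", "/").lower()

def is_nimda_probe(line):
    """True if the logged request path asks for cmd.exe or root.exe."""
    m = LOG_RE.match(line)
    return bool(m) and PROBE_RE.search(normalize_path(m.group("path"))) is not None

def summarize(log_text):
    """Count probe requests per source address over a block of log lines."""
    sources = Counter()
    for line in log_text.splitlines():
        if is_nimda_probe(line):
            sources[LOG_RE.match(line).group("ip")] += 1
    return sources

if __name__ == "__main__":
    for ip, n in summarize(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} Nimda probe(s)")
```

The same address tally, run against the outbound side of the server, is how one would check the "inside to outside" blocking the message mentions: any internal host producing these requests is itself infected.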
