hi Mayank

On Tue, Nov 4, 2008 at 12:07 PM, Bhatnagar, Mayank <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> Often we find while analyzing malware or binaries, some malicious
> domains become inactive after some period of time.
>
> They may be active during the initial period of activity, malware when
> executed connecting to these domains, these domains then sending
> malicious files....binaries etc.....but just as soon as this information
> is known or the behavior has been captured by IDS/IPS signatures
> blocking this domain, soon the domain itself becomes inactive.
>
> What do you feel should be the responsibility of IDS/IPS solution
> providers? I feel keeping track of such domains (live or down) in an
> automated manner may be one possibility, keeping a signature for some
> time as a measure of protection another. Also maintaining blacklists of
> these domains may be helpful.

this is how a blacklist is maintained and it is being done already. I don't know about the views of IPS/IDS vendors on maintaining a list, as it's more a marketing funda with an added (additional) feature (along with a full-featured IPS/IDS).

as far as a pure IPS/NIDS is concerned, its role is to prevent/detect any such malicious file. It's not an option for a misuse-based IPS/NIDS, but a must-have feature, to keep signatures.

another thing that I want to mention (keeping products/marketing aside): there is a difference between an IPS and the ACLs of a (proxy) firewall. The latter keeps a static ACL (e.g. block some IP or domain), whereas the former is dynamic and blocks some IP/domain only when it detects something malicious from it. So blocking a domain statically (or permanently) is not, as such, a function of an IPS. However, it can be done by maintaining a blacklist of URLs.

> How should one handle such cases? Any ideas?
>
> Thanks & Regards,
> Mayank
>
> "DISCLAIMER:
> This message is proprietary to iPolicy Networks-Security Products division of
> Tech Mahindra Limited and is intended solely for the use of the individuals
> to whom it is addressed. It may contain privileged or confidential
> information and should not be circulated or used for any purpose other than
> for what is intended. If you have received this message in error, please
> notify the originator immediately. If you are not the intended recipient, you
> are notified that you are strictly prohibited from using, copying, altering,
> or disclosing the contents of this message. iPolicy Networks-Security
> Products division of Tech Mahindra Limited accepts no responsibility for loss
> or damage arising from the use of the information transmitted by this email
> including damage from virus."
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> to learn more.
> ------------------------------------------------------------------------
--
Computer Security Learner
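An added example, not code from the original thread or from either poster, putting the two points of the reply side by side: a firewall-style static ACL that never expires, and an IPS-style dynamic block that is raised only after a misuse-based signature fires on traffic from a domain and is then kept for a retention window whether or not the domain is still resolving. The log format, the domain names, the 30-day retention, the ".exe"/x-msdownload signature and the liveness table are all constructed assumptions for the example; a real deployment would feed it the sensor's own DNS/HTTP logs and a real resolver.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Assumption: how long a dynamically raised block (the "signature") is kept after
# the last detection, even if the domain has since gone dark.
RETENTION = timedelta(days=30)

# Constructed sample log lines (not real traffic); the format is an assumption.
SAMPLE_LOG = """\
2008-11-04T12:07:00 DNS client=10.0.0.5 qname=updates.example.net
2008-11-04T12:07:02 HTTP client=10.0.0.5 host=updates.example.net uri=/ctrl/load.exe ctype=application/x-msdownload
2008-11-04T12:09:15 DNS client=10.0.0.9 qname=www.example.com
2008-11-04T12:09:16 HTTP client=10.0.0.9 host=www.example.com uri=/index.html ctype=text/html
2008-11-04T13:30:00 DNS client=10.0.0.7 qname=updates.example.net
2008-11-04T13:31:00 HTTP client=10.0.0.7 host=static-blocked.example.org uri=/ ctype=text/html
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proto>DNS|HTTP) (?P<kv>.*)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line into a dict of fields; None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m.group("ts")), "proto": m.group("proto")}
    for kv in m.group("kv").split():
        k, _, v = kv.partition("=")
        rec[k] = v
    return rec


def is_malicious_download(rec: dict) -> bool:
    """Toy misuse-based signature: an HTTP fetch whose URI or content type marks an executable."""
    if rec.get("proto") != "HTTP":
        return False
    return rec.get("uri", "").lower().endswith(".exe") or rec.get("ctype") == "application/x-msdownload"


@dataclass
class Entry:
    first_seen: datetime
    last_seen: datetime
    hits: int = 1
    live: Optional[bool] = None  # None = liveness not checked yet


class DomainTracker:
    """Static ACL (firewall-like, never expires) next to dynamic blocks raised by detections."""

    def __init__(self, static_acl, retention: timedelta = RETENTION):
        self.static_acl = {d.lower() for d in static_acl}
        self.retention = retention
        self.dynamic: Dict[str, Entry] = {}

    def record_detection(self, domain: str, when: datetime) -> None:
        """Raise (or refresh) a dynamic block; every new hit extends the retention window."""
        d = domain.lower()
        e = self.dynamic.get(d)
        if e is None:
            self.dynamic[d] = Entry(first_seen=when, last_seen=when)
        else:
            e.last_seen = max(e.last_seen, when)
            e.hits += 1

    def decision(self, domain: str, now: datetime) -> str:
        d = domain.lower()
        if d in self.static_acl:
            return "block-static"
        e = self.dynamic.get(d)
        if e is not None and now - e.last_seen <= self.retention:
            return "block-dynamic"
        return "allow"

    def refresh_liveness(self, resolver: Callable[[str], bool]) -> Dict[str, bool]:
        """Record whether each tracked domain still resolves. A dead domain is NOT dropped:
        its block stays until retention runs out, because the domain can come back."""
        for d, e in self.dynamic.items():
            e.live = resolver(d)
        return {d: e.live for d, e in self.dynamic.items()}

    def expire(self, now: datetime) -> List[str]:
        """Drop dynamic entries whose last hit is older than the retention window."""
        stale = [d for d, e in self.dynamic.items() if now - e.last_seen > self.retention]
        for d in stale:
            del self.dynamic[d]
        return stale


def process_log(text: str, tracker: DomainTracker) -> List[Tuple[datetime, str, str]]:
    """Replay log lines in order; return (timestamp, domain, verdict) per DNS/HTTP record."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        domain = rec.get("qname") or rec.get("host")
        if not domain:
            continue
        verdict = tracker.decision(domain, rec["ts"])
        if is_malicious_download(rec):
            tracker.record_detection(domain, rec["ts"])  # refreshes last_seen
            if verdict == "allow":
                verdict = "detect+block-dynamic"
        out.append((rec["ts"], domain, verdict))
    return out


# Constructed liveness table standing in for a DNS lookup (a real check would call
# socket.gethostbyname or a resolver library; kept offline here on purpose).
FAKE_DNS = {"updates.example.net": False}


def fake_resolver(domain: str) -> bool:
    return FAKE_DNS.get(domain, True)


if __name__ == "__main__":
    t = DomainTracker(static_acl=["static-blocked.example.org"])
    for ts, dom, v in process_log(SAMPLE_LOG, t):
        print(ts.isoformat(), dom, v)
    print("liveness:", t.refresh_liveness(fake_resolver))
    print("expired at 2008-12-10:", t.expire(datetime(2008, 12, 10)))
```

Replaying the constructed log, the first fetch of load.exe is what raises the dynamic block; the later DNS query for the same domain is then blocked even though the liveness check reports the domain as dead, and only the retention window, not the domain's status, decides when the entry is finally dropped. The static ACL entry is matched without any detection at all, which is the firewall behaviour the reply contrasts with an IPS.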
