
eEye Digital Security

The endpoint to vulnerability starts here.

 

Recommended Custom IPS Signatures

Last post 12-22-2009 7:23 PM by Blue1978. 2 replies.
Page 1 of 1 (3 items)
  • 02-05-2009 2:15 PM

    Recommended Custom IPS Signatures

    I have created this forum post for anyone that wishes to post any useful Intrusion Prevention Signatures that they may have added to Blink that might benefit others.

    Here is one rule I have created myself (that I add to periodically) that has the purpose of blocking my system from making any contact with particular domains that are known for tracking users and for delivering flash banner ads which lead to a lot of the malware delivering sites out there.

    Under the "Website Blocking" section of the IPS Signatures tab, I made a duplicate of the MySpace Web Request signature and then renamed it to "Additional Web Requests".  I then deleted Myspace.com out from under the Search Pattern section of the rule.  I then added in the following terms:

    .doubleclick.

    .fastclick.

    .yieldmanager.

    .atdmt.

    .ad.

    .webtrends.

    .webtrendslive.

    .google-analytics.

    .googlesyndication.

    .quantserve.

    .2mdn.net


    - none of the boxes at the bottom (of each of these entries) were checked.

  • 02-07-2009 1:02 PM In reply to

    Re: Recommended Custom IPS Signatures

     

    Thanks for the idea. I implemented it.

    I would like to stop all the bad stuff before it gets through the firewall.

    Don't have any signatures I can contribute to this post at this time.

     

    Here are some things I am wondering about, and wishing to share for your perspective.

     

    I use a popular adblock list for Opera. It is also used on Firefox.

    It is available here:

    http://www.fanboy.co.nz/adblock/

    I wonder if somehow that list could be used to add to the BLINK Custom IPS Signatures?

    Currently my HOSTS file at 2699KB has 83,437 items listed. Is there a way to mine it for signatures?

     

    Also:

    LinkScanner Pro extends the capabilities of your firewall to ensure that the actual data passing through the firewall is checked for exploits and other security breaches.

    http://www.explabs.com/products/lspro.asp

     

    Is such a capability to block incoming exploits present with BLINK?  Does LinkScanner complement BLINK or would it be redundant?

     

     

    Here is an interesting security issues blog by Roger Thompson, AVG's Chief Research Officer:

    http://thompson.blog.avg.com/
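
An added example, not part of any post in this thread and not eEye's code: one way to mine a HOSTS file for search patterns in the `.label.` style used in the first post, ranked by how many entries each pattern covers. The sample HOSTS lines, the short public-suffix list and all function names are constructed for illustration, and `collisions` assumes a search pattern is matched as a plain substring of the requested host name.

```python
from collections import Counter

# Constructed sample HOSTS content (not the poster's file).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 ad.doubleclick.net
0.0.0.0 pubads.g.doubleclick.net
0.0.0.0 ad.uk.doubleclick.net   # trailing comment
127.0.0.1 pixel.quantserve.com
127.0.0.1 edge.quantserve.com
0.0.0.0 tracker.example.co.uk
0.0.0.0 cdn.example.co.uk
0.0.0.0 one.solo-example.net
"""

# Assumption: a short built-in list of two-label public suffixes; a full
# version would load the Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz", "co.jp", "com.br"}
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}
SKIP_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def blocked_hosts(text):
    """Yield host names that the HOSTS text maps to a sink address."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in SINK_ADDRS:
            for host in fields[1:]:
                host = host.lower().rstrip(".")
                if "." in host and host not in SKIP_NAMES:
                    yield host

def pattern_for(host):
    """Return '.label.' for the label left of the public suffix, or None."""
    labels = host.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return None
    return "." + labels[-suffix_len - 1] + "."

def mine_patterns(text, min_hosts=2):
    """Rank patterns by how many distinct HOSTS entries each one covers."""
    counts = Counter(pattern_for(h) for h in set(blocked_hosts(text)))
    counts.pop(None, None)
    return sorted(((p, n) for p, n in counts.items() if n >= min_hosts),
                  key=lambda item: (-item[1], item[0]))

def collisions(pattern, must_reach):
    """Hosts you still need that a substring pattern would also block."""
    return [h for h in must_reach if pattern in h.lower()]
```

Run `collisions` on each candidate against the hosts you depend on before adding it to a rule: short labels cover many HOSTS entries but also match unrelated names.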


  • 12-22-2009 7:23 PM In reply to

    Re: Recommended Custom IPS Signatures

    More domains you may want to add to the custom IPS rule (see original post):

    .318x.com

    .318x.net

    .708.net

    .z360.net

    .7766.org

© 1995 - 2009 eEye Incorporated