eEye Digital Security

Recommended Custom IPS Signatures

Last post 09-26-2009 9:36 AM by Blue1978. 4 replies.
  • 02-05-2009 2:15 PM

    Recommended Custom IPS Signatures

    I have created this forum post for anyone that wishes to post any useful Intrusion Prevention Signatures that they may have added to Blink that might benefit others.

         Here is one rule I have created myself (that I add to periodically) that has the purpose of blocking my system from making any contact with particular domains that are known for tracking users and for delivering flash banner ads which lead to a lot of the malware delivering sites out there.

         Under the "Website Blocking" section of the IPS Signatures tab, I made a duplicate of the MySpace Web Request signature and then renamed it to "Additional Web Requests".  I then deleted Myspace.com out from under the Search Pattern section of the rule.  I then added in the following terms:

    .doubleclick.

    .fastclick.

    .yieldmanager.

    .atdmt.

    .ad.

    .webtrends.

    .webtrendslive.

    .google-analytics.

    .googlesyndication.

    .quantserve.

    .2mdn.net


    - none of the boxes at the bottom (of each of these entries) were checked.

     

    (LAST UPDATED:  08OCT09)
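    As an added illustration (not from the post above and not eEye's own code), here is how the listed search patterns behave when each is treated as a plain substring of the requested host, together with a pre-deployment check for over-broad entries. That Blink compares a search pattern as a substring of the host, and the dot-wrapping of the host, are assumptions of this example; the sample URLs and the allowed internal hostname are constructed.

```python
from urllib.parse import urlsplit

# The search patterns from the "Additional Web Requests" rule in the post.
SEARCH_PATTERNS = [
    ".doubleclick.", ".fastclick.", ".yieldmanager.", ".atdmt.", ".ad.",
    ".webtrends.", ".webtrendslive.", ".google-analytics.",
    ".googlesyndication.", ".quantserve.", ".2mdn.net",
]


def host_of(url):
    """Lower-cased host of a URL, or '' if the URL has no host."""
    return (urlsplit(url).hostname or "").lower()


def matched_patterns(url, patterns=SEARCH_PATTERNS):
    """Every pattern that occurs as a plain substring of the request host.

    Assumption: Blink compares each search pattern as a substring of the
    requested host.  The host is wrapped in dots here so that a leading-dot
    pattern such as '.doubleclick.' also hits a bare 'doubleclick.net'.
    """
    host = "." + host_of(url) + "."
    return [p for p in patterns if p in host]


def would_block(url, patterns=SEARCH_PATTERNS):
    """True when at least one pattern matches, i.e. the rule would fire."""
    return bool(matched_patterns(url, patterns))


def overbroad(patterns, allowed_hosts):
    """Map each pattern to the allowed hosts it would wrongly block.

    Run this before adding an entry: a very short pattern such as '.ad.'
    also matches internal names that use 'ad' for an Active Directory
    domain, which is a common naming convention.
    """
    hits = {}
    for host in allowed_hosts:
        wrapped = "." + host.lower() + "."
        for p in patterns:
            if p in wrapped:
                hits.setdefault(p, []).append(host)
    return hits


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for url in ("http://ad.doubleclick.net/adj/site/;sz=728x90",
                "http://s0.2mdn.net/banner.swf",
                "https://www.example.com/index.html"):
        print(url, "->", matched_patterns(url) or "allowed")
    # Constructed internal hostname to show the '.ad.' over-match.
    print(overbroad(SEARCH_PATTERNS, ["files.ad.corp.example"]))
```

Running the file prints which sample requests the rule would stop; the `overbroad` report is the check worth repeating whenever a new short pattern is added, because a false positive on an internal host is noticed by users long before a missed ad server is.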

  • 02-07-2009 1:02 PM In reply to

    Re: Recommended Custom IPS Signatures

     

    Thanks for the idea. I implemented it.

    I would like to stop all the bad stuff before it gets through firewall.

    Don't have any signatures I can contribute to this post at this time.

     

    Here are some things I am wondering about, and wishing to share for your perspective.

     

    I use a popular adblock list for Opera. It is also used on FireFox.

    It is available here:

    http://www.fanboy.co.nz/adblock/

    I wonder if somehow that list could be used to add to the BLINK Custom IPS Signatures?

    Currently my HOSTS file at 2699KB has 83,437 items listed. Is there a way to mine it for signatures?

     

    Also:

    LinkScanner Pro extends the capabilities of your firewall to ensure that the actual data passing through the firewall is checked for exploits and other security breaches.

    http://www.explabs.com/products/lspro.asp

     

    Is such a capability to block incoming exploits present with BLINK?  Does LinkScanner complement BLINK or would it be redundant?

     

     

    Here is an interesting security issues blog by

    Roger Thompson

    AVG's Chief Research Officer

    http://thompson.blog.avg.com/
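    The question above about mining a HOSTS file or an adblock list for Blink signatures comes down to collapsing many hostnames into one substring pattern per domain, in the `.doubleclick.` style of the original post. The following Python is an added example, not part of the thread and not eEye code; the HOSTS and adblock excerpts are constructed stand-ins (not the poster's file or the Fanboy list), only the `||domain^` adblock rule form is handled, and the registrable-domain rule uses a short hand-written suffix list rather than the public suffix list, which is an assumption of this example.

```python
import re

# Constructed sample inputs standing in for the poster's HOSTS file and
# the Fanboy adblock list; they are not excerpts of either.
HOSTS_SAMPLE = """\
# constructed HOSTS excerpt
127.0.0.1       localhost
::1             localhost
0.0.0.0 ads.example-tracker.net
0.0.0.0 static.ads.example-tracker.net
0.0.0.0 pixel.example-tracker.net   # beacon
127.0.0.1 banner.example-adserver.com
127.0.0.1 ad.example-adserver.co.uk
"""

ADBLOCK_SAMPLE = """\
! constructed excerpt in Adblock Plus filter syntax
||example-adserver.com^
||cdn.example-metrics.org^$third-party
example.com##.ad-banner
/banners/*
"""

# Names every HOSTS file carries that must never become a block pattern.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def hosts_from_hosts_file(text):
    """Hostnames from HOSTS-format text (an address followed by names)."""
    hosts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:                  # fields[0] is the address
            name = name.lower()
            if name not in LOCAL_NAMES:
                hosts.add(name)
    return hosts


# Only the '||domain^' blocking form maps onto a host-based signature;
# element-hiding (##) rules and URL-path rules are skipped.
ADBLOCK_DOMAIN_RULE = re.compile(r"^\|\|([a-z0-9.-]+)\^")


def hosts_from_adblock(text):
    """Hostnames from '||domain^' rules in Adblock Plus filter syntax."""
    hosts = set()
    for line in text.splitlines():
        m = ADBLOCK_DOMAIN_RULE.match(line.strip().lower())
        if m:
            hosts.add(m.group(1))
    return hosts


# Under a two-letter country code, these second-level labels ('co.uk',
# 'com.au') are part of the suffix.  Assumption: a short list instead of
# the public suffix list, sufficient for the sample data.
COUNTRY_SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov", "edu"}


def domain_label(host):
    """The registrable-domain label, e.g. 'doubleclick' for 'ad.doubleclick.net'."""
    labels = host.split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in COUNTRY_SECOND_LEVEL):
        labels = labels[:-1]
    return labels[-2] if len(labels) >= 2 else labels[0]


def patterns_from_hosts(hosts, min_label_len=5):
    """Collapse hostnames into Blink-style '.label.' search patterns.

    One pattern per registrable domain covers every subdomain in the list.
    Labels shorter than min_label_len are dropped because a substring such
    as '.ad.' matches far more than the ad server it came from (a tuning
    knob chosen for this example).
    """
    labels = {domain_label(h) for h in hosts}
    return sorted("." + l + "." for l in labels if len(l) >= min_label_len)


def mine_patterns(hosts_text, adblock_text):
    """Merge both sources and return the de-duplicated pattern list."""
    hosts = hosts_from_hosts_file(hosts_text) | hosts_from_adblock(adblock_text)
    return patterns_from_hosts(hosts)


if __name__ == "__main__":
    print(mine_patterns(HOSTS_SAMPLE, ADBLOCK_SAMPLE))
```

Seven hostnames across the two sample sources collapse to three patterns, which is the point of mining rather than importing: a HOSTS file with tens of thousands of entries would otherwise become an unmanageably long search-pattern list, and the per-domain patterns also cover subdomains the list has not seen yet. Review the output before loading it into a signature, since a short or generic label can block legitimate hosts.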

  • 02-08-2009 5:30 PM In reply to

    Re: Recommended Custom IPS Signatures

    topovan:
    LinkScanner Pro extends the capabilities of your firewall to ensure that the actual data passing through the firewall is checked for exploits and other security breaches.

    I think it is similar to Blink (but eEye would have to elaborate on that one).  My only question about the product is whether or not it is truly using "Protocol Analysis" like Blink is, OR is it using known signatures of known attacks that exist in a website to analyze traffic with.  I will probably ask their support and see what they say.

    As far as using LinkScanner Pro with Blink, I have tried them together and I can say it is not a pretty sight to see!  Your system will hang up a lot (when attempting to download things) and trying to surf the internet will be painfully slow.  If you try it you will clearly see that the two products conflict with each other.

    If you have a HOSTS file already you probably do not need to add anything to Blink.  More or less my idea was for folks that do not have the ability to use HOSTS files.

  • 02-13-2009 6:23 AM In reply to

    Re: Recommended Custom IPS Signatures

    topovan:

    LinkScanner Pro extends the capabilities of your firewall to ensure that the actual data passing through the firewall is checked for exploits and other security breaches.

    http://www.explabs.com/products/lspro.asp

     

    Is such a capability to block incoming exploits present with BLINK?  Does LinkScanner complement BLINK or would it be redundant?

     

    I checked with the LinkScanner Pro folks.  This is what I asked them and I also provided their response:

    Question:

    What exact form of technology are you using in your product?  Are you using
    mostly a signature based form of attack prevention looking for specific
    behaviors that target applications?

    OR

    Does your product use some form of Protocol Analysis for analyzing
    traffic that passes through LinkScanner?

    Answer:

    "We use signatures and behavioral analysis of active web content.  The behavioral
    is mostly on scripts (action, vb, java, etc).  LinkScanner is now part of
    the AVG product suite which in addition to traditional AV/AS also includes a
    robust firewall and more advanced behavioral analysis of programs via our new
    Sana security module which will be released next month."

    See
    http://www.avg.com for more information.

    Regards,
    Greg

    ==================================================================

    So regardless, LinkScanner is not using the same detection techniques (via Protocol Analysis) that Blink is using.  I do wish eEye would add more scanning abilities dealing with VBScript, Java, and so forth into Blink.

  • 09-26-2009 9:36 AM In reply to

    Malicious Banner Ads

    Here is an article that supports reasons to block the domains I have listed above in my original post.

    http://itknowledgeexchange.techtarget.com/security-bytes/attackers-target-pdf-directshow-flaws-with-malicious-banner-ads/

© 1995 - 2009 eEye Incorporated