snort has an add-on program called hogwash that is an IDP. you can run snort in inline mode. however, i'm looking for an IDP that runs internally and can stop irc bots from executing on client pc's and creating outbound connections, flooding my network. i'm not sure if hogwash is a good solution for that. you'd have to run a linux box as an internal router/switch essentially, which after spending the $$ on dedicated cisco devices seems kinda silly. esp. since it'd have to be an awfully $$ server to handle the load. Cisco Security Agent runs on pc's and servers and does just that but is pretty pricey. i thought perhaps with a combination of GPO's and Symantec, this could be taken care of. is there a gpo adm file to prevent unauthorized services from running or only allow "good" ones that you specify as an admin to run? also, can someone point me to a good logon script or some other solution to remove all domain local users from their local admin group. this might help as well.

thanks

-----Original Message-----
From: Renouf, Phil [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 14, 2004 2:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: intrusion prevention

Unless Snort has added some features it is just an Intrusion Detection System and does not offer Intrusion Prevention.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sean Johnson
Sent: Tuesday, December 14, 2004 1:30 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT: intrusion prevention

Snort ( http://www.snort.org ) won't cost you anything other than the time to learn it, and really no matter what kind of IDS solution you use, there is a decent learning curve to overcome.

On Mon, 13 Dec 2004 18:05:50 -0500, Kern, Tom <[EMAIL PROTECTED]> wrote:
> my company is looking at getting cisco security agent for intrusion prevention. Personally, at $60,000, I think it's a bit much.
> does anyone have any cheap intrusion prevention software they use out there? or can you lockdown your desktops enough via GPO's and good AV?
>
> we get a lot of bots lately on our network. these bots infect fully patched boxes and start making outbound requests on ports 445 and 6667, flooding our network to a crawl and sometimes even DOSing our firewall.
> as i've said, they even infect patched pc's with fully updated AV defs (Symantec corporate 9.0).
> the attraction to cisco is that (according to cisco marketing..), a client agent is installed which will stop the action of any unauthorized app or service from running and alert an admin.
> still, i think there's got to be a cheaper way to stop this stuff.
> any ideas (or personal experience with cisco agent)?
> thanks
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
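As an added example that is not part of the thread: a defender-side check for the behaviour Tom describes, a small Python script that parses firewall log lines and flags LAN hosts making repeated outbound connections to TCP 6667 (IRC) or 445 (SMB), which is how an infected PC shows up before it floods the network. The 10/8 LAN range, the log line format and the sample lines are all constructed assumptions.

```python
"""Flag LAN hosts making many outbound connections to the bot ports named in the thread."""
import ipaddress
import re
from collections import defaultdict

LAN = ipaddress.ip_network("10.0.0.0/8")   # assumption: the internal address range
WATCHED_PORTS = {6667: "IRC", 445: "SMB"}  # the two ports the thread reports

# Constructed sample firewall log lines (hypothetical "src=ip:port dst=ip:port" format).
SAMPLE_LOG = """\
2004-12-14 13:30:01 allow src=10.1.1.20:1034 dst=198.51.100.7:6667 proto=tcp
2004-12-14 13:30:02 allow src=10.1.1.20:1035 dst=198.51.100.7:6667 proto=tcp
2004-12-14 13:30:02 deny  src=10.1.1.20:1036 dst=203.0.113.5:445 proto=tcp
2004-12-14 13:30:03 deny  src=10.1.1.20:1037 dst=203.0.113.6:445 proto=tcp
2004-12-14 13:30:03 deny  src=10.1.1.20:1038 dst=203.0.113.7:445 proto=tcp
2004-12-14 13:30:04 allow src=10.1.1.20:1039 dst=198.51.100.7:6667 proto=tcp
2004-12-14 13:30:06 allow src=10.1.1.30:1101 dst=10.1.1.5:445 proto=tcp
2004-12-14 13:30:07 allow src=10.1.1.31:1200 dst=198.51.100.7:6667 proto=tcp
"""

LINE_RE = re.compile(r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) or None when the line does not match."""
    m = LINE_RE.search(line)
    return (m["src"], m["dst"], int(m["dport"])) if m else None

def suspicious_hosts(log_text, threshold=3):
    """Return {src: {port: {"attempts": n, "distinct_dst": k}}} for LAN hosts with at
    least `threshold` outbound attempts on a watched port. Only LAN -> outside traffic
    counts; SMB to an internal file server is normal and is ignored."""
    attempts = defaultdict(int)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] not in WATCHED_PORTS:
            continue
        src, dst, dport = parsed
        if ipaddress.ip_address(src) not in LAN or ipaddress.ip_address(dst) in LAN:
            continue
        attempts[(src, dport)] += 1
        targets[(src, dport)].add(dst)
    flagged = defaultdict(dict)
    for (src, dport), n in attempts.items():
        if n >= threshold:
            flagged[src][dport] = {"attempts": n, "distinct_dst": len(targets[(src, dport)])}
    return dict(flagged)
```

Running `suspicious_hosts(SAMPLE_LOG)` flags only 10.1.1.20: three IRC connections to one server and three SMB attempts to three different outside addresses, while the host talking SMB to the internal file server and the single one-off IRC connection stay below the bar.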
