Free intrusion detection?
Posted: Thu Mar 18, 2004 1:39 am
I've been pointed towards AVG enough times to believe it is probably a pretty good free antivirus program. I may install it after I get my P4 system assembled, because what else am I going to do with my Hyperthreading? (Answer: run SETI@home in the background 24/7.) However, I think the idea of virus scanners is, at best, a break-even deal, and probably a losing proposition.
Traditionally, as far as I know, virus scanners have virus definition files that contain some signature for every virus the scanner knows about. The scanner searches incoming files and tries to match against these signatures. If it finds one, it has some rule for that virus to try to clean it. You must continually update your virus definition files in order to have protection against the latest viruses. This is a maintenance hassle. But if one of these fast-spreading worms, for instance, hits you, you will have no protection because the virus scanner knows nothing about this. The time from bug to exploit is ever-decreasing and a traditional virus scanner cannot help. In fact, they tend to give a lot of people a false sense of security in my experience.
Intrusion detection is a kind of program I have read about recently. The idea is you look for virus-y types of behaviors and lock shit down and notify users when you see something wrong. I think this is a much better sort of idea, though all the references to this type of software I have seen are for enterprise-level systems, not for home use. Zone Alarm has some limited capabilities along these lines. If a program you haven't authorized to connect to the net tries to send data down the pipe, Zone Alarm catches that and lets you know what the deal is.
Does anyone know anything about this kind of software? I'm looking for basically anything that's free: open source, shareware, Win32, Linux, doesn't matter. I'm just not going to pay for it, is all.
While we're on the topic, what do you do at home to guard your system? I currently have a hardware firewall and practice common sense--I don't run executables from untrusted sources. I don't currently use a software firewall or run a virus scanner. I run an SSH server that's globally visible but I don't remotely log in as root. I don't keep up-to-date with patches, either with Linux or Windows. I worry occasionally about the Linux box, but I figure as long as there aren't any SSH security exploits (ha!) I should be okay since the rest of the box is behind the firewall.
In the semi-far future, I'd like to see OS virtualization used for security purposes. That is, I BT the latest version of Photoshop or whatever and install it on a virtual disk image that's been carefully sandboxed. I use it some and then my intrusion detection software lets me know it's carrying Bagle.748, so I delete that virtual OS and carry on my merry way. We'll see.
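The post contrasts two approaches: a signature scanner that can only recognise what is already in its definition file, and a behaviour monitor that flags suspicious actions (an unauthorised program opening a network connection, Zone Alarm style) regardless of whether the code is known. The toy below is an added example, not code from the original post or from any product mentioned in it. It models a definition file as a dictionary of byte patterns (the EICAR test string plus a made-up marker), runs a constructed "unknown worm" through the scanner, and then runs a constructed event stream through two behaviour rules: connection by a program that is not on the allow list, and a trusted program suddenly fanning out to many hosts. Every program name, host and byte string is constructed for illustration.

```python
"""
Added example (not from the original post): a toy signature scanner beside a
toy behaviour-based monitor, showing why a scanner with no definition for a
new worm sees nothing while a behaviour rule still fires.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# --- Signature-based scanning -------------------------------------------
# A "definition file" here is just name -> byte pattern. The first entry is
# the industry-standard EICAR test string (harmless by design); the second
# is a constructed marker standing in for an older, already-known worm.
SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Example.Old.Worm": b"HYPOTHETICAL-OLD-WORM-MARKER",  # constructed
}


def scan_file(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Return the names of every signature whose pattern occurs in the file."""
    return [name for name, pattern in signatures.items() if pattern in data]


# --- Behaviour-based detection ------------------------------------------
@dataclass
class Event:
    program: str   # constructed process name
    action: str    # "connect" is the only action the toy rules look at
    target: str    # constructed host:port


@dataclass
class BehaviourMonitor:
    allowed_to_connect: Set[str]
    max_hosts: int = 5
    _hosts_seen: Dict[str, Set[str]] = field(default_factory=dict)

    def check(self, ev: Event) -> Optional[str]:
        """Return an alert string if the event matches a suspicious rule."""
        if ev.action != "connect":
            return None
        # Rule 1: a program the user never authorised is sending data out.
        if ev.program not in self.allowed_to_connect:
            return f"{ev.program} tried to connect to {ev.target} without authorization"
        # Rule 2: a trusted program is suddenly contacting many distinct hosts,
        # the fan-out pattern of a mass-mailer or scanning worm.
        hosts = self._hosts_seen.setdefault(ev.program, set())
        hosts.add(ev.target)
        if len(hosts) > self.max_hosts:
            return f"{ev.program} is contacting many hosts ({len(hosts)}); worm-like fan-out"
        return None


def demo():
    """Run both detectors over constructed input and return their findings."""
    # A brand-new worm: no definition exists for it, so the scanner is blind.
    unknown_worm = b"MZ\x90\x00" + b"CONSTRUCTED-NEW-WORM-BODY-NOT-IN-DEFINITIONS"
    sig_hits = scan_file(unknown_worm)  # expected: []

    monitor = BehaviourMonitor(allowed_to_connect={"firefox.exe", "outlook.exe"})
    events = [
        Event("firefox.exe", "connect", "example.com:80"),       # normal
        Event("attachment.exe", "connect", "10.0.0.5:445"),      # unauthorised
    ]
    # Trusted mail client starts talking to six different mail servers.
    events += [Event("outlook.exe", "connect", f"mx{i}.example.net:25") for i in range(6)]

    alerts = [a for a in (monitor.check(e) for e in events) if a]
    return sig_hits, alerts


if __name__ == "__main__":
    hits, found = demo()
    print("signature hits:", hits)
    for alert in found:
        print("ALERT:", alert)
```

The point of the toy is the asymmetry: `scan_file` returns nothing for the constructed worm because its bytes are not in `SIGNATURES`, while `BehaviourMonitor` raises two alerts from the same incident without knowing anything about the code involved. The cost of the behavioural side is the allow list, which the user has to maintain, and the false positives a crude rule like the fan-out threshold will produce on legitimate software.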