Ambush IPS, an HIPS for the paranoids

Discussion in 'other anti-malware software' started by kareldjag, Feb 17, 2013.

Thread Status:
Not open for further replies.
  1. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    I have taken a look at this project one or two month ago, and was wondering about the real need of such monitoring system.
    Home page http://ambuships.com/ Detail http://ambuships.com/details.html
    Devs blog http://www.scriptjunkie.us/2012/10/hoarder-hips-bypasses-and-ambush/

    Efforts of Scriptjunkie are appreciated for the developpement of an HIPS that can dtect malware behavior but also attacks via shellcodes frameworks like Metasploit.
    On the other hand, the history of HIPS market has shown that system expert HIPS (SSM, Comodo, Online Solutions and co) are only devoted to a very small niche market that targets the 5% (?) of experts users.
    More over, the evolution of most security softwares (AV suites, firewall, HIPS) tend to restrict users interaction, and by default to provide a kind of install it and forget it, silent and automated security.

    Then using an HIPS like Win/HollyDbg, monitoring everything, checking thousands of log alerts lines could become nightmare for every day use.
    I have already give such opinion on the Linux area
    https://www.wilderssecurity.com/showthread.php?t=341800

    When security tends to be an obsession, when learning about Insecurity increases paranoia, then we could legitimately consider the need of a computer: is it used for real desktop need (music, video, chats etc) or for a cyberwar against hypothetical malwares and hackers?

    I guess that its client/server deployment and the solid background required to check the alerts will not help Ambush to become very popular.
    Anyway, bravo for its devs. efforts and motivation.

    rgds
     
  2. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    I don't understand - sorry, but I didn't wacht the video - does it work also as a classical HIPS, or his work it's entirely BB based ?
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    interesting reading:thumb: it sounds like a silent hips;)
     
  4. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    It's my doubt: I like better classical HIPSs.
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    same here i am a control freak :)
     
  6. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    As i have said, it is a client/server side IPS (in this case, the Host is the client side), and its installation is more similar to OSSEC IDS for instance than standalone HIPS like Malware Defender or DefenseWall...

    There is a good install summarry here
    http://www.sysforensics.org/2012/08/ambush-ips-part-i-install.html
    And on the devs repo
    https://github.com/scriptjunkie/Ambush/blob/master/HOWTO_setup_clients.txt
    https://github.com/scriptjunkie/Ambush/blob/master/HOWTO_setup_server.txt
    A set of basic signatures can be found here
    https://github.com/scriptjunkie/Ambush/blob/master/exampleSignatureSet.yml
    It is up to anyone to add his own signature, but it could be a fastidious task to list all possible malwares behaviour (task done by BusterBSA since years...).

    As it is mostly API hook based monitoring system, it is possible to get similar results for a special system target with Hook Analyser for instance
    http://hookanalyser.blogspot.fr/

    And i understand that most users here are more tempted by more popular and classical HIPS...
    Sorry for the typo mistakes on my first post :)

    Rgds
     
Loading...
Thread Status:
Not open for further replies.