Ambush HIPS: A Behavior-Based Host Intrusion Prevention System!

[Wubi]

As attacks keep improving, we need to improve our protection methods too. Helping us improve is Ambush HIPS, a new and dramatically more flexible host intrusion prevention system able to act on virtually any behavior.

Ambush is an open source, behavior-based host intrusion prevention system (HIPS), that monitors virtually everything a process does on a Windows operating system. It can monitor those functions; it can see how malware acts no matter what it does, and it can tell when your processes do things differently from normal programs, even if the result is the same.

The Ambush HIPS works in a client server architecture. The client has to be run on a Windows machine (32-bit and 64-bit) and the server can be run on a *NIX system, that uses a bitnami rubystack appliance, that can also be run on a Windows machine with the VM Player. On *NIX machines it would need the Ruby 1.9 or JRuby-1.6.5.1 along with openssl.

Ambush works with the following understanding that to see your files, execute commands, maintain control of your system, hide, steal information, or do anything else, attackers’ code needs to call Windows functions. So to avoid your antivirus or intrusion detection systems, attackers change the packing or obfuscation to change how the malware looks, but it calls the same functions to do the same things.

Ambush can monitor those functions; it can see how malware acts no matter what it does, and it can tell when your processes do things differently from normal programs, even if the result is the same.

Ambush HIPS also forward alerts to an alert aggregator/event correlator, like Splunk or Arcsight. Since this project is currently under development and testing, lot many features will be added/fixed. It needs your help with all of that! Please do submit your bug reports/feature additions to the Ambush Bugtracker located here.

Download Ambush HIPS here.

Sursa: PenTestIT — Your source for Information Security Related information!