Snort mailing list archives

Re: Malware detection with Snort


From: Salvo <ilasa01 () linux rokeby com>
Date: Tue, 26 Nov 2013 16:14:32 +0000

You will likely receive other and better answers. There are several
approaches for the same problem.

In terms of forensic investigation, unless you have commercial software
which can assist in the identification of the malware, I would focus on
your FW or on adding a FW in the suspicious subnet. You need to identify
the outbound traffic and where the attack comes from. In fact,
reading your e-mail, I am under the impression that you are not sure
about it. Some FWs have good analytics, but if that is not your case, then
you need help from a SIEM package which triggers an alert when the
malware kicks off. Snort can also help with the outbound traffic, but
you need to identify which computer or sub-net is affected if you have a
large IT security environment with thousands of computers and tens of
sub-nets. If your SMTP server is UNIX and listening on port 25, you can
also use the access list and relay-domains, but it may cause some
inconvenience for your users and the way the e-mails are handled
when you start filtering.

Salvatore ILardo

On 11/25/2013 05:50 PM, Daniel Calvo Castro wrote:
Hi list,

I'm new to network forensics and I'm wondering what would be the best
approach in order to detect a possible malware which is attacking a
famous online site from inside my organization on port 25, as far as I
know. That is what I thought in the first instance:

 - Take Core? switch, configure port mirroring and start sniffing with
snort, filtering by ip address of the online site being attacked and
store the bunch of data for further analysis and reporting.

Is there some further measures / resources / tools / open source
projects or experience that would help me to detect the compromised
system? I'm reading Malware Analysis Cookbook and getting some cool ideas.

Any help would be appreciated

Thanks in advance!
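Both Daniel's plan (mirror the core switch, run Snort, filter by the attacked site's address) and Salvo's point that you still have to work out which computer or sub-net is the source come down to the same step: aggregating Snort's outbound port-25 alerts by internal source host. The script below is an added example, not code from either poster; it parses Snort's "fast" alert line format, and the alert lines, the local rule sid 1000001, the target address and the mail-relay address are all constructed for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches Snort's "fast" alert line format (the -A fast / alert_fast output).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample alerts, not captured traffic. 10.10.5.23 plays the
# compromised host, 10.10.1.5 the organisation's legitimate mail relay,
# 203.0.113.10 the attacked online site; sid 1000001 is a hypothetical local rule.
SAMPLE_ALERTS = """\
11/25-17:50:01.000001  [**] [1:1000001:1] LOCAL outbound SMTP [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.5.23:49152 -> 203.0.113.10:25
11/25-17:50:01.200001  [**] [1:1000001:1] LOCAL outbound SMTP [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.5.23:49153 -> 203.0.113.10:25
11/25-17:50:02.000001  [**] [1:1000001:1] LOCAL outbound SMTP [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.1.5:38000 -> 198.51.100.7:25
11/25-17:50:02.500001  [**] [1:1000001:1] LOCAL outbound SMTP [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.5.23:49154 -> 203.0.113.10:25
11/25-17:50:03.000001  [**] [1:1000001:1] LOCAL outbound SMTP [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.7.9:50000 -> 203.0.113.10:25
11/25-17:50:03.100001  [**] [1:2000002:3] ET POLICY example [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.10.5.23:49155 -> 203.0.113.10:80
this line is not an alert and is skipped
"""


def parse_fast_alerts(text):
    """Parse fast-format alert lines; non-matching lines are skipped."""
    return [m.groupdict() for m in map(FAST_RE.match, text.splitlines()) if m]


def rank_smtp_sources(alerts, target_ip=None, mail_relays=()):
    """Count outbound TCP/25 alerts per internal source host, optionally
    restricted to the attacked site and excluding the known mail relays."""
    counts = Counter()
    for a in alerts:
        if a["proto"] != "TCP" or a["dport"] != "25" or a["src"] in mail_relays:
            continue
        if target_ip and a["dst"] != target_ip:
            continue
        counts[a["src"]] += 1
    return counts.most_common()  # [(source_ip, alert_count), ...], busiest first


def rank_smtp_subnets(ranked, prefix=24):
    """Collapse per-host counts into per-subnet counts, which tells you which
    segment to put the firewall or span port on first in a large network."""
    nets = Counter()
    for host, n in ranked:
        nets[str(ipaddress.ip_network(f"{host}/{prefix}", strict=False))] += n
    return nets.most_common()
```

Point it at the real alert file produced by `snort -A fast` on the mirrored interface instead of `SAMPLE_ALERTS`, and feed the top source into your firewall or SIEM investigation.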







_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
