Snort mailing list archives
Re: Malware detection with Snort
From: Salvo <ilasa01 () linux rokeby com>
Date: Tue, 26 Nov 2013 16:14:32 +0000
You will likely receive other and better answers. There are several approaches to the same problem.

In terms of forensic investigation, unless you have commercial software which can assist in the identification of the malware, I would focus on your FW or on adding a FW in the suspicious subnet. You need to identify the outbound traffic and where the attack comes from. In fact, reading your e-mail, I am under the impression that you are not sure about it. Some FWs have good analytics, but if that is not your case, then you need help from a SIEM package which triggers an alert when the malware kicks off. Snort can also help with the outbound traffic, but you need to identify which computer or subnet is affected if you have a large IT security environment with thousands of computers and tens of subnets.

If your SMTP server is UNIX and listening on port 25, you can also use the access list and relay-domains, but it may cause some inconvenience for your users and the way e-mails are handled when you start filtering.

Salvatore ILardo

On 11/25/2013 05:50 PM, Daniel Calvo Castro wrote:
Hi list,

I'm new to network forensics and I'm wondering what would be the best approach in order to detect a possible malware which is attacking a famous online site from inside my organization on port 25, as far as I know. That is what I thought in the first instance:

- Take Core? switch, configure port mirroring and start sniffing with Snort, filtering by IP address of the online site being attacked, and store the bunch of data for further analysis and reporting.

Are there some further measures / resources / tools / open source projects or experience that would help me to detect the compromised system? I'm reading Malware Analysis Cookbook and getting some cool ideas.

Any help would be appreciated. Thanks in advance!
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
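The approach discussed in this reply and in the original question, as an added example that is not code from the thread or from the Snort project: a Snort 2 rule that alerts on outbound TCP/25 from $HOME_NET to the targeted site, and a Python script that parses Snort's alert_fast log output and ranks internal source hosts and subnets by alert count, which is the "which computer or subnet is affected" step Salvo describes. The target address 203.0.113.10, the internal subnets 10.1.2.0/24 and 10.1.5.0/24, the sid 1000001 and the sample alert lines are all constructed placeholders; the thread never names the site.

```python
import re
import ipaddress
from collections import Counter

# Snort 2 rule (added example, not from the thread). The "famous online site"
# is never named in the thread; 203.0.113.10 (TEST-NET-3) is a placeholder.
# Put it in local.rules and make sure $HOME_NET covers the suspect subnets.
SNORT_RULE = (
    'alert tcp $HOME_NET any -> 203.0.113.10 25 '
    '(msg:"LOCAL outbound SMTP to monitored site"; '
    'flow:to_server,established; classtype:trojan-activity; sid:1000001; rev:1;)'
)

# One line of Snort's "alert_fast" output:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: N] {PROTO} src:sport -> dst:dport
FAST_ALERT_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+'
    r'(?P<dst>[\d.]+):(?P<dport>\d+)\s*$'
)

# Constructed sample log: three hits from one host, one from another subnet,
# one unrelated alert (different sid, port 80) and one line that is not an alert.
SAMPLE_ALERTS = """\
11/26-14:01:05.101010  [**] [1:1000001:1] LOCAL outbound SMTP to monitored site [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.3:51234 -> 203.0.113.10:25
11/26-14:01:07.202020  [**] [1:1000001:1] LOCAL outbound SMTP to monitored site [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.3:51235 -> 203.0.113.10:25
11/26-14:01:09.303030  [**] [1:1000001:1] LOCAL outbound SMTP to monitored site [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.3:51236 -> 203.0.113.10:25
11/26-14:02:00.404040  [**] [1:1000001:1] LOCAL outbound SMTP to monitored site [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.5.7:40001 -> 203.0.113.10:25
11/26-14:02:30.505050  [**] [1:2000000:2] SOME OTHER RULE [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.3:51300 -> 198.51.100.5:80
this line is not a snort alert
""".splitlines()


def parse_fast_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        a[key] = int(a[key])
    return a


def rank_sources(alert_lines, sid=1000001, dport=25,
                 internal_subnets=("10.1.2.0/24", "10.1.5.0/24")):
    """Count alerts for the given sid/dport per internal source IP and per subnet.

    Returns most-common-first lists so the noisiest host and subnet come out on top,
    plus the number of lines that were not parseable alerts.
    """
    nets = [ipaddress.ip_network(s) for s in internal_subnets]
    by_host, by_subnet, unparsed = Counter(), Counter(), 0
    for line in alert_lines:
        a = parse_fast_alert(line)
        if a is None:
            unparsed += 1
            continue
        if a["sid"] != sid or a["dport"] != dport:
            continue  # some other rule fired; not our outbound-SMTP signal
        src = ipaddress.ip_address(a["src"])
        by_host[str(src)] += 1
        # Map the source to the first configured subnet that contains it.
        net = next((str(n) for n in nets if src in n), "unknown")
        by_subnet[net] += 1
    return {
        "by_host": by_host.most_common(),
        "by_subnet": by_subnet.most_common(),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    # In production read /var/log/snort/alert instead of SAMPLE_ALERTS.
    result = rank_sources(SAMPLE_ALERTS)
    print("rule:", SNORT_RULE)
    print("suspect hosts:", result["by_host"])
    print("suspect subnets:", result["by_subnet"])
    print("unparsed lines:", result["unparsed"])
```

Run against the real alert file produced by the sensor on the mirror port and pass your actual $HOME_NET subnets to rank_sources; the top entry is the host to pull off the network and image first. Since a SPAN session only shows traffic that crosses the mirrored switch, cross-check the ranked hosts against the firewall's outbound connection log for port 25, as Salvo suggests, before concluding that no other segment is involved.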
Current thread:
- Malware detection with Snort Daniel Calvo Castro (Nov 26)
- Re: Malware detection with Snort Salvo (Nov 26)
- Re: Malware detection with Snort Mayur Patil (Nov 26)
- <Possible follow-ups>
- Re: Malware detection with Snort Maxwell, Jamison [HDS] (Nov 26)
- Re: Malware detection with Snort Salvo (Nov 26)