Re: Best way to look for Worms/Malware

[Henri Salo <henri () nerv fi>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 11 Sep 2010 10:34:51 -0500
Todd Haverkos <infosec () haverkos com> wrote:

> Henri Salo <henri () nerv fi> writes:
>
> > On Mon, 8 Feb 2010 11:52:34 -0700
> > dhamm () cinci rr com wrote:
> >
> > > While this might be a question for the IDS mailing list, I think it
> > > is a good Security Basics question too, as I am sure many of us
> > > getting into Security will have a similar question. I have a client
> > > that wants to get an idea whether or not there is anything roaming
> > > on the background on the network. He is running on an older non
> > > managed switch network, and wants to know what would be a good way
> > > to set up some kind of detector, besides having patching and anti
> > > virus. So my question is, should he setup an IDS of some kind,
> > > preferably something that can be setup quickly, with the
> > > understanding that he wants to setup a more permanent IDS solution
> > > in the near future. Or should he do some sort of IDS/Honeypot
> > > combination?  Any suggestions would be appreciated. 
> > >
> > > Thanks,
> > > David Hamm
> >
> > My sugestions: nmap, snort and nepenthes
> >
> > http://nmap.org/
> > http://www.snort.org/
> > http://nepenthes.carnivore.it/
>
> Snort is a very good suggestion.  He'll need to get all network
> traffic to it, however, so his existing switch may not have a span
> port. 

One can also configure IDS/IPS using pass-trough network-card or just
configure it to be middle of the traffic as bridge.

Best regards,
Henri
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkyOe3gACgkQXf6hBi6kbk+2+gCfSDV5M5mHiHpFRkHE/q3HAHfE
huoAnR5lNFLkuN7FHrLwRoYElynfRXZe
=nbh3
-----END PGP SIGNATURE-----