RE: [Full-disclosure] what can be done with botnet C&C's?

[billn () billn net]

On Thu, 17 Aug 2006, Jordan Medlen wrote:

> I'm sure most people on this list have heard of or use snort. There is an
> add-on package called snortsam. This package allows automation of blocking
> traffic deemed malicious via a null route statement or ACL statement. We
> have been in the process over the last month of implementing this on our
> network with much success. I think the only problem that we have had with it
> thus far is underestimating just how well it was actually going to work. As
> with any snort implementation, it takes time to tweak and tune the rule
> sets, however we have managed to kill a huge amount of traffic either coming
> from our customers or destined to our customers. While this is not a perfect
> system, it is much better than idly sitting there and letting the abuse
> continue.
>
> ---
> Jordan Medlen
> Chief Technology Officer and Architect
> Sago Networks 

Is this the kind of thing that could get a boost from projects like 
ThreatNet (http://www.ali.as/threatnet/)?

I've been peripherally involved with the project, mostly in chasing 
conceptual issues and hammering out the trust relationship details, in 
addition to being an rabid, er, avid developer of network management 
tools, right down to near-real time log analyzers. I think that if you're 
to a point that you trust your tools enough to make an informed decision 
and automate your null routes, why not expand on that and use the same 
networked intelligence the C&C's embody?

- billn