Snort mailing list archives
Re: Malware detection with Snort
From: "Maxwell, Jamison [HDS]" <JMaxwell () PBP1 COM>
Date: Tue, 26 Nov 2013 13:37:25 -0500
I have excellent success with catching malware in my user networks. First, it's been a good practice for several years now to block outbound 25 on user segments; that way your users have to go through a configured relay in order to send mail. There are many ways to accomplish this, though, but I would be hesitant to offer any specific advice without an understanding of your network.

Moving to Snort, I bridge/span the WAN and LAN interfaces on my firewall to a sensor interface on my IDS. This way, you can capture inbound and outbound with one tap. When packets come up that match the spyware signatures, I run the internal IP address against a PowerShell script I wrote to get the hostname and the currently logged in user.

Jamison Maxwell
Sr. Systems Administrator
HD Supply - Facilities Maintenance

-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Tuesday, November 26, 2013 12:40 PM
To: snort-users () lists sourceforge net
Subject: Snort-users Digest, Vol 90, Issue 34
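The enrichment step Jamison describes (take the internal IP from a Snort alert, look up the hostname and the logged-in user) can be done with a few lines of PowerShell. The script below is an added example written for this archive page; it is not Jamison's script and not part of the Snort project. It assumes a constructed HOME_NET of 10.0.0.0/8, Snort's "fast" alert format, maintained PTR records for the user segments, and workstations that answer CIM/WMI queries from the analyst host; the alert line is constructed sample data, not a real rule or host.

```powershell
# Added example (not the script from the original post): enrich a Snort
# fast-format alert with the internal host's DNS name and logged-on user.
# Assumptions (constructed): HOME_NET is 10.0.0.0/8, the sensor writes
# fast-format alerts, and workstations accept CIM queries over WinRM.

# Constructed sample alert in Snort fast format; the SID, message and
# addresses are placeholders, not a real rule or real hosts.
$SampleAlert = '11/26-13:37:25.123456  [**] [1:1000001:1] LOCAL Spyware beacon (constructed) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.20.30.40:51234 -> 203.0.113.10:80'

function Get-InternalIpFromAlert {
    param([Parameter(Mandatory)][string]$Line)
    # The "{PROTO} src[:port] -> dst[:port]" tail; ports are absent for ICMP.
    $pattern = '\{\w+\}\s+(?<src>[\d.]+)(?::\d+)?\s+->\s+(?<dst>[\d.]+)(?::\d+)?'
    if (-not ($Line -match $pattern)) {
        throw "Not a fast-format alert line: $Line"
    }
    # Whichever side sits in HOME_NET is the host we want to identify.
    foreach ($ip in @($Matches.src, $Matches.dst)) {
        if ($ip -like '10.*') { return $ip }
    }
    return $null
}

function Get-HostContext {
    param([Parameter(Mandatory)][string]$IpAddress)
    $result = [ordered]@{
        IPAddress    = $IpAddress
        HostName     = $null
        LoggedOnUser = $null
        Error        = $null
    }
    try {
        # Reverse DNS; only useful if PTR records for user segments are kept current.
        $result.HostName = [System.Net.Dns]::GetHostEntry($IpAddress).HostName
    } catch {
        $result.Error = "PTR lookup failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    try {
        # Win32_ComputerSystem.UserName holds the interactively logged-on user (DOMAIN\user),
        # or $null when nobody is at the console.
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $result.HostName -ErrorAction Stop
        $result.LoggedOnUser = $cs.UserName
    } catch {
        $result.Error = "CIM query failed: $($_.Exception.Message)"
    }
    return [pscustomobject]$result
}

# Usage: pipe live alert lines from the sensor into the two functions, e.g.
#   Get-Content .\alert -Wait | ForEach-Object { Get-HostContext (Get-InternalIpFromAlert $_) }
$ip = Get-InternalIpFromAlert -Line $SampleAlert
if ($ip) { Get-HostContext -IpAddress $ip | Format-List }
```

Get-CimInstance with -ComputerName goes over WinRM; on hosts that only expose DCOM, Get-WmiObject -Class Win32_ComputerSystem is the drop-in alternative. The Error field is returned rather than thrown so that a single unreachable workstation does not stop a batch of alerts from being enriched.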
Current thread:
- Malware detection with Snort Daniel Calvo Castro (Nov 26)
- Re: Malware detection with Snort Salvo (Nov 26)
- Re: Malware detection with Snort Mayur Patil (Nov 26)
- <Possible follow-ups>
- Re: Malware detection with Snort Maxwell, Jamison [HDS] (Nov 26)
- Re: Malware detection with Snort Salvo (Nov 26)