New network-wide parasite detection and Spyware Blocklist

Discussion in 'Spyware' started by sponge, Oct 4, 2003.

  1. sponge

    sponge Guest

    This is a two-part message. Well, first, I want to let everyone know
    that I've put together a "Parasite Detection System" for Snort, which
    allows admins and security personnel to identify the presence and
    kinds of most common parasites (spyware, adware, DNS and browser
    hijackers, some trojans like and including Qhosts, etc.) Needless to
    say, this is critical to defend against data leakage, compromised
    applications, identifying apps with lax security controls (i.e. IE
    :), and violations of company policy. There are two versions, the
    "basic" and the "advanced". The Basic is a listing of IPs, and is very
    fast, since it doesn't use content-matching. The Advanced is a bit
    more sophisticated and can detect inbound threats, and also makes use
    of FlexResp.

    Here's the thing: the Basic version is fine and ready to go, so if you
    want to find out what bad stuff is running on your network, go get it
    and chekc bakc for updates every once in awhile.

    The Advanced version still needs some testing, though. I set it up to
    use FlexResp to kill connections-in-progress, but FlexResp is VERY
    quirky. I really, really would like to offer the ability to terminate
    malicious connections, but FlexResp doesn't seem all that reliable.
    Anybody have any input or would like to test it?

    Oh yeah, naturally, I've also updated the firewall rulesets and lists
    -- pretty much everything is on there now. I hit the limit of the
    number of rules Kerio will allow, so any modifications will be at the
    expense of existing rules. The text file (blockips.txt) will continue
    to grow. (As much as I wish it didn't need to...)

    P.S. Direct comments to . My regular account is
    full. Thanks.

    Sponge's Security Solutions
    Yes, I'm into alliteration...
    sponge, Oct 4, 2003
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.