To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Title: [botnets] Re-branding IPS as an anti botnet tool
I've been detecting and notifying botnets with iptables/layer7/squid/squidguard. With the small networks I work with, there is no IRC traffic. I use the l7-filter add-in for iptables to detect all outgoing IRC traffic rather than just the default port 6667. This has worked well; however, with the proliferation of custom P2P C&C traffic and other methods of C&C, I don't feel that this system will be the "cat's meow" for very long. I have started using squid's proto http to try and test for "other than normal port 80" traffic, but I'm not sure how well that will work. I block everything by default and only allow what is absolutely necessary, but I feel the bot authors are much, much smarter than I.

What are other people doing to catch these bots without going to a signature-based system like an IDS? I originally tried to use Snort-inline, and it works, but it's limited to the most recent signature, which always seems a step or two behind.

I'm interested to see what others are using...
From: Gadi Evron [mailto:[EMAIL PROTECTED]]
Sent: Tue 10/24/2006 8:52 AM
To: [email protected]
Subject: [botnets] Re-branding IPS as an anti botnet tool
----------
I saw a PR last month from McAfee on this issue, and now they have issued another one.

For most cases, I don't believe in IDS products.

I think that trying to pitch I[DP]S as a solution for botnets is technologically silly, but marketing-wise right on the spot. As THE solution it is plain and simple silly.

A lot of security vendors will now start taking that approach, dealing with the buzzword.

An IPS will not cure your botnet problems. It may help pinpoint some bots (or similar) on your network, which is important, but that's about it.

I wish McAfee all the luck in the world, but this is, in my opinion, way way way over-hyped:
http://www.mcafee.com/us/local_content/white_papers/wp_botnet.pdf

In another PR they present a case study on how they saved a South American country from a botnet attack using their IPS. I would like to see more.. or something, to back it up as to how, before I state my opinion.

What do you think?

Gadi.
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
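The first reply's setup, an l7-filter iptables rule that logs outbound IRC on any port plus squid watching for HTTP to non-standard ports, produces two log streams that still have to be correlated back to the internal host. The following is an added example (not code from either poster) that does that over constructed iptables LOG and squid access.log lines; the `IRC-L7:` log prefix, the host addresses and the log contents are all assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed iptables LOG lines (documentation address ranges), as emitted by a rule like
#   iptables -A FORWARD -m layer7 --l7proto irc -j LOG --log-prefix "IRC-L7: "
IPTABLES_LOG = """\
Oct 24 08:52:01 gw kernel: IRC-L7: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=8080
Oct 24 08:52:05 gw kernel: IRC-L7: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.11 PROTO=TCP SPT=40110 DPT=6667
Oct 24 08:52:09 gw kernel: DROP: IN=eth1 OUT=eth0 SRC=192.168.1.55 DST=203.0.113.12 PROTO=UDP SPT=1900 DPT=1900
"""
# Constructed squid native access.log lines (client is field 3, method field 6, URL field 7)
SQUID_LOG = """\
1161694321.123 245 192.168.1.23 TCP_MISS/200 1234 GET http://203.0.113.20:8443/gate.php - DIRECT/203.0.113.20 text/html
1161694322.456 80 192.168.1.31 TCP_HIT/200 5120 GET http://example.com/index.html - NONE/- text/html
1161694323.789 300 192.168.1.77 TCP_MISS/200 0 CONNECT 203.0.113.30:1337 - DIRECT/203.0.113.30 -
1161694324.000 120 192.168.1.31 TCP_MISS/200 0 CONNECT example.com:443 - DIRECT/203.0.113.31 -
"""

IPT_RE = re.compile(r"kernel: (?P<prefix>[\w-]+): .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")
NORMAL_HTTP_PORTS = {80, 443}

def scan_iptables(text, prefix="IRC-L7"):
    """Map internal source host -> reasons, for LOG lines carrying the given log prefix."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = IPT_RE.search(line)
        if m and m.group("prefix") == prefix:   # other prefixes (e.g. default DROP) are ignored
            hits[m.group("src")].append(f"{prefix} log hit, dport {m.group('dpt')}")
    return dict(hits)

def scan_squid(text):
    """Map proxy client -> reasons, for GET/POST/CONNECT requests to ports other than 80/443."""
    hits = defaultdict(list)
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue
        client, method, target = f[2], f[5], f[6]
        if method == "CONNECT":                 # CONNECT carries host:port, not a URL
            host, _, port = target.rpartition(":")
            port = int(port) if port.isdigit() else None
        else:
            u = urlsplit(target)                # explicit port, else the scheme's default
            host, port = u.hostname, u.port or (443 if u.scheme == "https" else 80)
        if port and port not in NORMAL_HTTP_PORTS:
            hits[client].append(f"{method} to {host}:{port}")
    return dict(hits)
```

Running both scanners and joining the results by internal host gives one host (192.168.1.23 in the sample) that shows up in both streams, which is the kind of corroboration a signature-free setup has to rely on.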
