To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

The outbound firewalling is always a good thing, but IDS is still the way to go.

IDS signatures being 'behind' isn't the same as you'd think in other industries. The botnets have been using the same C&C mechanisms for years now, and we've had coverage for years. We're seeing a couple of new C&C channels come up, even encrypted ones, but we've already got signatures for them that are effective. The lag for IDS sig development to new botnet technologies is hours or days. What's going to hit you for the foreseeable future already has signatures.

Matt

Thomas Raef wrote:
> I've been detecting and notifying botnets with
> iptables/layer7/squid/squidguard. With the small networks I work with,
> there is no IRC traffic. I use the l7-filter add-in for iptables to
> detect all outgoing IRC traffic rather than just the default port 6667.
>
> This has worked well, however with the proliferation of custom P2P C&C
> traffic and other methods of C&C, I don't feel that this system will be
> the "cat's meow" for very long. I have started using squid's proto http
> to try and test for "other than normal port 80" traffic but I'm not sure
> how well that will work. I block everything by default and only allow
> what is absolutely necessary, but I feel the bot authors are much, much
> smarter than I.
>
> What are other people doing to catch these bots without going to a
> signature based system like an IDS? I originally tried to use
> Snort-inline, and it works but it's limited to the most recent
> signature, which always seems a step or two behind.
>
> I'm interested to see what others are using...
>
> ------------------------------------------------------------------------
> *From:* Gadi Evron [mailto:[EMAIL PROTECTED]]
> *Sent:* Tue 10/24/2006 8:52 AM
> *To:* [email protected]
> *Subject:* [botnets] Re-branding IPS as an anti botnet tool
>
> I have seen a PR last month from McAfee on this issue, and now they issued
> another one.
>
> For most cases, I don't believe in IDS products.
>
> I think that trying to pitch I[DP]S as a solution for botnets is
> technologically silly, but marketing-wise right on the spot. As THE
> solution it is plain and simple silly.
> A lot of security vendors will now start taking that approach, dealing
> with the buzzword.
>
> An IPS will not cure your botnet problems. It may help pinpoint some bots
> (or similar) on your network, which is important, but that's about it.
>
> I wish McAfee all the luck in the world, but this is, in my opinion, way
> way way over-hyped:
> http://www.mcafee.com/us/local_content/white_papers/wp_botnet.pdf
>
> In another PR they present a case study on how they saved a south American
> country from a botnet attack using their IPS. I would like to see
> more.. or something, to back it up as to how, before I state my opinion.
>
> What do you think?
>
> Gadi.

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.com
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
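Thomas Raef's approach above (l7-filter matching IRC on any outbound port, and squid spotting HTTP on ports other than 80) comes down to classifying a connection by the first bytes the client sends rather than by its destination port. The script below is an added example written for this thread, not code from either poster or from the l7-filter project: it applies the same idea in user space to a handful of constructed flow records. The sample flows, the addresses and the two regular expressions are my own simplified constructions (they are not l7-filter's patterns); the Python runs as-is.

```python
import re

# Constructed sample flows, not captured traffic:
# (src, dst, dst_port, first payload bytes sent by the client)
SAMPLE_FLOWS = [
    # IRC registration on the default port: classic IRC C&C
    ("10.0.0.5",  "203.0.113.10", 6667, b"NICK bot123\r\nUSER bot123 0 * :bot\r\nJOIN #cnc\r\n"),
    # IRC registration hidden on port 80: a port-based rule misses this
    ("10.0.0.7",  "203.0.113.20", 80,   b"NICK x9z\r\nUSER x9z 8 * :x\r\n"),
    # ordinary web request on port 80: nothing to flag
    ("10.0.0.9",  "203.0.113.30", 80,   b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # plain HTTP on a non-standard port: the kind of flow the squid check is after
    ("10.0.0.11", "203.0.113.40", 8080, b"GET /u.php?id=1 HTTP/1.1\r\nHost: 203.0.113.40\r\n\r\n"),
    # start of a TLS ClientHello: opaque to payload matching, the blind spot the
    # reply above mentions for encrypted C&C channels
    ("10.0.0.13", "203.0.113.50", 443,  b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

# Simplified, hand-written patterns (assumption: not taken from l7-filter).
# IRC: a client registers with NICK/USER/PASS, one command per CRLF-terminated line.
IRC_CLIENT_RE = re.compile(rb"^(?:NICK|USER|PASS) +\S+[^\r\n]*\r\n(?:USER|NICK) ", re.IGNORECASE)
# HTTP: request line "METHOD target HTTP/1.x" followed by CRLF.
HTTP_REQUEST_RE = re.compile(rb"^(?:GET|POST|HEAD|PUT|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def classify_payload(payload: bytes) -> str:
    """Classify a connection by its first client bytes, ignoring the port."""
    if IRC_CLIENT_RE.match(payload):
        return "irc"
    if HTTP_REQUEST_RE.match(payload):
        return "http"
    return "unknown"


def find_suspicious_flows(flows, allowed_http_ports=(80, 443)):
    """Return (src, dst, port, reason) for flows worth an analyst's attention.

    IRC is flagged on any port, matching the "all outgoing IRC traffic rather
    than just port 6667" rule; HTTP is flagged only when it leaves on a port
    outside the allowed set. Payloads that match neither (e.g. TLS) are not
    flagged here, which is exactly the gap payload matching leaves open.
    """
    alerts = []
    for src, dst, port, payload in flows:
        proto = classify_payload(payload)
        if proto == "irc":
            alerts.append((src, dst, port, "irc-client-registration"))
        elif proto == "http" and port not in allowed_http_ports:
            alerts.append((src, dst, port, "http-on-nonstandard-port"))
    return alerts


def main():
    for src, dst, port, reason in find_suspicious_flows(SAMPLE_FLOWS):
        print(f"ALERT {reason}: {src} -> {dst}:{port}")


if __name__ == "__main__":
    main()
```

Run against the sample set it raises three alerts (IRC on 6667, IRC on 80, HTTP on 8080) and stays silent on the normal web request and on the TLS flow. The in-kernel equivalent is l7-filter's iptables match (`-m layer7 --l7proto irc`) applied to outbound FORWARD/OUTPUT traffic, which is what the post describes; the user-space version is only here to make the port-independent matching visible, and the silent TLS flow shows why the reply's point about encrypted channels matters for either form.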
