Snort definitely qualifies as an IPS.

On Jun 14, 2013 10:40 PM, "Simon Vass" <[email protected]> wrote:

> True, but it can also take action based on those rules such as closing
> ports, blocking IPs etc., so preventing its spread or initial infection
> via a network connection.
>
> This is a link to their analysis of it:
> http://labs.snort.org/papers/zeus.html
>
> http://santi-bassett.blogspot.co.uk/2012/09/ossim-hands-on-7-detecting-network.html
>
> Simon
>
> On 14 June 2013 16:18, Peter Atkin <[email protected]> wrote:
>
>> Ahh, understand, thanks for the clarification.
>>
>> Kind Regards
>>
>> Peter Atkin
>> (C.T.O)
>> cfts.co (u) ltd.
>> Get I.T.Right
>> +256-772-700781 | Skype: peter2cfu
>> www.cfts.co.ug <http://www.cfts.co/> | location details <http://www.cfts.co/contacts.html> | view my profile <http://ug.linkedin.com/in/peteratkin>
>>
>> From: James S. K. Makumbi [mailto:[email protected]]
>> Sent: Friday, June 14, 2013 6:08 PM
>> To: [email protected]; 'Uganda Linux User Group'
>> Subject: RE: [LUG] Zeus Botnet C&C in our neighbourhood
>>
>> Snort is more about intrusion detection and network monitoring. What you
>> are looking for is an intrusion prevention system.
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Peter Atkin
>> Sent: 14 June 2013 17:57
>> To: [email protected]; 'Uganda Linux User Group'
>> Subject: Re: [LUG] Zeus Botnet C&C in our neighbourhood
>>
>> Tell me more, not familiar with snort rules… always ready to learn and
>> share.
>>
>> Kind Regards
>>
>> Peter Atkin
>>
>> From: Simon Vass [mailto:[email protected]]
>> Sent: Friday, June 14, 2013 5:24 PM
>> To: [email protected]; Uganda Linux User Group
>> Subject: Re: [LUG] Zeus Botnet C&C in our neighbourhood
>>
>> I think snort rules might cover both of these. Great firewall IDS.
>>
>> On 14 June 2013 11:14, Peter Atkin <[email protected]> wrote:
>>
>> Hi Philip,
>>
>> My bad, should have read more thoroughly: Zeus and SpyEye are competing
>> products working in a similar fashion; uploading IP block list now into our
>> firewall for both Zeus and SpyEye.
>>
>> Certainly do not want to be victim of a bot net take over or attack..
>> thanks for the heads up
>>
>> Kind Regards
>>
>> Peter Atkin
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Phillip Simbwa
>> Sent: Friday, June 14, 2013 12:47 PM
>> To: lug
>> Subject: Re: [LUG] Zeus Botnet C&C in our neighbourhood
>>
>> @Peter (Atkin)
>>
>> The link I shared specifically tracks Zeus NOT SpyEye!
>>
>> Here is the link sent earlier: https://zeustracker.abuse.ch/index.php
>>
>> And this is what I posted:
>> **************************************************************
>> Zeus is one of the most successful financial botnets in the history of
>> botnets. It's very sophisticated and hard to detect, let alone decisively
>> deal with. It has been used to hit mainly financial institutions but the
>> recent trend is hitting any corporate organization.
>>
>> Why should you worry?
>>
>> There is a command and control (C&C) server in Rwanda and it's been there
>> since last year.
>> https://zeustracker.abuse.ch/index.php
>> The ISP serving this server happens to be MTN Rwandacell.
>>
>> Our UGCERT could start watching for any traffic terminating to that server
>> (IP: 41.186.24.58) just in case that turns out to be the regional C&C.
>>
>> For the CIOs, check your network logs just in case...
>>
>> Cheers,
>>
>> --
>> - Phillip.
>> ********************************************************************
>>
>> The links you have provided however track SpyEye, and indeed there isn't
>> any SpyEye C&C on that server in Rwanda.
>>
>> I think you were looking for the wrong thing here...
>>
>> --
>> - Phillip.
>>
>> “Aoccdrnig to rscheearch at an Elingsh uinervtisy, it deosn't mttaer in
>> waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the
>> frist and lsat ltteer are in the rghit pclae. The rset can be a toatl mses and
>> you can sitll raed it wouthit a porbelm. Tihs is bcuseae we do not raed
>> ervey lteter by it slef but the wrod as a wlohe and the biran fguiers it
>> out aynawy."
>>
>> __________________________________________________________________________________
>> This e-mail is company confidential and may contain legally privileged
>> information. If you are not the intended recipient, you should not copy,
>> distribute, disclose or use the information it contains. Please e-mail the
>> sender immediately and delete this message from your system.
>> Note: e-mails are susceptible to corruption, interception and
>> unauthorized amendment; we do not accept liability for any such changes, or
>> for their consequences.
>
> --
> Simon Vass
> Managing Director
> E-Tech Uganda Ltd
> http://www.etech.ug
> Tel: +256 (0) 312260620
> Email: [email protected]

_______________________________________________
The Uganda Linux User Group: http://linux.or.ug

Send messages to this mailing list by addressing e-mails to:
[email protected]
Mailing list archives: http://www.mail-archive.com/[email protected]/
Mailing list settings: http://kym.net/mailman/listinfo/lug
To unsubscribe: http://kym.net/mailman/options/lug

The Uganda LUG mailing list is generously hosted by INFOCOM:
http://www.infocom.co.ug/

The above comments and data are owned by whoever posted them (including
attachments if any). The mailing list host is not responsible for them in
any way.
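An added example, not code from the thread or from any of its participants: a small Python script that loads a zeustracker-style IP block list, sweeps firewall connection log lines for traffic to a listed address (the "check your network logs" step Phillip suggests), and emits the equivalent Snort rules so the same list can run as IDS alerts or, in inline mode, as IPS drops. The log format, the second address and the sid range are assumptions; 41.186.24.58 is the address named in the thread.

```python
import ipaddress
import re

# Constructed block list, one IPv4 address per line with '#' comments.
BLOCKLIST_TEXT = """\
# Zeus C&C block list (constructed sample)
41.186.24.58   # address named in the thread
192.0.2.10     # placeholder from the RFC 5737 documentation range, not a real indicator
not-an-ip      # malformed entry, skipped by the loader
"""

# Constructed iptables-style connection log lines (timestamp, src, dst, dport).
LOG_LINES = [
    "2013-06-14T11:02:17 SRC=10.0.5.23 DST=41.186.24.58 DPT=80 ACCEPT",
    "2013-06-14T11:02:19 SRC=10.0.5.23 DST=93.184.216.34 DPT=443 ACCEPT",
    "2013-06-14T11:03:01 SRC=10.0.7.9 DST=192.0.2.10 DPT=8080 ACCEPT",
    "garbage line that does not parse",
]

LOG_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)")


def load_blocklist(text):
    """Parse the block list, ignoring comments, blank lines and invalid addresses."""
    ips = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ips.add(str(ipaddress.ip_address(line)))
        except ValueError:
            pass  # malformed entry: skip it rather than abort the whole list
    return ips


def find_cnc_connections(log_lines, blocklist):
    """Return (timestamp, src, dst, dport) for every line whose destination is listed."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip, do not crash the sweep
        ts, src, dst, dport = m.groups()
        if dst in blocklist:
            hits.append((ts, src, dst, int(dport)))
    return hits


def snort_rules(blocklist, base_sid=1000001, action="alert"):
    """One Snort 2 rule per listed address; action='drop' for inline (IPS) mode."""
    return [f'{action} ip $HOME_NET any -> {ip} any '
            f'(msg:"Zeus C&C blocklist hit {ip}"; sid:{sid}; rev:1;)'
            for sid, ip in enumerate(sorted(blocklist), start=base_sid)]


if __name__ == "__main__":
    bl = load_blocklist(BLOCKLIST_TEXT)
    for hit in find_cnc_connections(LOG_LINES, bl):
        print("C&C contact:", hit)
    print("\n".join(snort_rules(bl)))
```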
