To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

Thomas Raef wrote:
> I've been using a linux box with iptables and l7-filter to detect
> botnets on local networks.
>
> It's done quite a fine job of detecting the traffic rather than just
> identifying it by destination port.
>
> Anyone else trying this?
Yes, with snort. But you have to constantly tune your rules to maximize
your valid hits and minimize the FPs. By the time you have a really good
signature (that you would trust to block via snortsam/snort-inline/etc)
for a bot, it usually only works for that specific variant.

The more difficult and time-consuming part is using more generic
signatures to flag 'suspicious' IRC traffic and manually scouring the
results trying to separate out the bycatch and/or fine-tune a sig to
catch the positives.

Jeff

_______________________________________________
botnets mailing list
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
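The trade-off Jeff describes (a variant-specific signature that misses everything else versus generic "suspicious IRC" heuristics that drag in bycatch) is easy to see on a handful of lines. The script below is an added illustration, not code from either poster and not a Snort rule set: it runs two Python regex "signatures" over constructed IRC command lines (the channel name `#xb0t3`, the bracketed nick style and the dot-command convention are assumed sample conventions, not taken from this thread) and tallies hits, misses and false positives for each.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed IRC client->server lines for the demonstration, CRLF stripped.
# Tuple layout: (description, payload, is_bot). None of these are real captures.
SAMPLES: List[Tuple[str, str, bool]] = [
    ("bot: keyed JOIN to its C&C channel",        "JOIN #xb0t3 k3ypass",                      True),
    ("bot: nick in [CC|OS|NNNNN] style",          "NICK [USA|XP|02389]",                      True),
    ("bot: dot-command from the controller",      "PRIVMSG #xb0t3 :.login hunter2",           True),
    ("bot variant B: other channel, same nick style", "NICK [DEU|2K|77121]",                  True),
    ("user: plain nick",                          "NICK alice",                               False),
    ("user: plain join",                          "JOIN #linux",                              False),
    ("user: keyed join to a private channel",     "JOIN #friends secretpw",                   False),
    ("user: message starting with a dot",         "PRIVMSG #linux :.bashrc is where I keep it", False),
    ("user: normal message",                      "PRIVMSG #linux :anyone tried l7-filter?",  False),
]

# Variant-specific signature: tied to one bot family's channel name (assumed value).
# High confidence when it fires, but blind to the next variant that renames the channel.
VARIANT_RE = re.compile(r"^(?:JOIN|PRIVMSG) #xb0t3\b")

# Generic heuristics for "suspicious IRC": machine-style nicks, dot-prefixed
# commands, and keyed channel joins. Each is a behaviour, not a variant identifier.
GENERIC_RES = [
    re.compile(r"^NICK \[[A-Z]{2,3}\|[^\]]*\]"),   # NICK [USA|XP|02389]
    re.compile(r"^PRIVMSG \S+ :\.[a-z]"),          # PRIVMSG #chan :.cmd ...
    re.compile(r"^JOIN #\S+ \S+$"),                # JOIN #chan key
]

Signature = Callable[[str], bool]


def match_variant(payload: str) -> bool:
    """True if the line matches the variant-specific signature."""
    return VARIANT_RE.search(payload) is not None


def match_generic(payload: str) -> bool:
    """True if the line trips any of the generic suspicious-IRC heuristics."""
    return any(r.search(payload) for r in GENERIC_RES)


def evaluate(sig: Signature, samples=SAMPLES) -> Dict[str, int]:
    """Count true/false positives and negatives for a signature over the samples."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for _, payload, is_bot in samples:
        hit = sig(payload)
        key = ("tp" if is_bot else "fp") if hit else ("fn" if is_bot else "tn")
        counts[key] += 1
    return counts


def bycatch(sig: Signature, samples=SAMPLES) -> List[str]:
    """Descriptions of the legitimate lines a signature flags: the manual review queue."""
    return [desc for desc, payload, is_bot in samples if sig(payload) and not is_bot]


if __name__ == "__main__":
    for name, sig in (("variant-specific", match_variant), ("generic", match_generic)):
        print(f"{name:17s} {evaluate(sig)}")
        for desc in bycatch(sig):
            print(f"{'':17s}   bycatch: {desc}")
```

Run as-is, the variant-specific rule scores 2 hits and 0 false positives but misses both lines from the renamed variant, while the generic heuristics catch all four bot lines and also flag two legitimate ones (a keyed join to a private channel and a message that happens to start with a dot). Those two entries are exactly the "bycatch" a human has to scour through before a generic rule can be trusted in a blocking path.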
