To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Jeff Kell wrote:

> Thomas Raef wrote:
>
>> I've been using a linux box with iptables and l7-filter to detect
>> botnets on local networks.
>>
>> It's done quite a fine job of detecting the traffic rather than just
>> identifying it by destination port.
>>
>> Anyone else trying this?
>
> Yes, with snort. But you have to constantly tune your rules to maximize your
> valid hits and minimize the FPs. By the time you have a really good signature
> (that you would trust to block via snortsam/snort-inline/etc) for a bot, it
> usually only works for that specific variant.
>
> The more difficult and time-consuming part is using more generic signatures to
> flag 'suspicious' IRC traffic and manually scouring the results trying to
> separate out the bycatch and/or fine-tune a sig to catch the positives.

That's always been a problem... finding good and effective Snort rules. Although Snort has a good collection of rules, we need a more refined list of rules for detecting the bots. Does anyone know of a good set of snort rules for detecting them?

John

_______________________________________________
botnets mailing list
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
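An added illustration of the two points made in this thread (not code from any of the posters, l7-filter, or Snort): a payload signature in the style of an l7-filter pattern or a Snort content rule catches IRC handshakes on any port, and a generic signature still yields bycatch that has to be triaged by hand. The handshake regex, the port list and the sample flows are constructed assumptions, not real l7-filter or Snort rules.

```python
import re
from dataclasses import dataclass

# Generic IRC-handshake signature, assumed here in the spirit of an l7-filter
# pattern / Snort content rule: a NICK line followed by a USER line at the
# start of the client's first bytes. Real clients may send PASS/CAP first or
# USER before NICK, so a production signature would need to accept those too.
IRC_HANDSHAKE = re.compile(rb"^NICK [^\r\n]+\r\nUSER [^\r\n]+\r\n", re.IGNORECASE)
IRC_PORTS = {6667, 6668, 6669, 6697}   # conventional IRC ports (assumption)

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes   # first client-to-server bytes of the flow

def port_based(flow: Flow) -> bool:
    """Destination-port matching: the approach Thomas says l7-filter improves on."""
    return flow.dport in IRC_PORTS

def content_based(flow: Flow) -> bool:
    """Layer-7 matching on the payload, regardless of destination port."""
    return IRC_HANDSHAKE.match(flow.payload) is not None

def triage(flows):
    """Bucket flows so an analyst can scour the disagreements by hand."""
    buckets = {"irc_on_std_port": [], "irc_on_odd_port": [], "port_only_hit": []}
    for f in flows:
        by_content, by_port = content_based(f), port_based(f)
        if by_content and by_port:
            buckets["irc_on_std_port"].append(f)
        elif by_content:
            buckets["irc_on_odd_port"].append(f)   # missed by port matching
        elif by_port:
            buckets["port_only_hit"].append(f)     # bycatch of port matching
    return buckets

def summarize(flows):
    return {name: len(items) for name, items in triage(flows).items()}

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 6667, b"NICK alice\r\nUSER alice 0 * :Alice\r\n"),
    Flow("10.0.0.6", "192.0.2.20", 80,   b"NICK x12345\r\nUSER x 0 * :x\r\nJOIN #c\r\n"),
    Flow("10.0.0.7", "192.0.2.30", 6667, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    Flow("10.0.0.8", "192.0.2.40", 443,  b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26"),
]

if __name__ == "__main__":
    for name, flows in triage(SAMPLE_FLOWS).items():
        print(name, [(f.src, f.dst, f.dport) for f in flows])
```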
