To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

It helps greatly! Thanks for the advice :)

At home I'm running a simple iptables setup. At work we're running two openbsd firewall machines talking via carp. We're also making a huge push to migrate from our freebsd backend to a windows backend, and in the mix somewhere is replacing the openbsd firewalls with two HA paired pix 515e's.

The old ids was a sun netra x1 that some genius formatted and put freebsd on. After that they apparently were never touched, so the database grew large with false positives and began to slow the box down. Once I came on board and took a look at these things they were so slow I would often get http timeouts trying to browse the data. I quickly ripped them out and I'm looking for something better.

This place currently doesn't have any IDS systems at the moment, and I'd like to find myself in a situation where I can report potential bot infections from work, and potential existing bots from home, then attempt to correlate the data.

-Dan

Jose Nazario wrote:
> On Tue, 13 Jun 2006, dan wrote:
>
>> I was curious how many people on the list are using active response
>> systems for their IDS installations. If so, which ones?
>
> since you said that you're using snort, i don't know if you have linux
> firewalling enabled or not, but if so:
>
> http://www.stearns.org/snort2iptables/
>
> if you're using openbsd+pf, check out snort2c:
>
> http://snort2c.sourceforge.net/
>
> or snort2pf:
>
> http://www.thinknerd.org/~ssc/wiki/doku.php?id=snort2pf
>
> there are also plugins for Checkpoint SAM integration (snortsam). and
> also snort-inline (in IPS mode).
>
> in short, lots of ways to block known offending hosts with snort. just
> make sure that your ruleset is up to snuff.
>
> you may also want to mix it with something to watch your SSH logs to
> track brute forcing attempts (and insert the appropriate FW rules) and
> also your apache access attempts (ie to stop those mambo attempts).
>
> also, if you're worried about bots getting OUT of your network once
> they've attacked, you can look at things like null routing if you can
> get a list of known botnets and have them updated frequently enough, or
> you can also firewall the destination hosts. this would block the bot
> from successfully getting to the C&C server; it won't block the bot's
> propagation attempts. clearly, keeping up to date on patches and
> auditing for NULL or weak passwords will stop most bot propagations; it
> won't stop the Trojan horse infection vector, though. keep your AV up to
> date and you'll track most malware (but, i do have to admit, most of the
> bots i catch and analyze are poorly detected by AV, if at all).
>
> hope this helps,
>
> ________
> jose nazario, ph.d. [EMAIL PROTECTED]
> http://monkey.org/~jose/ http://monkey.org/~jose/secnews.html
> http://www.wormblog.com/

_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
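The SSH-log watcher Jose suggests above (count brute-force failures per source, then hand the offenders to pf or iptables, which covers both Dan's openbsd and iptables setups) as an added example, not code posted in the thread. The sshd log lines are constructed; the threshold, the allowlist of management hosts and the pf table name `bruteforce` are assumptions.

```python
import re
from collections import Counter

# Constructed sshd syslog lines (not from the list post); OpenSSH's usual
# "Failed password" / "Invalid user" messages from three source addresses.
SAMPLE_AUTH_LOG = """\
Jun 13 10:01:02 fw1 sshd[4021]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Jun 13 10:01:04 fw1 sshd[4023]: Failed password for invalid user test from 198.51.100.23 port 51030 ssh2
Jun 13 10:01:06 fw1 sshd[4025]: Failed password for root from 198.51.100.23 port 51041 ssh2
Jun 13 10:01:09 fw1 sshd[4027]: Failed password for invalid user oracle from 198.51.100.23 port 51055 ssh2
Jun 13 10:01:11 fw1 sshd[4029]: Failed password for root from 198.51.100.23 port 51060 ssh2
Jun 13 10:02:30 fw1 sshd[4031]: Failed password for dan from 192.0.2.10 port 40022 ssh2
Jun 13 10:02:41 fw1 sshd[4033]: Accepted publickey for dan from 192.0.2.10 port 40023 ssh2
Jun 13 10:03:00 fw1 sshd[4035]: Invalid user guest from 203.0.113.7
"""

# Matches a failed password (valid or invalid user) or an invalid-user probe
# and captures the source IPv4 address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|Invalid user \S+)"
    r" from (\d{1,3}(?:\.\d{1,3}){3})"
)

def count_failures(log_text):
    """Return {source_ip: number of failed SSH authentication attempts}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offenders(counts, threshold=5, allowlist=()):
    """Sources at or above the threshold, minus allowlisted management hosts
    (so a mistyped admin password never locks the admin out)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allowlist)

def pf_rules(ips, table="bruteforce"):
    """pfctl commands adding offenders to a pf table (assumed: a 'block in quick
    from <bruteforce>' rule already exists in pf.conf)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]

def iptables_rules(ips, chain="INPUT"):
    """Equivalent iptables commands dropping SSH from each offender."""
    return [f"iptables -I {chain} -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]

if __name__ == "__main__":
    bad = offenders(count_failures(SAMPLE_AUTH_LOG), threshold=5, allowlist={"192.0.2.10"})
    for cmd in pf_rules(bad) + iptables_rules(bad):
        print(cmd)  # review, then run on the firewall host
```

The commands are emitted as strings rather than executed, so the output can be reviewed before any rule reaches a firewall.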
