[Snort-sigs] Snort for detecting spyware?

Chris Green cmg at ...435...
Sun May 5 21:28:02 EDT 2002


"Imran William Smith" <iwsmith at ...500...> writes:

> Has anybody done any work on detecting spyware with
> snort?  Seems like the logical way to do it, but looks
> like most approaches so far are host-based.
>
> Several advantages to network method : 
>
> 1) not necessary to install software on each desktop
> 2) one client gets 'infected' with known spyware -> can
> then block offending external sites for the whole organisation
> at the firewall (or flex response).
> 3) very quick method to determine scale of the problem
>
> I have contacted the people at www.lavasoftusa.com who
> develop the well respected ad-aware product, asking them

It's pretty easy because most of the spyware stuff reports to a
central ip and you can just alert on the IP or use other traffic
analysis tools to find them
-- 
Chris Green <cmg at ...435...>
Laugh and the world laughs with you, snore and you sleep alone.




More information about the Snort-sigs mailing list