[Snort-sigs] Snort for detecting spyware?
cmg at ...435...
Sun May 5 21:28:02 EDT 2002
"Imran William Smith" <iwsmith at ...500...> writes:
> Has anybody done any work on detecting spyware with
> snort? Seems like the logical way to do it, but looks
> like most approaches so far are host-based.
> Several advantages to network method :
> 1) not necessary to install software on each desktop
> 2) one client gets 'infected' with known spyware -> can
> then block offending external sites for the whole organisation
> at the firewall (or flex response).
> 3) very quick method to determine scale of the problem
> I have contacted the people at www.lavasoftusa.com who
> develop the well respected ad-aware product, asking them
It's pretty easy because most of the spyware stuff reports to a
central IP and you can just alert on the IP or use other traffic
analysis tools to find them.
Chris Green <cmg at ...435...>
Laugh and the world laughs with you, snore and you sleep alone.
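
The approach in the reply above (alert on the central reporting IPs, then use traffic data to see how many hosts are affected), as an added example that is not part of the original thread. The server addresses, HOME_NET range, flow records, rule message, and SID are all constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation-range addresses stand in for
# known spyware reporting servers; none of these are real indicators.
SPYWARE_SERVERS = ["192.0.2.10", "198.51.100.0/28"]
HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed flow records (source, destination), e.g. from firewall logs.
FLOWS = [
    ("10.1.1.5", "192.0.2.10"),
    ("10.1.1.5", "203.0.113.80"),
    ("10.1.2.9", "198.51.100.3"),
    ("10.1.2.9", "192.0.2.10"),
    ("10.1.3.7", "203.0.113.80"),
    ("172.16.0.4", "192.0.2.10"),   # source outside HOME_NET, ignored
    ("10.1.4.2", "198.51.100.77"),  # outside the listed /28, no match
]

def snort_rule(servers, sid=1000001):
    """Build one Snort rule alerting on any IP traffic to the listed servers."""
    nets = [str(ipaddress.ip_network(s)) for s in servers]  # validates input
    return ('alert ip $HOME_NET any -> [%s] any '
            '(msg:"Possible spyware phone-home"; sid:%d; rev:1;)'
            % (",".join(nets), sid))

def affected_hosts(flows, servers, home_net=HOME_NET):
    """Map each internal host to the set of listed servers it contacted."""
    nets = [ipaddress.ip_network(s) for s in servers]
    hits = defaultdict(set)
    for src, dst in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in home_net:
            continue
        for net in nets:
            if dst_ip in net:
                hits[src].add(str(net))
    return dict(hits)

if __name__ == "__main__":
    print(snort_rule(SPYWARE_SERVERS))
    for host, nets in sorted(affected_hosts(FLOWS, SPYWARE_SERVERS).items()):
        print(host, "->", ", ".join(sorted(nets)))
```

The per-host mapping gives the scale of the problem mentioned in the quoted message, and the same server list can feed a firewall block.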