[Snort-users] was--Matt Jonkman in the new Hakin9--now detecting infections

Jefferson, Shawn Shawn.Jefferson at ...14448...
Thu Feb 3 14:26:08 EST 2011


"If Joe Clueless clicks on enough bad things"

I often see this sort of comment from security folks, but unfortunately with the threats on the web today, it's very difficult for Joe Clueless to identify "bad things".  Search results are poisoned (and a lot of very obscure stuff as well, not just current events), legitimate sites are compromised, syndicated ads are malicious, etc...


-----Original Message-----
From: John York [mailto:YorkJ at ...7109...] 
Sent: Thursday, February 03, 2011 6:43 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] was--Matt Jonkman in the new Hakin9--now detecting infections

I agree wholeheartedly.  My biggest concern is getting to the infected machines ASAP, so that's what I *really* want alerts on.  The IPS, firewall, AV, web filter, no admin rights for users, etc all do what they can to prevent compromises.  If Joe Clueless clicks on enough bad things, one of them will get him eventually and the trick is to get the computer isolated immediately.

BotHunter is a Snort-based system for detecting infections.  I've wanted to test it but have never had time.  Has anyone had good results with it?  ( I know I'm OT, but it is Snort based--maybe only one drink ;-)

Thanks
John
