[Snort-users] was--Matt Jonkman in the new Hakin9--now detecting infections
YorkJ at ...7109...
Thu Feb 3 14:33:42 EST 2011
True. It's easy to pick on Joe, and hard to resist sometimes...
From: Jefferson, Shawn [mailto:Shawn.Jefferson at ...14448...]
Sent: Thursday, February 03, 2011 2:26 PM
To: John York; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] was--Matt Jonkman in the new Hakin9--now detecting infections
"If Joe Clueless clicks on enough bad things"
I often see this sort of comment from security folks, but unfortunately with the threats on the web today, it's very difficult for Joe Clueless to identify "bad things". Search results are poisoned (and a lot of very obscure stuff as well, not just current events), legitimate sites are compromised, syndicated ads are malicious, etc...
From: John York [mailto:YorkJ at ...7109...]
Sent: Thursday, February 03, 2011 6:43 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] was--Matt Jonkman in the new Hakin9--now detecting infections
I agree wholeheartedly. My biggest concern is getting to the infected machines ASAP, so that's what I *really* want alerts on. The IPS, firewall, AV, web filter, no admin rights for users, etc. all do what they can to prevent compromises. If Joe Clueless clicks on enough bad things, one of them will get him eventually and the trick is to get the computer isolated immediately.
BotHunter is a Snort-based system for detecting infections. I've wanted to test it but have never had time. Has anyone had good results with it? (I know I'm OT, but it is Snort based--maybe only one drink ;-)