[Snort-users] Malware detection with Snort
Maxwell, Jamison [HDS]
JMaxwell at ...16424...
Tue Nov 26 13:37:25 EST 2013
I have excellent success with catching malware in my user networks. First, it's been a good practice for several years now to block outbound 25 on user segments; that way your users have to go through a configured relay in order to send mail. There are many ways to accomplish this, but I would be hesitant to offer any specific advice without an understanding of your network. Moving to Snort, I bridge/span the WAN and LAN interfaces on my firewall to a sensor interface on my IDS. This way, you can capture inbound and outbound with one tap. When packets come up that match the spyware signatures, I run the internal IP address against a PowerShell script I wrote to get the hostname and the currently logged in user.
Sr. Systems Administrator
HD Supply - Facilities Maintenance
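As an added example (not the poster's own script), here is one way to do that last step in PowerShell: parse a Snort fast-format alert line, pick out the RFC 1918 address on whichever side of the flow it sits, and look up its hostname and logged-on user. It assumes reverse DNS for the user segments and WinRM access to the workstations; the alert line, SID and rule message are constructed placeholders.

```powershell
# Added example, not the list poster's script. Turns a Snort alert_fast line into
# "who was on that box": internal IP -> PTR hostname -> interactively logged-on user.

function Test-PrivateIPv4 {
    param([string]$Ip)
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    return ($Ip -match '^10\.') -or
           ($Ip -match '^172\.(1[6-9]|2[0-9]|3[01])\.') -or
           ($Ip -match '^192\.168\.')
}

function Get-InternalIpFromAlert {
    param([string]$AlertLine)
    # Fast-format alerts end in "{PROTO} src[:port] -> dst[:port]"; port is absent for ICMP
    $pattern = '\{\w+\}\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(\d+\.\d+\.\d+\.\d+)'
    if ($AlertLine -match $pattern) {
        # Whichever side is private is the user workstation, regardless of direction
        foreach ($candidate in @($Matches[1], $Matches[2])) {
            if (Test-PrivateIPv4 $candidate) { return $candidate }
        }
    }
    return $null
}

function Get-WorkstationOwner {
    param([string]$Ip)
    $result = [ordered]@{ IP = $Ip; Hostname = $null; LoggedOnUser = $null }
    try {
        $result.Hostname = [System.Net.Dns]::GetHostEntry($Ip).HostName
    } catch {
        return [pscustomobject]$result   # no PTR record: report the bare IP for manual follow-up
    }
    try {
        # Win32_ComputerSystem.UserName is the interactive session's account (DOMAIN\user)
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $result.Hostname -ErrorAction Stop
        $result.LoggedOnUser = $cs.UserName
    } catch {
        $result.LoggedOnUser = "unreachable: $($_.Exception.Message)"
    }
    return [pscustomobject]$result
}

# Constructed sample alert (placeholder SID and message, documentation-range external address)
$sample = '11/26-13:37:25.000000  [**] [1:9999999:1] PLACEHOLDER spyware signature [**] [Priority: 1] {TCP} 10.20.30.40:49213 -> 198.51.100.7:80'
$ip = Get-InternalIpFromAlert $sample
if ($ip) { Get-WorkstationOwner $ip | Format-List }
```

Feeding the output of `tail -f` on the alert file through this (or wiring it to a Barnyard2 or syslog consumer) gives the hostname/user pair at alert time, before the DHCP lease changes hands.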
From: snort-users-request at lists.sourceforge.net [mailto:snort-users-request at lists.sourceforge.net]
Sent: Tuesday, November 26, 2013 12:40 PM
To: snort-users at lists.sourceforge.net
Subject: Snort-users Digest, Vol 90, Issue 34