[Snort-users] Malware detection with Snort

Maxwell, Jamison [HDS] JMaxwell at ...16424...
Tue Nov 26 13:37:25 EST 2013


I have excellent success with catching malware in my user networks.  First, it's been a good practice for several years now to block outbound 25 on user segments, that way your users have to go through a configured relay in order to send mail.  There are many ways to accomplish this, though, but I would be hesitant to offer any specific advice without an understanding of your network.  Moving to Snort, I bridge/span the WAN and LAN interfaces on my firewall to a sensor interface on my IDS.  This way, you can capture inbound and outbound with one tap.  When packets come up that match the spyware signatures, I run the internal IP address against a PowerShell script I wrote to get the hostname and the currently logged in user.




Jamison Maxwell
Sr. Systems Administrator
HD Supply - Facilities Maintenance
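One way to do the alert-to-user lookup described in the post above, as an added example rather than the poster's own script. It assumes reverse DNS resolves the LAN addresses and that the account running it has WMI/RPC rights on the workstations; the function name and parameters are this example's own.

```powershell
# Added example (not the poster's script): enrich the internal IP from a
# Snort spyware alert with the DNS hostname and the interactively logged-on user.
# Assumptions: reverse DNS works for the user segments, and the calling account
# is a local administrator on the workstation so remote WMI succeeds.
param(
    [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
    [string]$InternalIp
)

function Resolve-AlertHost {
    param([string]$Ip)
    $result = [ordered]@{ Ip = $Ip; Hostname = $null; LoggedOnUser = $null; Error = $null }
    try {
        # The Snort alert only carries the address, so reverse-resolve it first.
        $result.Hostname = [System.Net.Dns]::GetHostEntry($Ip).HostName
    } catch {
        $result.Error = "Reverse DNS failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    try {
        # Win32_ComputerSystem.UserName is the console user (DOMAIN\user);
        # it is empty when nobody is logged on interactively.
        $cs = Get-WmiObject -Class Win32_ComputerSystem `
                            -ComputerName $result.Hostname -ErrorAction Stop
        $result.LoggedOnUser = if ($cs.UserName) { $cs.UserName } else { '<no console session>' }
    } catch {
        # Typical causes: host offline, firewall blocking RPC, or no admin rights.
        $result.Error = "WMI query failed: $($_.Exception.Message)"
    }
    return [pscustomobject]$result
}

# Example invocation with a constructed private address; in practice the IP
# comes from the src/dst field of the Snort alert line.
Resolve-AlertHost -Ip $InternalIp | Format-List
```

The script can be fed a list of addresses extracted from the alert file via the pipeline, which makes it easy to batch the lookups right after a burst of alerts.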


-----Original Message-----
From: snort-users-request at lists.sourceforge.net [mailto:snort-users-request at lists.sourceforge.net] 
Sent: Tuesday, November 26, 2013 12:40 PM
To: snort-users at lists.sourceforge.net
Subject: Snort-users Digest, Vol 90, Issue 34

