[Intrusions] Assessing Your Malware Exposure with Snort

Matt Jonkman matt at infotex.com
Sun Feb 20 16:19:47 GMT 2005


My concern is sensor load with that many pcre's though. What are you 
seeing? Is it pushing sensors into packet dropping to keep up?

Matt

Mark E. Donaldson wrote:
> Thanks. These are great and error-free. I've got them running on five
> sensors without a single adjust required.
> 
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Cory.Bys at fbol.com
> Sent: Tuesday, February 15, 2005 8:39 AM
> To: intrusions at lists.sans.org
> Subject: [Intrusions] Assessing Your Malware Exposure with Snort
> 
> I have written a few thousand Snort rules that are intended to detect
> successful HTTP communication with hosts known to be evil. They look for
> domain names in the Host string so they are not subject to evasion by
> changing IP addresses.
> 
> If you would like to give them a try you can grab them from
> http://www.kgb.to/malware.html .
> 
> *******************    N O T I C E    *******************
> The information contained in this e-mail, and in any accompanying documents,
> may constitute confidential and/or legally privileged information.  The
> information is intended only for use by the designated recipient.  If you
> are not the intended recipient (or responsible for the delivery of the
> message to the intended recipient), you are hereby notified that any
> dissemination, distribution, copying, or other use of, or taking of any
> action in reliance on this e-mail is strictly prohibited.  If you have
> received this e-mail communication in error, please notify the sender
> immediately and delete the message from your system.
> ***************************************************
> 
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
> 
> ########################################################
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is believed to be clean.
> 
> postmaster at bandwidthco.com
> MailScanner at bandwidthco.com is for your absolute protection.
> ########################################################
> 

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------


NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.
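The approach Cory describes (match the Host header domain, not the IP) and Matt's pcre load concern can both be illustrated with a small script. This is an added example, not code from the thread or from the kgb.to rule set: it extracts the Host header from constructed sample requests, checks it against a constructed blocklist on label boundaries, and emits an equivalent Snort rule that uses a plain `content` match instead of `pcre`. The blocklist, sample requests, sid range and rule message are all assumptions; the `http_header` modifier is assumed to be available on the sensor's Snort version.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed blocklist for the example (not the kgb.to list).
BAD_DOMAINS = {"evil.example", "c2.bad.test"}

# Constructed raw HTTP requests, as a sensor would see them on the wire.
SAMPLE_REQUESTS = [
    b"GET /update.php HTTP/1.1\r\nHost: evil.example\r\nUser-Agent: x\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: cdn.EVIL.example:8080\r\n\r\n",   # subdomain + port
    b"GET / HTTP/1.1\r\nHost: notevil.example\r\n\r\n",         # must NOT match
    b"GET / HTTP/1.1\r\nHost: evil.example.attacker.test\r\n\r\n",  # must NOT match
    b"GET / HTTP/1.1\r\nUser-Agent: no-host\r\n\r\n",           # no Host header
]

# Host header at the start of a line; the header name is case-insensitive.
HOST_RE = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)


def extract_host(request: bytes) -> Optional[str]:
    """Return the Host header value lower-cased with any :port removed."""
    m = HOST_RE.search(request)
    if not m:
        return None
    host = m.group(1).strip().decode("ascii", "replace").lower()
    # Strip a trailing port; bracketed IPv6 literals keep their colons.
    if not host.startswith("[") and ":" in host:
        host = host.split(":", 1)[0]
    return host


def host_matches(host: str, blocklist: Iterable[str]) -> Optional[str]:
    """Return the blocklisted domain that host equals or is a subdomain of.

    Matching on label boundaries means 'notevil.example' does not hit
    'evil.example', and neither does 'evil.example.attacker.test'."""
    for bad in blocklist:
        if host == bad or host.endswith("." + bad):
            return bad
    return None


def scan(requests: Iterable[bytes], blocklist: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (observed_host, blocklisted_domain) pairs for every hit."""
    hits = []
    for req in requests:
        host = extract_host(req)
        if host is None:
            continue
        bad = host_matches(host, blocklist)
        if bad is not None:
            hits.append((host, bad))
    return hits


def make_rule(domain: str, sid: int) -> str:
    """Emit a Snort rule for one domain using a fixed content match.

    A content match is cheap for the sensor compared with a pcre. The
    price is precision: 'Host|3A| evil.example' also fires on
    'Host: evil.example.attacker.test', which host_matches() above rejects.
    Closing that gap in Snort needs a pcre with a boundary, i.e. the load
    trade-off raised in the thread. The sid is a constructed local value."""
    return (
        "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS "
        f'(msg:"MALWARE Host header {domain}"; flow:to_server,established; '
        f'content:"Host|3A| {domain}"; nocase; http_header; '
        f"classtype:trojan-activity; sid:{sid}; rev:1;)"
    )


def make_ruleset(blocklist: Iterable[str], first_sid: int = 1000001) -> List[str]:
    """One rule per domain, sids assigned in sorted domain order."""
    return [make_rule(d, first_sid + i) for i, d in enumerate(sorted(blocklist))]


if __name__ == "__main__":
    for host, bad in scan(SAMPLE_REQUESTS, BAD_DOMAINS):
        print(f"HIT  {host:30s} -> {bad}")
    for rule in make_ruleset(BAD_DOMAINS):
        print(rule)
```

The Python boundary check is what a rule author would want the signature to do; the generated content rule deliberately does less so the sensor stays fast, which is why a few thousand of these are tolerable where a few thousand pcre rules may not be.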
