List: emerging-sigs
Subject: [Emerging-Sigs] Emerging-sigs Digest, Vol 3, Issue 28
From: jim.mcquaid () gmail ! com (Jim McQuaid)
Date: 2008-02-22 0:52:52
Message-ID: fe7b01530802211652i6b9a8ab1we38115452df9f1e0 () mail ! gmail ! com
I appreciate the excellent suggestions, James and Matt. A while back I
had set BH DNS to redirect to a local IP (which I had an iptables
drop and log rule for), but obviously Smoothwall didn't give me the
domain information. I haven't run LaBrea on Smoothwall v3.0 yet, but
that had crossed my mind as well.

I do have Snort Inline running in between the clients and Smoothwall,
so I can "run snort with the IP of your listener defined as an
external_net". This is a *terrific* idea! Of the 4 Snort instances I
have, the least shows up on the inside, and I can capture the
offending packets and see everything that is going on. I'm going to
set this up right now :)
Jim McQuaid
> The only thing that I would be concerned about is UDP and non-HTTP traffic
> wouldn't get logged. I did see a UDP-based C&C about a year ago that was
> using encrypted udp/53 for outbound C&C communications.
>
> --James

> That's a good point, James. There could be DNS-based C&C going there.
>
> Maybe run snort with the IP of your listener defined as an external_net.
> That'll help at least.
>
> Matt
> > > I have 113,000 objects blackholed, and cannot run the corresponding
> > > snort sigs without dedicating an entire box to it. What I want is a
> > > DNS-generated entry in my IDS or firewall logs indicating the local
> > > machine that made the connection attempt, and the blacklisted object
> > > by name, and I want to do this without using Squid. A succinct, plain
> > > text log would suffice. So, I've retrieved my handful of DNS
> > > programming books.
--
James McQuaid
http://www.jamesmcquaid.com
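The thread's goal is a plain-text entry naming the local machine and the blackholed domain it tried to reach, which the iptables drop/log rule alone cannot give. The script below is an added example (not from this thread or from Smoothwall/Snort) that correlates a blackhole DNS server's query log with iptables LOG lines for packets hitting the sinkhole address; the log formats, addresses and domain names are constructed assumptions, and because it keys on the sinkhole destination rather than HTTP it also records the UDP and non-HTTP hits James mentions.

```python
import re

# Constructed sample input (assumption): a BIND-style query log from the
# blackhole DNS server, and iptables LOG lines for packets sent to the
# sinkhole address. Real formats vary; adjust the regexes to your logs.
SINKHOLE_IP = "10.99.99.1"  # assumed address the BH zones resolve to

DNS_LOG = """\
22-Feb-2008 00:40:01.101 client 192.168.1.23#3421: query: badsite.example IN A
22-Feb-2008 00:40:02.512 client 192.168.1.23#3422: query: www.example.org IN A
22-Feb-2008 00:40:05.004 client 192.168.1.50#1100: query: c2.example IN A
"""

FW_LOG = """\
Feb 22 00:40:01 fw kernel: BH-DROP IN=eth1 OUT= SRC=192.168.1.23 DST=10.99.99.1 PROTO=TCP SPT=3421 DPT=80
Feb 22 00:40:05 fw kernel: BH-DROP IN=eth1 OUT= SRC=192.168.1.50 DST=10.99.99.1 PROTO=UDP SPT=1100 DPT=53
Feb 22 00:40:06 fw kernel: BH-DROP IN=eth1 OUT= SRC=192.168.1.77 DST=10.99.99.1 PROTO=TCP SPT=2000 DPT=443
"""

# Names served by the blackhole zones (constructed; load from your zone list).
BLACKHOLED = {"badsite.example", "c2.example"}

DNS_RE = re.compile(r"^\S+ \S+ client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN ")
FW_RE = re.compile(r"SRC=(\d+\.\d+\.\d+\.\d+) DST=(\d+\.\d+\.\d+\.\d+) PROTO=(\S+) .*DPT=(\d+)")


def parse_dns_queries(text, blackholed):
    """Map each client IP to the ordered list of blackholed names it queried."""
    queries = {}
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m and m.group(2).rstrip(".") in blackholed:
            queries.setdefault(m.group(1), []).append(m.group(2).rstrip("."))
    return queries


def correlate(dns_text, fw_text, sinkhole_ip, blackholed):
    """Attribute each firewall hit on the sinkhole to the most recent
    blackholed name the same client resolved (a heuristic: the DNS answer
    normally precedes the connection attempt by well under a second)."""
    queries = parse_dns_queries(dns_text, blackholed)
    out = []
    for line in fw_text.splitlines():
        m = FW_RE.search(line)
        if not m or m.group(2) != sinkhole_ip:
            continue  # not a sinkhole hit
        src, _dst, proto, dport = m.groups()
        names = queries.get(src)
        name = names[-1] if names else "<no blackholed query seen>"
        out.append(f"{src} {proto}/{dport} -> {name}")
    return out
```

Clients that hit the sinkhole without a matching query (a hard-coded IP, or a lookup answered before the log window) are still reported, just without a name.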