EvilOctal Information Security Team Technical Discussion Group's Archiver

EvilOctal 2005-9-21 00:49

[Repost] Assessing your Malware Exposure with Snort

Original link: http://www.kgb.to/malware.html

You are trying to block malware with firewalls, intrusion detection and content filtering, but is it working? With Snort (http://www.snort.org/) and a couple of rules that Brendan O'Connor and I have written you can find out.

Before you snag the rules there are a few things you should know about them:
- They key off of the domain name and not the IP address.
- They only look at the ports you have designated as $HTTP_PORTS.
- They only look at established connections. I did this because I really don't care if a host is trying to get out as long as a firewall or other control is blocking them.
- They should be considered beta versions. If you have any ideas for improvements please let me know.

The first of the rules, malware.rules (http://www.kgb.to/malware.rules), is intended to detect data that is successfully leaking to domains known for malicious activity. Such activity includes but is not limited to the use of tracking cookies, drive-by installs of software, or use as controller servers for spyware.

Note that many sites are responsible for several types of malware, so the name indicated in the rule may not match the malware that is actually on or supported by the host.

Malware.rules contains thousands of rules, but it can't catch everything. To help compensate for its deficiencies we created countries.rules (http://www.kgb.to/countries.rules) as well. It looks for successful HTTP traffic to domains by country code. You will likely be amazed when you discover where some banner ads reside...
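As an added illustration, not code from the original post or from the kgb.to rule sets, the Python below emulates what the two rule families described above do: it renders a Snort 2 style rule carrying the three constraints listed (keyed on the domain in the HTTP Host header, restricted to $HTTP_PORTS, only established client-to-server flows), and it applies the same domain and country-code logic to a handful of raw HTTP requests so you can see which connections would fire and which would be silently skipped. The $HTTP_PORTS set, the domain lists and the sample requests are all constructed for this example and are assumptions; none of them come from malware.rules or countries.rules.

```python
"""Emulation of the two rule families in the post: alerts keyed on the HTTP
Host header, limited to $HTTP_PORTS and to established connections."""
from dataclasses import dataclass
from typing import Optional

# Stand-in for Snort's $HTTP_PORTS variable (assumption; match your snort.conf).
HTTP_PORTS = {80, 8080}

# Constructed sample lists. These are NOT entries from malware.rules or
# countries.rules, just hypothetical domains in the same spirit.
MALWARE_DOMAINS = {
    "tracker.example": "MALWARE tracking-cookie domain",
    "dropper.example": "MALWARE drive-by install domain",
}
COUNTRY_TLDS = {"ru": "Russia", "cn": "China", "br": "Brazil"}


def snort_rule(domain: str, msg: str, sid: int) -> str:
    """Render one Snort 2 style rule with the post's three constraints.
    |3A| is ':' and |0D 0A| is CRLF; ending the content with CRLF anchors the
    match to the end of the header value so 'tracker.example.attacker.test'
    does not satisfy a rule for 'tracker.example'."""
    return (
        "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS "
        f'(msg:"{msg}"; flow:established,to_server; '
        f'content:"Host|3A| "; nocase; content:"{domain}|0D 0A|"; nocase; '
        f"sid:{sid}; rev:1;)"
    )


def parse_host(raw: bytes) -> Optional[str]:
    """Pull the Host header value out of a raw HTTP request; None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def domain_key(host: str) -> str:
    """Normalise a Host value: drop a trailing :port, lowercase, strip the
    trailing dot. (Bracketed IPv6 literals are not handled here.)"""
    return host.rsplit(":", 1)[0].lower().rstrip(".")


def is_under(host_key: str, listed: str) -> bool:
    """True when host_key equals the listed domain or is a subdomain of it.
    Label-boundary match: 'nottracker.example' does not hit 'tracker.example'."""
    return host_key == listed or host_key.endswith("." + listed)


@dataclass
class Conn:
    dst_port: int
    established: bool      # stands in for flow:established (handshake completed)
    request: bytes         # client -> server payload


def alerts_for(conn: Conn) -> list:
    """Messages both rule families would raise for one connection."""
    if conn.dst_port not in HTTP_PORTS or not conn.established:
        return []          # outside $HTTP_PORTS, or never got past the firewall
    host = parse_host(conn.request)
    if host is None:
        return []
    key = domain_key(host)
    hits = [msg for dom, msg in MALWARE_DOMAINS.items() if is_under(key, dom)]
    tld = key.rsplit(".", 1)[-1]
    if tld in COUNTRY_TLDS:   # countries.rules analogue: alert by ccTLD
        hits.append(f"COUNTRY HTTP to .{tld} ({COUNTRY_TLDS[tld]})")
    return hits


# Constructed sample connections (not captured traffic).
SAMPLES = [
    Conn(80, True, b"GET /p.gif HTTP/1.1\r\nHost: www.tracker.example\r\n\r\n"),
    Conn(8000, True, b"GET /p.gif HTTP/1.1\r\nHost: www.tracker.example\r\n\r\n"),
    Conn(80, False, b"GET /x.exe HTTP/1.1\r\nHost: dropper.example\r\n\r\n"),
    Conn(8080, True, b"GET /ad HTTP/1.1\r\nHost: Banner.Ads.Example.RU:8080\r\n\r\n"),
    Conn(80, True, b"GET / HTTP/1.1\r\nHost: tracker.example.attacker.test\r\n\r\n"),
]

if __name__ == "__main__":
    for i, (dom, msg) in enumerate(MALWARE_DOMAINS.items(), start=1000001):
        print(snort_rule(dom, msg, i))
    for conn in SAMPLES:
        print(conn.dst_port, conn.established, alerts_for(conn))
```

Two things worth keeping in mind when reading the output: the request to port 8000 produces nothing even though the Host is listed, which is exactly the $HTTP_PORTS limitation the post warns about, and the unestablished connection to dropper.example is also silent, which is the intended behaviour (the firewall already did its job). The rendered rule uses Snort's substring `content` match; without the trailing `|0D 0A|` a rule for `tracker.example` would also fire on `tracker.example.attacker.test`, while the Python `is_under` check applies stricter label-boundary matching.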

© 1999-2008 EvilOctal Security Team