Simon Lyall <simon(a)darkmere.gen.nz> writes:
> On Thu, 24 Feb 2005, Juha Saarinen wrote:
>> On a more serious note, if wormy traffic of various kinds could be
>> fingerprinted with a reasonable degree of accuracy, it could be useful.
>
> There are papers out there on this, it's not that hard (grep "MX" in the
> query logs for your DNS servers for a start) especially if you have
> spent the big bucks to log all the customers' traffic already.

Most worms - both email-borne and the Sasser/Korgo/Welchia types -
make snort light up like a Christmas tree. As you say, it's not hard
to find infected machines.

> The hard bit is doing something with the list of customers once you
> have identified them.
Disconnection works for me, but we're not exactly an ISP.
The other option I suppose is to drop the user into some sort of
quarantine area where they can obtain antivirus and OS updates and
can't touch anything else.
James Riden / j.riden(a)massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
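As an added example (not code from this thread or from anyone quoted in it), the "grep MX in the DNS query logs" heuristic mentioned above, done slightly more carefully: a mass-mailing worm on a customer machine resolves MX records for many different recipient domains, which an ordinary desktop almost never does, while a real mail server does so legitimately. The script below parses constructed BIND 9 "querylog"-style lines (the line format, the 10.0.0.0/8 addresses, the threshold of 5 distinct domains and the "known MTA" allowlist are all assumptions for the example) and reports clients that asked for MX records of at least the threshold number of distinct domains.

```python
"""Added example: flag likely mass-mailing worm hosts from DNS query logs.

Assumptions (not from the thread): BIND 9 querylog line format, a
threshold of 5 distinct MX-queried domains per client, and a caller-supplied
allowlist of known mail servers. All log lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample log. 10.0.0.5 behaves like an infected desktop (MX for
# many unrelated domains), 10.0.0.2 is the site's real mail server, and
# 10.0.0.9 is an ordinary client doing A lookups plus one MX lookup.
SAMPLE_LOG = [
    "24-Feb-2005 10:15:01.123 client 10.0.0.5#33421: query: alpha.example IN MX + (10.0.0.1)",
    "24-Feb-2005 10:15:01.201 client 10.0.0.5#33422: query: beta.example IN MX + (10.0.0.1)",
    "24-Feb-2005 10:15:01.330 client 10.0.0.9#41002: query: www.example.net IN A + (10.0.0.1)",
    "24-Feb-2005 10:15:01.455 client 10.0.0.5#33423: query: gamma.example IN MX + (10.0.0.1)",
    "24-Feb-2005 10:15:01.460 client 10.0.0.5#33424: query: alpha.example IN MX + (10.0.0.1)",
    "24-Feb-2005 10:15:02.010 client 10.0.0.2#5353: query: alpha.example IN MX + (10.0.0.1)",
    "24-Feb-2005 10:15:02.011 client 10.0.0.2#5353: query: beta.example IN MX + (10.0.0.1)",
    "24-Feb-2005 10:15:02.012 client 10.0.0.2#5353: query: gamma.example IN MX + (10.0.0.1)",
    "24-Feb-2005 10:15:02.013 client 10.0.0.2#5353: query: delta.example IN MX + (10.0.0.1)",
    "24-Feb-2005 10:15:02.014 client 10.0.0.2#5353: query: epsilon.example IN MX + (10.0.0.1)",
    "24-Feb-2005 10:15:02.500 client 10.0.0.5#33425: query: delta.example IN MX + (10.0.0.1)",
    "24-Feb-2005 10:15:02.620 client 10.0.0.5#33426: query: epsilon.example IN MX + (10.0.0.1)",
    "24-Feb-2005 10:15:02.777 client 10.0.0.9#41003: query: example.org IN MX + (10.0.0.1)",
    "24-Feb-2005 10:15:02.800 client 10.0.0.9#41004: query: example.org IN A + (10.0.0.1)",
    "24-Feb-2005 10:15:03.001 client 10.0.0.5#33427: query: zeta.example. IN MX + (10.0.0.1)",
    "this line is not a query record and must be ignored",
]

# Assumed BIND 9 querylog shape: "client <ip>#<port>: query: <name> IN <type> ..."
QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<name>\S+) IN (?P<type>[A-Z0-9]+)"
)


def parse_queries(lines):
    """Yield (client_ip, qname, qtype) for every line that looks like a query record."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name"), m.group("type")


def mx_domains_per_client(lines):
    """Map each client IP to the set of distinct domains it requested MX records for.

    Distinct domains, not raw query count, is the signal: a worm walks an
    address book of many recipient domains, whereas retries against one
    domain are normal. Names are lowercased and the trailing dot dropped so
    'zeta.example.' and 'zeta.example' count once.
    """
    domains = defaultdict(set)
    for ip, name, qtype in parse_queries(lines):
        if qtype == "MX":
            domains[ip].add(name.lower().rstrip("."))
    return domains


def suspect_clients(lines, threshold=5, known_mta=()):
    """Return sorted client IPs with MX lookups for >= threshold distinct domains.

    known_mta is an allowlist of legitimate mail servers (assumed to be
    maintained by the operator); they are skipped rather than reported.
    """
    allow = set(known_mta)
    per_client = mx_domains_per_client(lines)
    return sorted(
        ip for ip, doms in per_client.items()
        if ip not in allow and len(doms) >= threshold
    )


if __name__ == "__main__":
    for ip, doms in sorted(mx_domains_per_client(SAMPLE_LOG).items()):
        print(f"{ip}: {len(doms)} distinct MX domains")
    print("suspects (no allowlist):", suspect_clients(SAMPLE_LOG))
    print("suspects (10.0.0.2 allowlisted):",
          suspect_clients(SAMPLE_LOG, known_mta={"10.0.0.2"}))
```

Without an allowlist the site's own mail server trips the rule alongside the infected desktop, which is the main false-positive source for this heuristic; the threshold and the time window you feed in (here the whole sample, in practice a few minutes of log) are the knobs to tune against your own traffic.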