Comments on: Monitoring for Sober.Y with squid and swatch http://evilrouters.net/2006/01/05/monitoring-for-sober-y-with-squid-and-swatch/ im in ur datacentrz configurin' ur routerz Sat, 04 Sep 2010 06:16:45 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: NIF http://evilrouters.net/2006/01/05/monitoring-for-sober-y-with-squid-and-swatch/comment-page-1/#comment-44 NIF Wed, 30 Nov -0001 00:00:00 +0000 http://evilrouters.net/archives/172#comment-44 <p><strong>Bigger-Better-Faster-More</strong></p> <p>Today's dose of NIF - News, Interesting & Funny ... limited blogation weekend starting (+ Open Trackbacks)</p> Bigger-Better-Faster-More

Today’s dose of NIF – News, Interesting & Funny … limited blogation weekend starting (+ Open Trackbacks)

]]> By: Tom Wilson http://evilrouters.net/2006/01/05/monitoring-for-sober-y-with-squid-and-swatch/comment-page-1/#comment-45 Tom Wilson Wed, 30 Nov -0001 00:00:00 +0000 http://evilrouters.net/archives/172#comment-45 <p>BRILLIANT!!!</p> <p>;o)</p> BRILLIANT!!!

;o)

]]> By: matt richard http://evilrouters.net/2006/01/05/monitoring-for-sober-y-with-squid-and-swatch/comment-page-1/#comment-46 matt richard Wed, 30 Nov -0001 00:00:00 +0000 http://evilrouters.net/archives/172#comment-46 <p>It's certainly noble to monitor for infected hosts but why not take the simple next step and block the outgoing requests? Squid has native functionality to implement this using ACL's or alternatively you could use a redirector. There are several existing redirectors like squidguard that would work well or in such a simple case you could even write your own.</p> <p>The issue is that you'll know if one of your hosts is infected but you'll still be allowing the malicous update to occur. It would seem prudent to take the next step and block the sites you've identified.</p> <p>I manage a similar setup for about 9k mixed OS hosts and adding filtering for known malicous content generally adds little overhead.</p> It’s certainly noble to monitor for infected hosts but why not take the simple next step and block the outgoing requests? Squid has native functionality to implement this using ACL’s or alternatively you could use a redirector. There are several existing redirectors like squidguard that would work well or in such a simple case you could even write your own.

The issue is that you’ll know if one of your hosts is infected but you’ll still be allowing the malicous update to occur. It would seem prudent to take the next step and block the sites you’ve identified.

I manage a similar setup for about 9k mixed OS hosts and adding filtering for known malicous content generally adds little overhead.

]]> By: Jeremy http://evilrouters.net/2006/01/05/monitoring-for-sober-y-with-squid-and-swatch/comment-page-1/#comment-47 Jeremy Wed, 30 Nov -0001 00:00:00 +0000 http://evilrouters.net/archives/172#comment-47 <p>Personally, I agree with you WRT blocking. SANS made the recommendation not to do blocking, since the administrators of those hosts had been notified and the offending files were already removed from the servers.</p> <p>Since it wasn't really deemed a threat (and, TBH, my pager hasn't went off once from this), I didn't mind just monitoring as opposed to blocking.</p> <p>In just about any other case, including the recent WMF vulnerability, I would do whatever I could to <a href="http://www.jeremygaddis.com/2005/12/29/blocking-wmf-at-the-perimeter/">block the requests</a>, but I trust SANS and their recommendations.</p> <p>This was more of a learning exercise for me, with regards to swatch.</p> Personally, I agree with you WRT blocking. SANS made the recommendation not to do blocking, since the administrators of those hosts had been notified and the offending files were already removed from the servers.

Since it wasn’t really deemed a threat (and, TBH, my pager hasn’t went off once from this), I didn’t mind just monitoring as opposed to blocking.

In just about any other case, including the recent WMF vulnerability, I would do whatever I could to block the requests, but I trust SANS and their recommendations.

This was more of a learning exercise for me, with regards to swatch.

]]> By: jeremygaddis.com » Monitoring for Blackworm with swatc http://evilrouters.net/2006/01/05/monitoring-for-sober-y-with-squid-and-swatch/comment-page-1/#comment-48 jeremygaddis.com » Monitoring for Blackworm with swatc Wed, 30 Nov -0001 00:00:00 +0000 http://evilrouters.net/archives/172#comment-48 <p>[...] As kind of a follow-up to “Monitoring for Sober.Y with Squid and swatch“, I figured I’d throw up this post about monitoring for Blackworm with swatch. [...]</p> [...] As kind of a follow-up to “Monitoring for Sober.Y with Squid and swatch“, I figured I’d throw up this post about monitoring for Blackworm with swatch. [...]

]]>