North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
RE: [Full-disclosure] what can be done with botnet C&C's?
On Thu, 17 Aug 2006, Jordan Medlen wrote: > > I'm sure most people on this list have heard of or use snort. There is an > add-on package called snortsam. This package allows automation of blocking > traffic deemed malicious via a null route statement or ACL statement. We > have been in the process over the last month of implementing this on our > network with much success. I think the only problem that we have had with it > thus far is underestimating just how well it was actually going to work. As > with any snort implementation, it takes time to tweak and tune the rule > sets, however we have managed to kill a huge amount of traffic either coming > from our customers or destined to our customers. While this is not a perfect > system, it is much better than idly sitting there and letting the abuse > continue. > > --- > Jordan Medlen > Chief Technology Officer and Architect > Sago Networks Is this the kind of thing that could get a boost from projects like ThreatNet (http://www.ali.as/threatnet/)? I've been peripherally involved with the project, mostly in chasing conceptual issues and hammering out the trust relationship details, in addition to being an rabid, er, avid developer of network management tools, right down to near-real time log analyzers. I think that if you're to a point that you trust your tools enough to make an informed decision and automate your null routes, why not expand on that and use the same networked intelligence the C&C's embody? - billn