Simon Lyall
> On Thu, 24 Feb 2005, Juha Saarinen wrote:
> > On a more serious note, if wormy traffic of various kinds could be fingerprinted with a reasonable degree of accuracy, it could be useful.
> There are papers out there on this, it's not that hard (grep "MX" in the query logs for your DNS servers for a start), especially if you have spent the big bucks to log all the customers' traffic already.
Most worms - both email-borne and the Sasser/Korgo/Welchia types - make snort light up like a Christmas tree. As you say, it's not hard to find infected machines.
The hard bit is doing something with the list of customers once you have identified them.
Disconnection works for me, but we're not exactly an ISP. The other option I suppose is to drop the user into some sort of quarantine area where they can obtain antivirus and OS updates and can't touch anything else.

-- 
James Riden / j.riden(a)massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
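The "grep MX in the DNS query logs" heuristic from the thread, worked through as an added example (not code from any participant): a mass-mailing worm on a customer machine looks up MX records for many unrelated domains, so counting distinct MX-queried domains per client and exempting known mail servers gives a candidate list. The log lines are constructed to approximate BIND 9's query-log format, and the threshold and allowlist are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample lines approximating BIND 9 query-log format (not real data).
# 192.0.2.10 behaves like a mass-mailer (MX lookups for many domains);
# 192.0.2.20 and 192.0.2.30 look like ordinary clients.
SAMPLE_LOG = """\
24-Feb-2005 10:15:01.001 client 192.0.2.10#3452: query: mail.example.org IN MX +
24-Feb-2005 10:15:01.050 client 192.0.2.10#3453: query: example.net IN MX +
24-Feb-2005 10:15:01.120 client 192.0.2.10#3454: query: example.com IN MX +
24-Feb-2005 10:15:01.300 client 192.0.2.10#3455: query: isp-example.nz IN MX +
24-Feb-2005 10:15:02.010 client 192.0.2.10#3456: query: example.edu IN MX +
24-Feb-2005 10:15:02.200 client 192.0.2.10#3457: query: EXAMPLE.COM IN MX +
24-Feb-2005 10:15:02.400 client 192.0.2.10#3458: query: another.example IN MX +
24-Feb-2005 10:15:03.000 client 192.0.2.20#1025: query: www.example.com IN A +
24-Feb-2005 10:15:03.500 client 192.0.2.20#1026: query: example.com IN MX +
24-Feb-2005 10:15:04.000 client 192.0.2.30#2048: query: smtp.example.org IN A +
"""

# Matches "client <ip>#<port>: query: <name> IN <type>"; other line shapes are ignored.
QUERY_RE = re.compile(
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<name>\S+) IN (?P<type>[A-Z0-9]+)"
)


def mx_domains_per_client(log_text):
    """Return {client_ip: number of distinct domains that client queried for MX}.

    Distinct domains (case-folded) are counted rather than raw queries, so a
    host retrying one lookup does not score like a host walking an address book.
    """
    domains = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("type") == "MX":
            domains[m.group("ip")].add(m.group("name").lower())
    return {ip: len(names) for ip, names in domains.items()}


def suspect_clients(log_text, threshold=5, allowlist=()):
    """Clients at or above `threshold` distinct MX domains, excluding known mail servers.

    `threshold` and `allowlist` are site-specific assumptions: legitimate MTAs
    and mail relays query MX constantly and must be allowlisted, not flagged.
    """
    counts = mx_domains_per_client(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allowlist)
```

The output is a list of customer addresses to follow up on (quarantine or disconnection, as discussed above), not a verdict; a client that is a real mail server shows the same pattern and belongs in the allowlist.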