From: Bart Silverstrim <bsilver@chrononomicon.com>
Date: Fri, 12 Nov 2004 09:38:16 -0500
To: FreeBSD Question List <freebsd-questions@freebsd.org>
Subject: Re: Squid+Privoxy or Snort?
Message-Id: <7D4BAEA6-34B8-11D9-9BE5-000D9338770A@chrononomicon.com>
In-Reply-To: <20041112133709.57188.qmail@web53210.mail.yahoo.com>

On Nov 12, 2004, at 8:37 AM, Cristian Salan wrote:

> Hello,
>
> I'm trying to investigate some potential solutions to escape from
> different Microsoft-specific malware (like Gator's software).
> The two mentioned in the subject were found after some Google searching.
> I wonder what you guys are using for this sort of problem.
> Thanks.

Squid can be used if you redirect all web traffic through the Squid proxy; we have used Squid with SquidGuard to block access to some Gator-esque sites. If they get infected, they at least can't phone home, and we can see what IPs are trying to phone home so we can clean them up if it's a problem.

Unless the malware is spraying traffic over a broadcast or scanning your subnets, I'm not sure if Snort would really help that much, since most Gator-like stuff tends to be targeted in what it contacts (browse to website, junk installed, phones home data...).

-Bart
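The "see which IPs are trying to phone home" part of the reply is just a matter of reading the proxy log. The script below is an added example, not code from the post or from the Squid/SquidGuard projects: it assumes Squid's default native access.log format (timestamp, elapsed ms, client, action/code, bytes, method, URL, ident, hierarchy, content type), a constructed blocklist standing in for the Gator-esque domains, and constructed log lines. It summarises attempts per client, and also flags blocked hosts that were served anyway, which is the check you want when verifying that the SquidGuard redirect is actually in force.

```python
"""Summarise which internal clients keep contacting blocked "phone home"
hosts, from Squid access.log lines.  Added example; assumes Squid's native
log format and uses a constructed blocklist and constructed sample lines."""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed blocklist: hypothetical domains standing in for the sites
# that SquidGuard would deny in the setup the post describes.
BLOCKED_DOMAINS = {"tracker.example.net", "adware-update.example"}

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed client action/code bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1100270000.123     45 192.168.0.42 TCP_DENIED/403 1420 GET http://tracker.example.net/report?id=7 - NONE/- text/html
1100270001.456    120 192.168.0.42 TCP_MISS/200 5123 GET http://www.freebsd.org/ - DIRECT/216.136.204.21 text/html
1100270002.789     40 192.168.0.57 TCP_DENIED/403 1420 POST http://stats.tracker.example.net/beacon - NONE/- text/html
1100270003.001     41 192.168.0.42 TCP_DENIED/403 1420 GET http://adware-update.example/check.cgi - NONE/- text/html
1100270004.002     30 192.168.0.57 TCP_HIT/200 812 GET http://www.freebsd.org/favicon.ico - NONE/- image/x-icon
1100270005.003     95 192.168.0.99 TCP_MISS/200 2210 GET http://tracker.example.net/report?id=9 - DIRECT/198.51.100.7 text/html
"""


def parse_line(line):
    """Return (client_ip, action, host) for one native-format line, or None
    if the line does not have the expected ten fields."""
    fields = line.split()
    if len(fields) < 10:
        return None
    client, status, url = fields[2], fields[3], fields[6]
    action = status.split("/", 1)[0]          # e.g. TCP_DENIED, TCP_MISS
    host = urlsplit(url).hostname or ""
    return client, action, host.lower()


def is_blocked_host(host, blocked=BLOCKED_DOMAINS):
    """True if host is a blocked domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in blocked)


def phone_home_report(log_text, blocked=BLOCKED_DOMAINS):
    """Map client IP -> {blocked host: attempt count}.

    Every attempt at a blocked host is counted, denied or not, so an
    infected client shows up even if the proxy let the request through."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, _action, host = parsed
        if is_blocked_host(host, blocked):
            report[client][host] += 1
    return {ip: dict(counts) for ip, counts in report.items()}


def unblocked_attempts(log_text, blocked=BLOCKED_DOMAINS):
    """List (client_ip, host) pairs where a blocked host was NOT denied:
    evidence that the SquidGuard redirect is missing or misconfigured."""
    leaks = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, action, host = parsed
        if is_blocked_host(host, blocked) and action != "TCP_DENIED":
            leaks.append((client, host))
    return leaks


def main():
    for ip, hosts in sorted(phone_home_report(SAMPLE_LOG).items()):
        total = sum(hosts.values())
        print(f"{ip}: {total} attempt(s) -> {', '.join(sorted(hosts))}")
    for ip, host in unblocked_attempts(SAMPLE_LOG):
        print(f"WARNING: {ip} reached blocked host {host} without being denied")


if __name__ == "__main__":
    main()
```

Point it at a real access.log (`phone_home_report(open("/var/log/squid/access.log").read())`) and the client IPs with repeated hits are the machines to clean up; any output from `unblocked_attempts` means the blocklist is not being enforced for that request path.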