Re: malware and spam control



On 2009-11-21, buck <buck@xxxxxxxxxxx> wrote:
*SKIP*
> The main problem is in distinguishing between normal versus infected
> activity. Can anyone give examples, perhaps using "recent" matches,
> that drop malware but allow normal activity?

I think, you should look for overviews of currently running botnets.
*If* such overviews have detailed (to some degree) descriptions of this
particular botnet conduct then you have something to build your rules.
If there's no such description -- then trial-and-error.

> Can it even be done?

I guess -- positive. I'm not sure if that's possible to implement such
logic within 'iptables' itself. However I have a successful experience
with implementing beeps on my router (when fw rejects a packet the
router beeps specially).

* configure iptables to log (look for 'LOG' target) packets of
interest
* configure syslogd (or whatever) to write in named pipe
* implement a logic-script that will issue appropriate commands
(those commands could be: reconfiguring fw, remote reboots,
DDoS, sending SMSes, whatever)
* run the logic-script reading from the named pipe (beware IO
issues -- if there hasn't been a reader, then the first one
will get everything amassed in pipe, if there's no reader then
writer could eventually block, 'syslogd' needs 'klogd' to run
etc)

> Is there A Better Way?

Yes. Windows Must Die!


--
Torvalds' goal for Linux is very simple: World Domination
Stallman's goal for GNU is even simpler: Freedom
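The logic-script step of the pipeline above, as an added example that is not part of the original message: it reads iptables LOG lines from a named pipe (or stdin), counts rejected packets per source and calls a hook once a source passes a threshold. The log prefix, threshold, FW_PIPE variable and sample lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Reads iptables LOG lines from a named pipe (or stdin), counts rejected packets
# per source and runs a hook when a source first reaches THRESHOLD hits.
# Added example; prefix, threshold and sample lines are constructed assumptions.
THRESHOLD=${THRESHOLD:-3}            # hits before the hook fires
LOG_PREFIX=${LOG_PREFIX:-FW-REJECT}  # --log-prefix set on the LOG rule

# Action hook: replace the body with what the router should do (beep, SMS,
# add the address to a drop set). Printing keeps it a harmless dry run.
on_threshold() {
    printf 'ALERT src=%s hits=%s\n' "$1" "$2"
}

# Print the value of field $1 (e.g. SRC) from LOG line $2, empty if absent.
field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Consume LOG lines on stdin; per-source counts live in a temp file so this
# stays POSIX sh. Lines without our prefix (other syslog traffic) are skipped.
process_log() {
    counts=$(mktemp) || return 1
    while IFS= read -r line; do
        case $line in *"$LOG_PREFIX"*) ;; *) continue ;; esac
        src=$(field SRC "$line")
        [ -n "$src" ] || continue
        printf '%s\n' "$src" >>"$counts"
        n=$(grep -cxF "$src" "$counts")
        if [ "$n" -eq "$THRESHOLD" ]; then
            on_threshold "$src" "$n"
        fi
    done
    rm -f "$counts"
}

# Constructed sample of what syslogd would write into the pipe.
sample_lines() {
    cat <<'EOF'
Nov 21 10:00:01 router kernel: FW-REJECT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=22
Nov 21 10:00:02 router kernel: FW-REJECT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40003 DPT=23
Nov 21 10:00:02 router sshd[123]: Accepted publickey for admin from 203.0.113.9
Nov 21 10:00:03 router kernel: FW-REJECT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40004 DPT=445
EOF
}

# FW_PIPE names the mkfifo'd pipe fed by syslogd; without it, run the sample.
if [ -n "${FW_PIPE:-}" ]; then process_log <"$FW_PIPE"; else sample_lines | process_log; fi
```

The hook fires once per source, at the third hit, so a burst of rejected packets produces one action rather than one per packet.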