Date: Fri, 12 Nov 2004 13:22:20 -0500
From: Bart Silverstrim <bsilver@chrononomicon.com>
To: TM4526@aol.com
Cc: questions@freebsd.org
Subject: Re: Squid+Privoxy or Snort?
Message-ID: <CA60166A-34D7-11D9-A4E4-000D9338770A@chrononomicon.com>
In-Reply-To: <ff.65de15a.2ec6516f@aol.com>
References: <ff.65de15a.2ec6516f@aol.com>
On Nov 12, 2004, at 12:48 PM, TM4526@aol.com wrote:

> In a message dated 11/12/04 9:38:59 AM Eastern Standard Time,
> bsilver@chrononomicon.com writes:
>
> > I'm trying to investigate some potential solutions to escape from
> > different microsoft specific malware (like gator's software).
> > The two mentioned in subject were found after some Google search.
> > Wonder what are you guys using for this sort of problems.
> > Thanks.
>
> > Squid can be used if you redirect all web traffic through the squid
> > proxy; we have used squid with SquidGuard to block access to some
> > gator-esque sites.  If they get infected, they at least can't phone
> > home and we can see what IP's are trying to phone home so we can
> > clean them up if it's a problem.
>
> The issue with proxies is that they are a drag on your network; using
> squid as a firewall only isn't very smart. If you are already using it
> fine. But on a large network you are better off using a firewall or
> some sort of bandwidth management like the stuff on etinc.com.

I thought his issue was more on finding internal systems having
problems and blocking the specific sites from getting hit.

The proxy should speed up access if the same sites are being hit, as
well as provide a simple log file to grep through for hits to specific
sites. In US public schools, you're required to proxy things now
(filter websites), and you're right, it should not be used as a
firewall; it would only affect web traffic. Most of the spyware gunk
generates that kind of traffic, though, and known sites can be easily
blocked by adding the domain to SquidGuard's list.

This only affects web malware, of course. For viruses, he'd be well
off to use a virus scanner at the head to act as a pre-mail filter on
incoming mail. We use a system that runs clamav and scans all incoming
mail, preventing users from getting the "click me!" type viruses in the
first place before it touches our internal mail server.
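The "grep the proxy log for hits to specific sites" step described in the message above, as an added example that is not part of the original thread or of Squid/SquidGuard themselves. It assumes Squid's native access.log layout (timestamp, elapsed, client IP, action/code, size, method, URL, ...), a one-domain-per-line blocklist in the style of a SquidGuard domainlist file, and the constructed sample log lines and domains shown inline; the hostnames and addresses are made up for the example. It reports which internal clients requested a listed domain (or any subdomain of it) and how often, including requests SquidGuard already answered with a 403, since a client that keeps trying to phone home is exactly the one worth cleaning up.

```shell
#!/bin/sh
# Added example (not from the original message): summarize Squid access.log
# requests against a domain blocklist, grouped by client IP.

# Constructed sample access.log lines in Squid's native format (not real traffic).
SAMPLE_LOG='1100273000.123    245 192.168.1.57 TCP_MISS/200 4521 GET http://www.example-tracker.test/collect.cgi?id=7 - DIRECT/203.0.113.10 text/html
1100273001.456     12 192.168.1.57 TCP_HIT/200 810 GET http://www.freebsd.org/ - NONE/- text/html
1100273002.789    301 192.168.1.88 TCP_MISS/200 318 GET http://ads.example-tracker.test/beacon.gif - DIRECT/203.0.113.11 image/gif
1100273003.012    150 192.168.1.57 TCP_MISS/403 0 GET http://www.example-tracker.test/update - DIRECT/203.0.113.10 text/html
1100273004.345     90 192.168.1.23 TCP_MISS/200 2210 GET http://mail.example.test/inbox - DIRECT/203.0.113.12 text/html'

# Constructed blocklist, one domain per line (SquidGuard domainlist style).
# Listing "example-tracker.test" also covers www.example-tracker.test etc.
BLOCKLIST='example-tracker.test
spyware-home.test'

# phone_home_hits LOG_TEXT BLOCKLIST_TEXT
# Prints "client_ip matched_domain count" for every client that requested a
# URL whose host is a listed domain or a subdomain of one, most hits first.
phone_home_hits() {
    printf '%s\n' "$1" | awk -v blocklist="$2" '
    BEGIN {
        n = split(blocklist, dom, "\n")
        for (i = 1; i <= n; i++) if (dom[i] != "") block[dom[i]] = 1
    }
    # Field 3 is the client IP and field 7 the URL in the native log format.
    NF >= 7 {
        host = $7
        sub("^[a-z]+://", "", host)      # drop the scheme, if any
        sub("[/:?].*$", "", host)        # keep only the host part (no port/path)
        # Walk up the labels so ads.example-tracker.test matches a listed
        # example-tracker.test; stop at the first label that cannot be shortened.
        while (host != "") {
            if (host in block) { hits[$3 " " host]++; break }
            if (index(host, ".") == 0) break
            sub(/^[^.]*\./, "", host)
        }
    }
    END { for (k in hits) print k, hits[k] }
    ' | sort -k3,3nr -k1,1
}

# suspect_clients LOG_TEXT BLOCKLIST_TEXT
# Just the distinct client IPs worth visiting, one per line.
suspect_clients() {
    phone_home_hits "$1" "$2" | cut -d' ' -f1 | sort -u
}

# Stand-alone run over the constructed sample; a real run would substitute
# $(cat /var/log/squid/access.log) and the SquidGuard domainlist contents.
phone_home_hits "$SAMPLE_LOG" "$BLOCKLIST"
```

On a real box you would feed the function the tail of access.log (or pipe `tail -f` into the same awk) and the domain file SquidGuard already uses, so the blocklist and the report stay in sync; the 403 line in the sample shows that a blocked request still identifies the infected client.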
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CA60166A-34D7-11D9-A4E4-000D9338770A>