From: Bart Silverstrim <bsilver@chrononomicon.com>
Date: Fri, 12 Nov 2004 13:22:20 -0500
To: TM4526@aol.com
Cc: questions@freebsd.org
Subject: Re: Squid+Privoxy or Snort?

On Nov 12, 2004, at 12:48 PM, TM4526@aol.com wrote:

> In a message dated 11/12/04 9:38:59 AM Eastern Standard Time,
> bsilver@chrononomicon.com writes:
> > I'm trying to investigate some potential solutions to escape from
> > different Microsoft-specific malware (like Gator's software).
> > The two mentioned in the subject were found after some Google search.
> > Wonder what you guys are using for this sort of problem.
> > Thanks.
>
> > Squid can be used if you redirect all web traffic through the squid
> > proxy; we have used squid with SquidGuard to block access to some
> > gator-esque sites.  If they get infected, they at least can't phone
> > home and we can see what IPs are trying to phone home so we can clean
> > them up if it's a problem.
>
> The issue with proxies is that they are a drag on your network; using
> squid as a firewall only isn't very smart. If you are already using it,
> fine. But on a large network you are better off using a firewall or some
> sort of bandwidth management like the stuff on etinc.com.

I thought his issue was more on finding internal systems having
problems and blocking the specific sites from getting hit.

The proxy should speed up access if the same sites are being hit, as
well as provide a simple log file to grep through for hits to specific
sites.  In US public schools, you're required to proxy things now
(filter websites), and you're right, it should not be used as a
firewall; it would only affect web traffic.  Most of the spyware gunk
generates that kind of traffic, though, and known sites can be easily
blocked by adding the domain to SquidGuard's list.

This only affects web malware, of course.  For viruses, he'd be well
off to use a virus scanner at the head to act as a pre-mail filter on
incoming mail.  We use a system that runs clamav and scans all incoming
mail, preventing users from getting the "click me!" type viruses in the
first place before it touches our internal mail server.
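As an added example (not code from the thread or from the Squid/SquidGuard projects), the "grep through the proxy log" step described above, written as a small shell script: it takes a SquidGuard-style domain list and a Squid access.log in Squid's native format, both constructed here as sample data, and reports which internal clients requested a listed domain or a subdomain of one, whether Squid served or denied the request.

```shell
#!/bin/sh
# Added example: find internal hosts that request known spyware domains
# by matching a SquidGuard-style domain list against Squid's access.log.
# All domains, addresses and log lines below are constructed sample data.

# SquidGuard "domains" file format: one domain per line; an entry also
# covers its subdomains.
BLOCKLIST='gator.example
adtracker.example'

# Constructed access.log lines in Squid native format:
# time elapsed client action/code bytes method URL ident hierarchy type
ACCESS_LOG='1100283600.123    45 192.168.0.42 TCP_MISS/200 512 GET http://www.gator.example/phonehome?id=1 - DIRECT/10.0.0.1 text/html
1100283601.456    12 192.168.0.17 TCP_HIT/200 2048 GET http://www.freebsd.org/ - NONE/- text/html
1100283602.789    30 192.168.0.42 TCP_MISS/200 128 GET http://cdn.adtracker.example/beacon.gif - DIRECT/10.0.0.2 image/gif
1100283603.012     8 192.168.0.99 TCP_DENIED/403 0 GET http://gator.example:8080/ - NONE/- text/html
1100283604.345    20 192.168.0.17 TCP_MISS/200 300 GET http://notgator.example/ - DIRECT/10.0.0.3 text/html'

# Read access.log on stdin; print "client listed-domain" for every request
# whose host equals a listed domain or ends in ".<listed domain>".
# Denied requests count too: the point is to see who is *trying* to phone home.
phonehome_hits() {
    awk -v list="$1" '
    BEGIN { n = split(list, d, "\n") }
    {
        host = $7
        sub(/^[a-z]+:\/\//, "", host)   # drop the scheme
        sub(/[\/:?].*$/, "", host)      # drop port, path and query
        for (i = 1; i <= n; i++) {
            if (d[i] == "") continue
            if (host == d[i] || substr(host, length(host) - length(d[i])) == "." d[i]) {
                print $3, d[i]
                break
            }
        }
    }'
}

# Aggregate: number of listed-domain requests per internal client, busiest first.
hits_per_client() {
    phonehome_hits "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

printf '%s\n' "$ACCESS_LOG" | hits_per_client "$BLOCKLIST"
```

In production, replace the constructed data with `cat /var/squid/logs/access.log | hits_per_client "$(cat /path/to/squidguard/domains)"` (paths vary per install); the host-only match means a query string or port on the URL does not hide a hit.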