Our campus is using Cisco routers. So we enable NetFlow and dump the output to another host running FreeBSD. (FreeBSD has a NetFlow implementation using netgraph if you don't use Cisco routers, though we haven't tested using it.)
The FreeBSD box is actually our main gateway before going out to the Internet. Then, we wrote a script to detect flow counts to ports used by common worms/viruses and if it's more than 100 at one time, we save the IP address to a database. This script runs every 10 minutes using cron. The script first deletes all entries and inserts the new IP addresses every 10 minutes.
Then, we set the firewall running on the FreeBSD box to block all connections from the IP address and transparently route any HTTP connection to our emergency response page. The page notifies the students that his/her PC is infected with a certain virus (based on the port it tries to connect to).
We only allow them to connect to Windows Update, the Symantec website and our Emergency Response website. All other connections are blocked. We cache all the Windows patches using our transparent proxy so that when they want to update their PC, they won't have to wait for several hours.
On our Emergency Response page, we provide free antivirus, the latest Symantec antivirus pattern update, Spybot and its updates and also DCOMbobulator. A short description of the suspected virus infecting their PCs is given on the website.
The emergency page also lists all the IP addresses of PCs suspected to be infected with worms, the location in our campus (based on the VLANs), the number of flows detected coming from the PC, the MAC address, the name of the PC (Windows), and the user currently using the system. Some of the details we got using NetFlow and others we got using nbtscan.
Every semester, the user has to sign a document saying that his/her PC has antivirus software installed and up-to-date.
We are planning to use Snort to detect suspicious packets using Snort's signatures and block the IP addresses detected.
We do receive complaints from students regarding this implementation, where the students say that their PC is up-to-date and free from viruses. But after further investigation, their PC was infected. It seems that they just assume that their PCs are free from viruses without actually scanning with antivirus.
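The detection step in the post above (count NetFlow records per source to worm-targeted ports, flag a source that exceeds 100 flows in one window, and rebuild the quarantine table on every run) is easy to get subtly wrong, so here is an added example of that logic in Python. It is not the poster's script: the flow-record format, the port list, the campus address range and the sample flows are all constructed assumptions. It goes slightly beyond the post by counting per destination port, so that the suspect list carries the port that triggered the block (which is what the emergency page uses to name the suspected worm), and by ignoring sources outside the campus range so an inbound Internet scan cannot land an outside address in the quarantine table.

```python
"""Flag campus hosts that fan out too many flows to worm-targeted ports.

Added example (not the original poster's script).  It models the approach
described in the post: count NetFlow records per source address to a set of
ports abused by common worms, and when a source exceeds a threshold within
one collection window, record it together with the port that triggered it so
the emergency page can name the suspected worm.  Port set, flow-record format,
campus range and threshold are assumptions, not taken from the post.
"""
from collections import Counter, defaultdict
import ipaddress

# Ports abused by the mass-scanning worms of the time (assumption).
WORM_PORTS = {135, 139, 445, 1434, 4444, 5554, 9996}
THRESHOLD = 100          # flows per source per window, as in the post
CAMPUS_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed campus range


def parse_flows(text):
    """Parse one whitespace-separated flow record per line:
    srcaddr dstaddr proto srcport dstport   (constructed format)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, sport, dport = line.split()
        flows.append((src, dst, int(proto), int(sport), int(dport)))
    return flows


def count_worm_flows(flows, worm_ports=WORM_PORTS):
    """Return {src: Counter({dstport: n})} for campus sources hitting worm ports."""
    per_src = defaultdict(Counter)
    for src, dst, proto, sport, dport in flows:
        if dport not in worm_ports:
            continue
        if ipaddress.ip_address(src) not in CAMPUS_NET:
            continue   # only our own hosts are candidates for quarantine
        per_src[src][dport] += 1
    return per_src


def suspects(per_src, threshold=THRESHOLD):
    """Sources whose total worm-port flow count exceeds the threshold.
    Returns {src: (total, dominant_port)}."""
    out = {}
    for src, ports in per_src.items():
        total = sum(ports.values())
        if total > threshold:
            port, _ = ports.most_common(1)[0]
            out[src] = (total, port)
    return out


def refresh_quarantine(new_suspects):
    """Model of the cron job: the table is wiped and rebuilt each window, so a
    host that stops scanning drops out automatically on the next run."""
    return dict(new_suspects)


def build_sample():
    """Constructed flow records for one 10-minute window."""
    lines = ["# srcaddr dstaddr proto srcport dstport"]
    # 150 SMB probes from one host to 150 different targets: a scanner.
    for i in range(150):
        lines.append(f"10.1.2.3 10.{i // 250}.{i % 250 + 1}.7 6 {1025 + i} 445")
    # 120 web flows from another host: busy, but not to a worm port.
    for i in range(120):
        lines.append(f"10.1.2.5 192.0.2.{i % 254 + 1} 6 {2000 + i} 80")
    # A handful of legitimate SMB flows to the file server: under threshold.
    for i in range(5):
        lines.append(f"10.1.2.4 10.0.0.20 6 {3000 + i} 445")
    # Inbound scan from the Internet: not a campus host, ignored.
    for i in range(200):
        lines.append(f"198.51.100.9 10.1.{i % 250}.1 6 {4000 + i} 135")
    return "\n".join(lines)


if __name__ == "__main__":
    table = refresh_quarantine(suspects(count_worm_flows(parse_flows(build_sample()))))
    for ip, (n, port) in sorted(table.items()):
        print(f"{ip}: {n} flows, port {port}")
```

Run stand-alone it reports only 10.1.2.3 (150 flows, port 445): the busy web client is never counted because port 80 is not in the worm list, the five file-server flows stay under the threshold, and the external scanner is dropped by the campus-range check. Feeding the real collector's output into this only requires replacing `parse_flows` with a parser for that export format.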
I only managed to install it halfway through and then it hangs... *dang* Just when the time I wanted to try it on my system.
I wonder what the performance gain is when using the Intel compiler instead of gcc.
Even better if he subscribed to slashdot :)
It's not an Old Arab Proverb, it's an excerpt from a Hadith...