Squid+Privoxy or Snort?

Bart Silverstrim bsilver at chrononomicon.com
Fri Nov 12 18:22:23 GMT 2004


On Nov 12, 2004, at 12:48 PM, TM4526 at aol.com wrote:

> In a message dated 11/12/04 9:38:59 AM Eastern Standard Time, 
> bsilver at chrononomicon.com writes:
> > I'm trying to investigate some potential solutions to escape from
> > different microsoft specific malware (like gator's software).
> > The two mentioned in subject were found after some Google search.
> > Wonder what are you guys using for this sort of problems.
> > Thanks.
>
> > Squid can be used if you redirect all web traffic through the squid
> > proxy; we have used squid with SquidGuard to block access to some
> > gator-esque sites.  If they get infected, they at least can't phone
> > home and we can see what IPs are trying to phone home so we can clean
> > them up if it's a problem.
>
> The issue with proxies is that they are a drag on your network; using
> squid as a firewall only isn't very smart. If you are already using it
> fine. But on a large network you are better off using a firewall or
> some sort of bandwidth management like the stuff on etinc.com.

I thought his issue was more on finding internal systems having 
problems and blocking the specific sites from getting hit.

The proxy should speed up access if the same sites are being hit, as 
well as provide a simple log file to grep through for hits to specific 
sites.  In US public schools, you're required to proxy things now 
(filter websites), and you're right, it should not be used as a 
firewall; it would only affect web traffic.  Most of the spyware gunk 
generates that kind of traffic, though, and known sites can be easily 
blocked by adding the domain to SquidGuard's list.

This only affects web malware, of course.  For viruses, he'd be well 
off to use a virus scanner at the head to act as a pre-mail filter on 
incoming mail.  We use a system that runs clamav and scans all incoming 
mail, preventing users from getting the "click me!" type viruses in the 
first place before it touches our internal mail server.
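As an added example (not from this thread or from the Squid/SquidGuard projects), here is a Python script that does the log-grepping Bart describes: it reads Squid's native access.log, checks each request's host against a SquidGuard-style domain list, and reports which internal clients are phoning home to which listed domain. The log lines, domain names and addresses are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed SquidGuard-style domain list: one domain per line; a listed
# domain also covers its subdomains, as SquidGuard's domain lists do.
DOMAIN_LIST = """
adware.example
tracker.example.net
"""

# Constructed Squid native access.log lines (placeholder hosts and addresses):
# time elapsed client code/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1100281343.123 245 192.168.1.20 TCP_MISS/200 1234 GET http://update.adware.example/check.cgi - DIRECT/203.0.113.5 text/plain
1100281344.001 12 192.168.1.21 TCP_HIT/200 4096 GET http://www.freebsd.org/ - NONE/- text/html
1100281350.500 300 192.168.1.20 TCP_MISS/200 512 GET http://adware.example/ping - DIRECT/203.0.113.5 text/plain
1100281361.000 100 192.168.1.33 TCP_MISS/200 0 CONNECT tracker.example.net:443 - DIRECT/203.0.113.9 -
"""

# Capture client address, method and URL; skip the fields we do not need.
_LINE = re.compile(r"^\S+\s+\d+\s+(\S+)\s+\S+\s+\d+\s+(\S+)\s+(\S+)")

def load_domains(text):
    """Parse a SquidGuard domain list, ignoring blank lines and '#' comments."""
    lines = (l.strip().lower() for l in text.splitlines())
    return {l for l in lines if l and not l.startswith("#")}

def listed_parent(host, domains):
    """Return the listed domain covering host (itself or a parent), else None."""
    parts = host.lower().split(".")
    for i in range(len(parts)):
        if ".".join(parts[i:]) in domains:
            return ".".join(parts[i:])
    return None

def host_of(method, url):
    """Hostname of a request; CONNECT lines carry host:port rather than a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""

def phone_home_report(log_text, domains):
    """Map each listed domain to the sorted internal clients that contacted it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if m:
            client, method, url = m.groups()
            d = listed_parent(host_of(method, url), domains)
            if d:
                hits[d].add(client)
    return {d: sorted(c) for d, c in hits.items()}
```

Run it against a real access.log and the live SquidGuard list to get the per-domain list of clients worth cleaning up; requests that were already blocked still show up, because the client attempted the connection.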



More information about the freebsd-questions mailing list