[CentOS] antivirus sniffer/scanner for networks

Tue Oct 10 16:15:54 UTC 2006
eric at austinconventioncenter.com <eric at austinconventioncenter.com>

> 	You need to span/mirror the traffic from your distribution
> switch(es) to an Ethernet card appropriate for the size of traffic you
> see (0-100 Mbps: 100 Mbps Ethernet; 100-1000 Mbps: gigabit), and then run Snort
> with all of the plugins to look for malicious traffic. There aren't
> really network "virus" scanners so much as there are IDS detection
> programs which will detect the traffic signatures of the worm/malware
> spreading software and alert you. Viruses are generally local host
> problems, but the 'spreading' of them you CAN detect.
>
> HTH.
>
> -Drew
>
>
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
> Behalf Of eric at austinconventioncenter.com
> Sent: Tuesday, October 10, 2006 11:39 AM
> To: centos at centos.org
> Subject: [CentOS] antivirus sniffer/scanner for networks
>
> Is anyone aware of a package that can detect viruses on the network &
> possibly alert when there are?
>
> Here is the scenario: Our network is utilized by guest users all the
> time, sometimes into the thousands. We see guests from all over with a
> variety of OSs & hardware, over which we have no control or say in
> the matter.
>
> I am looking for something that I can run in promiscuous mode and/or on
> a span port that will sniff for viruses and then alert/log when it sees a
> virus. We can then track down the culprit's IP/MAC and shut off the
> switch port he/she is connected to and then visit with the guest to help
> them clean their machine.
>
> Given the nature of our network and our guests' needs, an inline
> solution is not an option. Although, I recall that squid supports WCCP,
> I'm not sure that it would do what I am requesting. I also looked at
> snort+libclamav, but the info was inconclusive.
>
> We are a CentOS shop and I have a spare dual Xeon box that I can use for
> the task.
>
> Thanks,
>
> Eric
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

Thanks, I will pursue the Snort path then...
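Drew's suggestion ends at "alert you"; the step Eric actually needs is the one after that: turning a stream of Snort alerts into a short list of guest hosts that are worth walking over to. The following is an added example, not code from either poster and not part of Snort. It parses Snort's one-line "alert_fast" output and groups alerts by source address, reporting only hosts that have triggered several alerts against several distinct destinations (the fan-out pattern of a spreading worm) rather than every host with a single hit. The alert lines, rule messages, SIDs and IP addresses are constructed for illustration; the thresholds are assumptions to tune per network.

```python
#!/usr/bin/env python3
"""Aggregate Snort alert_fast lines by source host so an operator on a
guest network can decide which switch port to cut.

Added example for this thread: not code from the original posts and not
part of Snort.  The alert lines below are constructed to follow Snort's
alert_fast format (one alert per line); the rule messages, SIDs and
addresses are made up for illustration.
"""
import re
from collections import defaultdict

# One alert_fast line, for example:
# 10/10-16:20:01.123456  [**] [1:1000001:1] LOCAL WORM SMB scan [**] \
#   [Priority: 1] {TCP} 10.20.5.17:3321 -> 10.20.9.4:445
# Classification and Priority are optional; ICMP lines carry no ports.
FAST_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?'
    r'(?:\s+\[Priority:\s*(?P<prio>\d+)\])?'
    r'\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+'
    r'(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)

# Constructed sample alerts: 10.20.5.17 hammers several hosts on 445 and
# ping-sweeps (worm-like fan-out); 10.20.5.88 trips one rule once.
SAMPLE_ALERTS = [
    "10/10-16:20:01.123456  [**] [1:1000001:1] LOCAL WORM SMB scan [**] [Priority: 1] {TCP} 10.20.5.17:3321 -> 10.20.9.4:445",
    "10/10-16:20:01.223456  [**] [1:1000001:1] LOCAL WORM SMB scan [**] [Priority: 1] {TCP} 10.20.5.17:3322 -> 10.20.9.5:445",
    "Commencing packet processing (pid=1234)",
    "10/10-16:20:01.323456  [**] [1:1000001:1] LOCAL WORM SMB scan [**] [Priority: 1] {TCP} 10.20.5.17:3323 -> 10.20.9.6:445",
    "10/10-16:20:02.000001  [**] [1:1000002:1] LOCAL ICMP sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.20.5.17 -> 10.20.9.9",
    "10/10-16:20:02.100001  [**] [1:1000001:1] LOCAL WORM SMB scan [**] [Priority: 1] {TCP} 10.20.5.17:3324 -> 10.20.9.7:445",
    "10/10-16:21:10.500000  [**] [1:1000003:2] LOCAL P2P client seen [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 10.20.5.88:51020 -> 198.51.100.7:6881",
]


def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None for
    lines that are not alerts (blank lines, Snort startup chatter)."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields['prio'] = int(fields['prio']) if fields['prio'] else None
    return fields


def offenders(lines, min_alerts=3, min_targets=3):
    """Group alerts by source IP and return hosts that look like they are
    spreading: at least min_alerts alerts against at least min_targets
    distinct destinations.  A lone alert from a guest is usually noise
    (one false positive, one blocked probe) and not worth cutting a port.

    Returns a list of (src, alert_count, distinct_targets, sorted_msgs),
    busiest source first.  Thresholds are assumed defaults, not Snort's.
    """
    by_src = defaultdict(lambda: {'count': 0, 'targets': set(), 'msgs': set()})
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        entry = by_src[alert['src']]
        entry['count'] += 1
        entry['targets'].add(alert['dst'])
        entry['msgs'].add(alert['msg'])

    result = []
    for src, e in by_src.items():
        if e['count'] >= min_alerts and len(e['targets']) >= min_targets:
            result.append((src, e['count'], len(e['targets']), sorted(e['msgs'])))
    result.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return result


if __name__ == '__main__':
    # With live data: offenders(open('/var/log/snort/alert')) on a box
    # running snort -A fast; the IP is then matched to a MAC in the
    # gateway's ARP table and to a port in the switch's MAC table.
    for src, n, targets, msgs in offenders(SAMPLE_ALERTS):
        print(f"{src}: {n} alerts against {targets} hosts: {', '.join(msgs)}")
```

The fan-out criterion (several alerts, several distinct destinations) is what separates a box actually spreading something from a guest whose laptop trips a noisy rule once; the IP it reports is the same one Eric would then chase through the ARP and switch MAC tables.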