[CentOS] antivirus sniffer/scanner for networks

Tue Oct 10 16:34:49 UTC 2006
Drew Weaver <drew.weaver at thenap.com>

	You need to span/mirror the traffic from your distribution
switch(es) to an Ethernet card appropriate for the size of the traffic you
see (0-100 Mbps: 100 Mbps Ethernet; 100-1000 Mbps: gigabit), and then run
Snort with all of the plugins to look for malicious traffic. There aren't
really network "virus" scanners so much as there are IDS detection
programs which will detect the traffic signatures of the worm/malware
spreading and alert you. Viruses are generally local-host problems, but
the 'spreading' of them you CAN detect.



-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
Behalf Of eric at austinconventioncenter.com
Sent: Tuesday, October 10, 2006 11:39 AM
To: centos at centos.org
Subject: [CentOS] antivirus sniffer/scanner for networks

Is anyone aware of a package that can detect viruses on the network and
possibly alert when there are any?

Here is the scenario: our network is utilized by guest users all the
time, sometimes into the thousands. We see guests from all over with a
variety of OSs and hardware, over which we have no control or say in
the matter.

I am looking for something that I can run in promiscuous mode and/or on
a SPAN port that will sniff for viruses and then alert/log when it sees a
virus. We can then track down the culprit's IP/MAC, shut off the
switch port he/she is connected to, and then visit with the guest to help
them clean their machine.

Given the nature of our network and our guests' needs, an inline
solution is not an option. Although I recall that Squid supports WCCP,
I'm not sure that it would do what I am requesting. I also looked at
snort+libclamav, but the info was inconclusive.

We are a CentOS shop and I have a spare dual Xeon box that I can use for
the task.
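The point in the reply above is that you do not look for the virus itself on the wire; you look for the propagation behaviour: one guest host opening connections to many distinct hosts on a few service ports in a short window. The following is an added example of that detection logic, written by the editor for this page, not code from the thread and not Snort (Snort's sfPortscan preprocessor does the same job with much more state). It assumes packets have already been pulled off the mirrored NIC and reduced to a small record (the `Packet` class, the watched ports, the 10-second window and the 20-host threshold are all assumptions to tune for your network); the traffic it runs over is constructed in-line, including the IP and MAC addresses, so it runs offline.

```python
"""Fan-out detector for SPAN-port traffic (added example, not from the thread).

Worms spread by opening connections to many distinct hosts on a few service
ports in a short time; a guest doing that is what the thread wants to catch.
Packets are constructed below instead of being read from the mirrored NIC."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # capture timestamp, seconds
    src_mac: str     # needed to find the switch port to shut off
    src_ip: str
    dst_ip: str
    dst_port: int
    syn: bool        # TCP SYN without ACK: a new outbound connection attempt


# Assumed defaults, tune for your network: ports worm-era Windows malware
# probed, the observation window, and how many distinct targets in it count
# as a sweep.
WATCHED_PORTS = frozenset({135, 139, 445, 1433})
WINDOW_SECONDS = 10.0
FANOUT_THRESHOLD = 20


class FanoutDetector:
    """Tracks, per source IP, the distinct hosts it tried to reach on watched
    ports within a sliding time window, and alerts once per window when the
    count crosses the threshold."""

    def __init__(self, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD,
                 ports=WATCHED_PORTS):
        self.window = window
        self.threshold = threshold
        self.ports = ports
        self._events = defaultdict(deque)   # src_ip -> deque of (ts, dst_ip, dst_port)
        self._last_alert = {}               # src_ip -> ts of last alert
        self.alerts = []

    def feed(self, pkt):
        """Consume one packet; return an alert dict if this packet tipped its
        source over the threshold, else None."""
        if not pkt.syn or pkt.dst_port not in self.ports:
            return None                    # established traffic and other ports are ignored
        q = self._events[pkt.src_ip]
        q.append((pkt.ts, pkt.dst_ip, pkt.dst_port))
        while q and pkt.ts - q[0][0] > self.window:   # expire attempts outside the window
            q.popleft()
        targets = {dst for _, dst, _ in q}
        if len(targets) < self.threshold:
            return None
        last = self._last_alert.get(pkt.src_ip)
        if last is not None and pkt.ts - last < self.window:
            return None                    # this sweep was already reported
        self._last_alert[pkt.src_ip] = pkt.ts
        alert = {
            "ts": pkt.ts,
            "src_ip": pkt.src_ip,
            "src_mac": pkt.src_mac,
            "distinct_targets": len(targets),
            "ports": sorted({p for _, _, p in q}),
        }
        self.alerts.append(alert)
        return alert


def detect_fanout(packets, **kw):
    """Run the detector over packets sorted by timestamp; return all alerts."""
    det = FanoutDetector(**kw)
    for pkt in packets:
        det.feed(pkt)
    return det.alerts


def sample_traffic():
    """Constructed SPAN-port sample: one guest doing ordinary SMB and web
    traffic to two servers, one infected guest sweeping port 445 across
    10.0.0.0/24 at ten hosts per second. Addresses are made up."""
    pkts = []
    for i in range(30):
        pkts.append(Packet(i * 0.5, "00:11:22:33:44:55", "192.168.10.20",
                           "192.168.1.5", 445, True))
        pkts.append(Packet(i * 0.5 + 0.1, "00:11:22:33:44:55", "192.168.10.20",
                           "10.0.0.8", 80, True))
    for i in range(40):
        pkts.append(Packet(5.0 + i * 0.1, "00:de:ad:be:ef:01", "192.168.10.57",
                           "10.0.0.%d" % (i + 1), 445, True))
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    for a in detect_fanout(sample_traffic()):
        print("ALERT t=%.1fs %s (%s) hit %d hosts on ports %s" % (
            a["ts"], a["src_ip"], a["src_mac"], a["distinct_targets"], a["ports"]))
```

In production the records would come from libpcap on the SPAN NIC running in promiscuous mode, and the MAC in the alert is what you take to the switch's forwarding table to find the port. Two caveats a practitioner will hit: a legitimate file server, a vulnerability scanner, or a misconfigured management box also fans out on these ports, so treat the threshold alert as a trigger for pulling the corresponding signature hits rather than as proof on its own; and a guest whose DHCP lease changes mid-sweep shows up as two sources, which is why the detector keys on the IP but records the MAC.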


CentOS mailing list
CentOS at centos.org