This is a two-part message. Well, first, I want to let everyone know
that I've put together a "Parasite Detection System" for Snort, which
allows admins and security personnel to identify the presence and
kinds of most common parasites (spyware, adware, DNS and browser
hijackers, some trojans like and including Qhosts, etc.) Needless to
say, this is critical to defend against data leakage, compromised
applications, identifying apps with lax security controls (i.e. IE),
and violations of company policy. There are two versions, the
"basic" and the "advanced". The Basic is a listing of IPs, and is very
fast, since it doesn't use content-matching. The Advanced is a bit
more sophisticated and can detect inbound threats, and also makes use
of FlexResp.
Here's the thing: the Basic version is fine and ready to go, so if you
want to find out what bad stuff is running on your network, go get it
and check back for updates every once in a while.
The Advanced version still needs some testing, though. I set it up to
use FlexResp to kill connections-in-progress, but FlexResp is VERY
quirky. I really, really would like to offer the ability to terminate
malicious connections, but FlexResp doesn't seem all that reliable.
Anybody have any input or would like to test it?
Oh yeah, naturally, I've also updated the firewall rulesets and lists
-- pretty much everything is on there now. I hit the limit of the
number of rules Kerio will allow, so any modifications will be at the
expense of existing rules. The text file (blockips.txt) will continue
to grow. (As much as I wish it didn't need to...)
P.S. Direct comments to yosponge2@yahoo.com. My regular account is
full. Thanks.
Sponge
Sponge's Security Solutions
www.geocities.com/yosponge
Yes, I'm into alliteration...
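The two rule styles the post describes (a "basic" pure-IP list with no content matching, and an "advanced" content-matching rule that uses FlexResp to reset the connection) can be generated from a blockips.txt-style list. The following is an added example and is not Sponge's ruleset or code; it assumes blockips.txt holds one IPv4 host or CIDR block per line with `#` comments, the sample addresses are constructed from RFC 5737 documentation ranges, and the Host header value used for the advanced rule is hypothetical.

```python
"""Generate Snort 2.x rules in the two styles described above.

Added example, not the post author's ruleset.  Assumptions: the block
list is one IPv4 host or CIDR per line with '#' comments; the advanced
rule matches a hypothetical HTTP Host header.  All addresses below are
constructed (RFC 5737 documentation ranges), not real parasite hosts.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample list in the assumed blockips.txt layout.
SAMPLE_BLOCKIPS = """\
# blockips.txt -- one host or network per line, '#' starts a comment
192.0.2.10          # spyware update server (constructed)
192.0.2.10          # duplicate entry, should be collapsed
198.51.100.0/24     # adware CDN (constructed)
203.0.113.77
not-an-address      # bad line, must be skipped rather than break the load
"""

LOCAL_SID_BASE = 1000000  # sids below 1,000,000 are reserved for official rules


def parse_blocklist(text: str) -> List[str]:
    """Return unique, validated networks in first-seen order; junk lines are dropped."""
    seen = set()
    nets: List[str] = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # malformed line: skip, don't abort the whole list
        key = str(net)
        if key not in seen:
            seen.add(key)
            nets.append(key)
    return nets


def snort_ip_literal(net: str) -> str:
    """Snort writes single hosts bare and networks in CIDR form."""
    return net[:-3] if net.endswith("/32") else net


def basic_rules(networks: Iterable[str], chunk: int = 16,
                sid: int = LOCAL_SID_BASE) -> List[str]:
    """'Basic' style: outbound traffic to a listed host, matched on IP only.

    No content keyword, so the fast-path matcher handles it.  Addresses are
    grouped into bracketed Snort IP lists to keep the rule count down.
    """
    literals = [snort_ip_literal(n) for n in networks]
    rules: List[str] = []
    for i in range(0, len(literals), chunk):
        group = literals[i:i + chunk]
        target = group[0] if len(group) == 1 else "[" + ",".join(group) + "]"
        rules.append(
            f"alert ip $HOME_NET any -> {target} any "
            f'(msg:"PARASITE basic - traffic to known parasite host"; '
            f"sid:{sid}; rev:1;)"
        )
        sid += 1
    return rules


def advanced_rule(host_header: str, sid: int) -> str:
    """'Advanced' style: payload match on an HTTP Host header plus FlexResp.

    resp:rst_all sends TCP resets toward both ends.  It requires a Snort
    built with FlexResp support, and the reset races the real traffic: the
    packet that triggered the alert has already been delivered.
    """
    return (
        "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS "
        f'(msg:"PARASITE advanced - check-in to {host_header}"; '
        "flow:to_server,established; "
        f'content:"Host|3A| {host_header}"; nocase; '
        f"resp:rst_all; sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    nets = parse_blocklist(SAMPLE_BLOCKIPS)
    for rule in basic_rules(nets):
        print(rule)
    # Hypothetical check-in host, not taken from any real parasite.
    print(advanced_rule("updates.example.net", LOCAL_SID_BASE + 100))
```

The basic rules are cheap because Snort can decide them from the IP header alone; the advanced rule needs the payload and a tracked TCP stream, and `resp:` only works when the sensor can inject packets back into the path with matching sequence numbers, which is why a sensor hanging off a SPAN port or tap tends to behave inconsistently when asked to kill connections.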