From: Eric S. <eri...@uo...> - 2005-08-01 19:12:03

> I don't think you should be using snort+clam or snort rules in general
> to filter out malicious attachments in mail. There are far better
> solutions for this that live on your mail gateway. If you want to use
> Clam against your mail server take a look at the clamav-milter.

I understand. In fact I'm trying to reproduce here the same approach used by the Sonicwall GAV solution. I'm doing some tests with my own libipq "module" trying to catch viruses "inline" in each packet.

I already know that there are a lot of problems with this approach, like zip, virus split, etc. But the idea would be to reduce the amount of malware before it hits the internal network, email gateways, etc.

Since it's basically the same idea as snort-inline I thought that maybe we could exchange some experiences. Like, what if instead of storing username/pass, etc. we just store the msg number, try to "spoof" the connection and send the DELE <num>, all of this changing the headers + payload. Anybody have any comment?

Please, as I said, these are just ideas, feel free to say if they are too stupid. ;-)

[]s
Eric Scopinho
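The "virus split" problem mentioned in the post, as an added example that is not part of the thread or of any product it names: a marker byte string that straddles a TCP segment boundary is invisible to per-packet matching, but is found once the stream is reassembled. The signature, message and segment size are all constructed sample values.

```python
# Added example, not the post's own code: the "virus split" problem it
# mentions. A marker straddling a packet boundary is missed by per-packet
# matching but found after TCP reassembly. All data here is constructed.
SIGNATURE = b"SAMPLE-MALWARE-MARKER"  # constructed, not a real AV signature

def split_into_packets(data: bytes, mss: int) -> list[bytes]:
    """Chop a byte stream into fixed-size segments, like TCP does."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]

def scan_per_packet(packets: list[bytes], sig: bytes = SIGNATURE) -> bool:
    """Naive inline check: each packet is matched in isolation."""
    return any(sig in pkt for pkt in packets)

class StreamReassembler:
    """Minimal in-order reassembly keyed on TCP sequence number."""
    def __init__(self, isn: int) -> None:
        self.next_seq = isn
        self.pending: dict[int, bytes] = {}
        self.buffer = bytearray()

    def feed(self, seq: int, payload: bytes) -> None:
        # Hold out-of-order segments; release only contiguous data.
        self.pending[seq] = payload
        while self.next_seq in self.pending:
            chunk = self.pending.pop(self.next_seq)
            self.buffer += chunk
            self.next_seq += len(chunk)

    def scan(self, sig: bytes = SIGNATURE) -> bool:
        return sig in bytes(self.buffer)

def demo(mss: int = 32) -> dict:
    """Return what each approach sees for one constructed message."""
    message = b"From: a@example.test\r\n\r\nhello " + SIGNATURE + b" bye\r\n"
    packets = split_into_packets(message, mss)
    # Deliver segments in reverse order to show reassembly copes with it.
    reasm = StreamReassembler(isn=0)
    for i, pkt in reversed(list(enumerate(packets))):
        reasm.feed(i * mss, pkt)
    return {"packets": len(packets),
            "per_packet_hit": scan_per_packet(packets),
            "reassembled_hit": reasm.scan()}

if __name__ == "__main__":
    print(demo())
```

With the default segment size the marker spans both segments, so only the reassembled scan reports a hit; a segment size larger than the message lets the per-packet scan succeed as well.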