Marti Martinez wrote:
The type of profile information you're describing sounds like stuff that snort is pretty good at identifying. As such, I'd suggest you look into snort's database of "attack" signatures and see if it provides a decent starting point for you.

Thanks Marti, but the issue is not really in detecting the various attacks. Snort is great.

The issue is more when, for example, a computer has been compromised by an attack, and it's obvious that in turn it's attacking others in some cases. It can be blocked, but then identifying what the compromise situation really is, or how to tell customers what it might be and where to go to maybe get it cleaned up, or provide their IT support person more details as to how to get this cleaned up, is what I am really looking for, if that even exists.

Let's say for example you have a student that brings a compromised laptop and connects it to your LAN. You can see the attack and even block it if you choose to do so, but then after you beat him/her up (;> that person may not have been aware of the situation and asks how to clean it up other than the usual, wipe and reinstall your Windows computer.

And obviously this is assuming they were able to connect their laptop, but assume they did for discussion's sake.

Look here, these 5 possibilities are what your compromise might be. And more information is provided there as to how you might be successful in cleaning it up.

That's really what I am after, and again assuming such things actually exist and are not obsolete in relevant information.

The issue is not in detecting it, but what to do next and getting more information on it, as well as possibly finding out how to get it cleaned up.

You can use PF as much as possible to block attacks from outside, but sadly there are always cases where it is introduced from inside and can be detected and blocked, but the issue of the clean up and getting information on the case still exists.

I hope this explains it more.

Best,

Daniel
