I’ve spent a little while the last few days building a list of PacketShaper rules to identify spyware web activity based primarily on user agent strings that the spyware programs use. Seems to be doing the right thing and blocking those user agents, though I don’t have a handy spyware-infected box to test it with.
I put the blocked class on the outbound link only, and used the class criterion for HTTP traffic to identify matching user agent strings. I had to move this class above the “Services” class in order for this HTTP traffic to be classified here rather than in the general allowed HTTP traffic.
I have identified user agent strings by running Snort on BIFROST and using the bleeding-snort malware rulesets. Mostly this has caught MarketScore, but there have been a number of other ones falling into the pot as well.
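As an added illustration (not code from the original post or from PacketShaper itself), the script below models the two points above: matching outbound HTTP requests on spyware User-Agent strings, and why the blocking class has to sit above the general "Services" class in a first-match class tree. The log format and the User-Agent patterns are constructed placeholders, not real MarketScore signatures.

```python
import re
from typing import Callable

# Constructed placeholder User-Agent patterns standing in for the spyware
# strings the post harvested from Snort alerts; not real MarketScore signatures.
SPYWARE_UA_PATTERNS = [
    re.compile(r"ExampleSpywareAgent/", re.I),
    re.compile(r"ExampleAdTracker", re.I),
]

# Constructed proxy-style log lines: direction, method, host, quoted User-Agent.
SAMPLE_LOG = """\
outbound GET www.example.invalid "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
outbound GET stats.example.invalid "ExampleSpywareAgent/1.2 (Windows)"
outbound POST track.example.invalid "Mozilla/4.0 ExampleAdTracker build 7"
inbound GET intranet.example.invalid "Mozilla/5.0 (X11; Linux)"
"""

LOG_RE = re.compile(r'^(?P<direction>\w+)\s+(?P<method>\w+)\s+(?P<host>\S+)\s+"(?P<ua>[^"]*)"$')

def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format into request dicts, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def is_spyware_ua(ua: str) -> bool:
    """True when the User-Agent matches any known spyware pattern."""
    return any(p.search(ua) for p in SPYWARE_UA_PATTERNS)

Class = tuple[str, Callable[[dict], bool]]

# The two classes the post describes: general outbound HTTP ("Services") and the
# outbound-only class keyed on spyware User-Agent strings.
SERVICES: Class = ("Services/HTTP", lambda r: r["direction"] == "outbound")
SPYWARE: Class = ("Spyware-Blocked", lambda r: r["direction"] == "outbound" and is_spyware_ua(r["ua"]))

def classify(request: dict, tree: list[Class]) -> str:
    """First match wins, as in a top-down PacketShaper class tree; unmatched traffic is Default."""
    for name, match in tree:
        if match(request):
            return name
    return "Default"

def classify_log(text: str, tree: list[Class]) -> list[str]:
    """Classify every parsed request against the given class order."""
    return [classify(r, tree) for r in parse_log(text)]
```

With `[SERVICES, SPYWARE]` the spyware requests never reach the blocking class and are classified as ordinary HTTP; swapping the order to `[SPYWARE, SERVICES]` is what makes the block take effect.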
Posted by Rowan Littell at November 8, 2005 11:19 AM