So wondering what’s the best way to go about blocking something like SEO Spam injection scripts from being able to run on my computers. I have pfBlocker running with a bunch of lists and Suricata running in reporting mode, and when I go to a site I know that’s been compromised with HTML.Injection.SEO-SPAM, I don’t see it in any logs or anywhere.
So, what would be the best way to protect my network and the users, namely wife and kids, from these types of exploits? I know there’s a lot of crap out there using the same drive-by technique as what I already mentioned.
I will fully admit I don’t really have a good grasp on Suricata, which is why it’s in report mode, so wondering if it would even catch this stuff or not.
TIA
The actual SEO Spam injection attack would be against a webserver. If you’re running a publicly accessible webserver, the proper protection against that may be a WAF (Web Application Firewall). Suricata may be able to protect against that if there’s a ruleset for it, although really you’re asking about blocking every type of content injection possible. However, the inspection needs to be done at a point where HTTPS is decrypted, meaning you wouldn’t be able to do it in pfSense unless you were also using pfSense to terminate the TLS instead of doing it on your webserver. Personally, I’d recommend Cloudflare and making it so the internet can only get to your webserver through them.
If you aren’t running a webserver, your concern isn’t an SEO Spam Injection. Your concern is generally preventing their devices from becoming part of a botnet. Security software on the end user devices is the main protection against this, alongside user training.
It feels like he’s interested in protecting his family from browsing websites affected by spam injection, e.g. blocking the scripts triggered from visiting those sites.
I’m thinking those scripts being injected are quite similar functionally to scripts that trigger ad injections in web pages. Something that filters those, such as Pi-hole for network-wide protection, or the uBlock Origin browser add-on for end-user device protection, might work in your case too, @jlw, though probably with a bit of config tweaking to block what you’re interested in.
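To make the "config tweaking" from the reply above concrete, here is an added example (my own code, not from this thread or from the Pi-hole or uBlock Origin projects). It runs over the HTML of a page as the browser sees it after TLS is decrypted (the point the first reply makes: a pfSense box in front of HTTPS never sees this), separates the parts a DNS or browser filter can act on from the parts it cannot, and emits candidate entries for each tool. The sample page, the `.example` hostnames, and the `triage()` helper name are all constructed for the example.

```python
"""Triage a fetched HTML page for SEO-spam injection artefacts and turn the
findings into Pi-hole (DNS) and uBlock Origin (browser) blocklist entries.

Added example for this thread; not code from the original posts.  The sample
page below and every hostname in it are constructed (.example TLD).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_HOST = "family-site.example"   # constructed: the site being visited

# Constructed page: one injected third-party script plus two hidden blocks
# of outbound spam links, the classic SEO-spam pattern.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<script src="/js/site.js"></script>
<script src="https://cdn-redirector.example/seo.js"></script>
</head><body>
<p>Welcome to our site. <a href="https://example.org/">A normal link</a></p>
<div style="position:absolute; left:-9999px">
  <a href="https://spam-links.example/pills">cheap pills</a><br>
  <a href="https://spam-links.example/casino">online casino</a><br>
  <a href="https://spam-links.example/loans">payday loans</a>
</div>
<div style="display: none"><a href="https://other-spam.example/x">x</a></div>
<a href="/about">About</a>
</body></html>"""

# Inline-style tricks commonly used to keep injected links out of sight.
HIDDEN_MARKERS = ("display:none", "visibility:hidden", "left:-9999px", "font-size:0")
# Void elements never get an end tag, so they must not be pushed on the stack.
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr", "area", "base", "col",
             "embed", "source", "track", "wbr", "param"}


def is_hidden_style(style: str) -> bool:
    """True if an inline style contains one of the hide-this-block tricks."""
    compact = (style or "").replace(" ", "").lower()
    return any(marker in compact for marker in HIDDEN_MARKERS)


class InjectionScanner(HTMLParser):
    """Collects third-party script hosts and links inside hidden containers."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host
        self.script_hosts = set()       # external <script src> hosts
        self.hidden_link_hosts = set()  # hosts linked from hidden containers
        self.hidden_links = 0
        self._hidden_depth = 0          # >0 while inside a hidden container
        self._stack = []                # per open tag: did it start a hidden region?

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = "hidden" in a or is_hidden_style(a.get("style") or "")
        if tag not in VOID_TAGS:
            self._stack.append(hidden)
            if hidden:
                self._hidden_depth += 1
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname   # None for relative URLs
            if host and host != self.page_host:
                self.script_hosts.add(host)
        if tag == "a" and self._hidden_depth and a.get("href"):
            host = urlparse(a["href"]).hostname
            if host and host != self.page_host:
                self.hidden_links += 1
                self.hidden_link_hosts.add(host)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack and self._stack.pop():
            self._hidden_depth -= 1


def triage(html: str, page_host: str = PAGE_HOST) -> dict:
    """Split findings by which tool can act on them."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    script_hosts = sorted(scanner.script_hosts)
    return {
        # Third-party script sources are resolved by the browser, so a DNS
        # sinkhole (Pi-hole blacklist / pfBlocker alias) actually stops them.
        "block_at_dns": script_hosts,
        # Same hosts as uBlock Origin static filters (block third-party scripts).
        "ublock_filters": [f"||{h}^$script,third-party" for h in script_hosts],
        # Hidden link blocks are inline HTML: nothing is resolved or fetched
        # unless clicked, so neither tool can remove them.  Only the site
        # owner can, by cleaning the compromised server.
        "hidden_link_count": scanner.hidden_links,
        "hidden_link_hosts": sorted(scanner.hidden_link_hosts),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The split in `triage()` is the practical takeaway: Pi-hole and uBlock Origin help exactly to the extent the injected payload loads from a separate, blockable hostname; injected inline content on the compromised site itself is invisible to both, which is why the second reply's "config tweaking" only goes so far and the first reply's point about the web server being the real target still stands.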