Where do pfBlocker and IPS fall into virus scans?

Hello all, thanks for all that you do.

As a home user I'm not too concerned with being attacked (or should I be?) but more concerned with viruses and the family clicking on ads in their smartphone free games… man! My wife's coupon apps scare me.

I think I see how Suricata and pfBlocker can block viruses, but does it scan inbound files like coupon installers or torrents? How does it defend against embedded malicious code? I remember Tom saying in one of the videos that he uses SolarWinds antivirus at the end-user level. I take it that means the firewall handles the bulk of it?

I think I'm getting it as I type it out, lol. It does more than just scan the packet headers… hence the DEEP in DPI. Wait, in order to scan a file, doesn't it need all the packets for that file?? How does it know if there's a virus attached if it doesn't have all the pieces?

Let me stop, I'm starting to think out loud. I can't help it. I love this stuff!!

Thanks, I appreciate your time. I’m excited to learn!!

@xmemex while neither Suricata nor pfBlocker is AV, they do alert, but they function differently. I would recommend picking up a copy of "The Practice of Network Security Monitoring" from No Starch Press. It covers Snort and Suricata and log files. pfBlocker works at the DNS level and depends on block lists of known sites dishing out malware; you can also add your own curated lists. pfSense is what I use and recommend to my clients. Built my own box, haven't had any issues.

1 Like
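A simplified model of the DNS-level blocking described above, added here as an example and not pfBlocker's own code: it parses hosts-format and domain-format feeds plus a user-curated list, and answers a query with a sinkhole address when the name or any parent domain is listed. The feeds, domain names and the sinkhole address 10.10.10.1 are all constructed.

```python
# Constructed illustration of a DNS blocklist (DNSBL-style) check.
# Not pfBlockerNG's implementation; feeds and addresses are made up.
from typing import Iterable, Optional, Set

# Constructed sample feeds: one in hosts format, one plain domain list,
# plus a user-curated list with mixed case. Comments/blank lines are ignored.
FEED_HOSTS = """# sample hosts-format feed (constructed)
0.0.0.0 ads.example-tracker.test
127.0.0.1 malware-dl.example.test   # trailing comment
"""
FEED_DOMAINS = """# sample domain-format feed (constructed)
coupon-bait.example.test
"""
CUSTOM_LIST = "Evil-Free-Games.Example.Test"


def parse_list(text: str) -> Set[str]:
    """Return normalized domains from hosts-format or domain-format text."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        # hosts format is "<ip> <domain>"; domain format is just "<domain>"
        name = parts[1] if len(parts) > 1 else parts[0]
        name = name.lower().rstrip(".")
        if name not in ("localhost", "localhost.localdomain"):
            domains.add(name)
    return domains


def build_blocklist(feeds: Iterable[str]) -> Set[str]:
    """Merge several feeds into one lookup set."""
    blocked = set()
    for feed in feeds:
        blocked |= parse_list(feed)
    return blocked


def resolve(qname: str, blocked: Set[str], sinkhole: str = "10.10.10.1") -> Optional[str]:
    """Return the sinkhole address if the name or a parent domain is listed, else None."""
    labels = qname.lower().rstrip(".").split(".")
    # Check the full name, then each parent domain, but never the bare TLD.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocked:
            return sinkhole
    return None


BLOCKLIST = build_blocklist([FEED_HOSTS, FEED_DOMAINS, CUSTOM_LIST])
```

Note that the match is by name only: the same host reached by IP, or a freshly registered domain not yet on any feed, passes straight through.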

It's not really all that effective against modern threats, as most sites are encrypted, which essentially blinds most inspection systems. This is why we focus on security at the endpoints, where you can gain visibility into the traffic, as that is where it is decoded.

2 Likes

Absolutely, endpoints, but the castle gate needs to be guarded. All my endpoints have the Linux FW configured in addition to pfSense. This is a subject worthy of its own category: threat hunting, behaviour analysis. If anyone is interested I will post some references.

1 Like

Very well explained, I have learned much!! Thanks.