Security Basics mailing list archives

Monitoring for Sober.Y with Squid and swatch
From: "Gaddis, Jeremy L." <jeremy () linuxwiz net>
Date: Thu, 05 Jan 2006 22:35:21 -0500

Here's an article I just wrote up really quickly on how to monitor for Sober.Y HTTP activity (set to begin at midnight 06-Jan-2006) using the Squid proxy server and swatch.

Example configurations are provided. These are the swatch config entries that I am using for monitoring Squid's access.log files for (some of?) the hosts that Sober.Y is known to utilize, and for sending alerts to my e-mail and company pager.

I took the hosts from SANS' list on ISC. If there are any hosts that I've missed, please do let me know.

The article can be found at http://www.jeremygaddis.com/

Thanks,
-j

--
Jeremy L. Gaddis, GCWN, Linux+, Network+
LinuxWiz Consulting
http://www.linuxwiz.net/
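The same check the post describes, written as a small Python script rather than a swatch config, is added here as an example; it is not the author's configuration. It parses Squid's native access.log format, matches each request's host against a watchlist, and reports hits. The host names and log lines are constructed placeholders: the real host list comes from the SANS ISC page the post refers to.

```python
import re
from urllib.parse import urlsplit

# Placeholder watchlist (assumption): replace with the hosts from the SANS ISC list.
WATCHLIST = {"sober-host-1.example", "sober-host-2.example"}

# Squid native access.log layout:
# time elapsed client action/code size method url ident hierarchy/from content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)(?:\s+(?P<ctype>\S+))?\s*$"
)

def parse_line(line):
    """Return the fields of one access.log line plus the request host, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    host = urlsplit(rec["url"]).hostname
    if host is None:  # CONNECT requests are logged as "host:port" with no scheme
        host = rec["url"].rsplit(":", 1)[0]
    rec["host"] = host.lower()
    return rec

def host_on_watchlist(host, watchlist=WATCHLIST):
    """True for a watchlisted host or any subdomain of one."""
    return any(host == w or host.endswith("." + w) for w in watchlist)

def find_alerts(lines, watchlist=WATCHLIST):
    """Return (client, host, url) for every request whose host is on the watchlist."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec and host_on_watchlist(rec["host"], watchlist):
            alerts.append((rec["client"], rec["host"], rec["url"]))
    return alerts

# Constructed sample lines in Squid native format (not real traffic).
SAMPLE_LOG = [
    "1136505600.123    245 10.0.0.5 TCP_MISS/200 1024 GET http://sober-host-1.example/up.txt - DIRECT/192.0.2.1 text/plain",
    "1136505601.456     12 10.0.0.9 TCP_MISS/200 512 CONNECT www.sober-host-2.example:443 - DIRECT/192.0.2.2 -",
    "1136505602.789     30 10.0.0.5 TCP_HIT/200 2048 GET http://intranet.example/index.html - NONE/- text/html",
]

if __name__ == "__main__":
    for client, host, url in find_alerts(SAMPLE_LOG):
        print(f"ALERT client={client} host={host} url={url}")
```

Feeding it `tail -f` output of access.log gives the same kind of alert stream swatch produces; the subdomain match catches hosts logged under a www. prefix.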
