/*
Blocking Malware at the Border:
I'm about to configure an outbound HTTP filter on my network to block drive-by malware installs. Most of my systems are not vulnerable to these attacks, but a cheap extra layer of defence at the egress point is always worth having.
In an article entitled Botnet malware defense on isc.sans.org, the handlers provide several links to regularly updated lists of malware-hosting domains.
One of the links is to a site called www.malwaredomains.com. Using their updated "domains.txt" list, it's fairly simple to parse it into something that Squid will understand.
# wget http://www.malwaredomains.com/files/domains.txt
# grep -E -v '^$|^#' domains.txt | awk '{print $1}' | sort -u > sorted.txt
The grep drops the blank and comment lines, awk keeps only the first column (the domain; the remaining columns are the classification, source and dates), and sort -u removes the duplicate entries the list contains.
Using the sorted.txt list, you can configure Squid or a similar proxy to block access to these domains at layer 7, that is, on the hostname the client asks for rather than on the destination IP address. That way, if the domain's DNS records change, as they do continuously in a "fast flux network", you are still protected, because the block keys on the name the malware site is reached by, not on where it happens to resolve today. The protection only extends to domains that are actually on the list, so schedule the download and conversion to run regularly rather than doing it once.
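As an added example (this is not code from the original post or from malwaredomains.com), the POSIX shell script below turns a domains.txt in the published layout into a Squid dstdomain list and prints the squid.conf fragment that uses it. It handles two details the plain awk-and-sort pipeline skips: Squid's dstdomain matches "example.com" literally and only ".example.com" also matches its subdomains, so each entry gets a leading dot; and Squid warns about and ignores an entry whose parent domain is also listed, so such entries are dropped. The sample input is constructed to mimic the file format and is not real blocklist data, and the path /etc/squid/malware_dstdomain.txt is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post. Converts a domains.txt in the
# malwaredomains.com layout (comment lines start with '#', data lines are
# tab-separated with the domain as the first non-empty field) into a Squid
# dstdomain list, and prints the squid.conf fragment that references it.
#
# Two details the plain "awk '{print $1}' | sort" pipeline misses:
#   1. Squid's dstdomain matches "example.com" literally; only ".example.com"
#      also matches its subdomains, so every entry gets a leading dot.
#   2. Squid warns about and ignores a dstdomain entry whose parent domain is
#      also listed, so such entries are dropped here to keep reloads quiet.

# Constructed sample input standing in for the downloaded domains.txt.
# It deliberately contains a blank line, comments, a duplicate, a subdomain of
# a listed domain and mixed case, to exercise every step below.
SAMPLE_DOMAINS="$(printf '## Malware Domain Blocklist (constructed sample, not real data)\n'\
'## columns: nextvalidation\tdomain\ttype\toriginal_reference\tdateverified\n'\
'\n'\
'\texample-bad.test\tmalicious\tconstructed\t20080101\n'\
'\tdrop.example-bad.test\texploit\tconstructed\t20080102\n'\
'\n'\
'\texample-bad.test\tmalicious\tconstructed\t20080103\n'\
'\tAnother-Evil.TEST\tbotnet\tconstructed\t20080104\n')"

# to_squid_dstdomain: read a domains.txt on stdin, write one dstdomain entry
# per line on stdout. Blank and comment lines are dropped, only the first
# field (the domain) is kept, it is lowercased (hostnames are case-insensitive),
# prefixed with a dot, de-duplicated, and entries already covered by a listed
# parent domain are removed.
to_squid_dstdomain() {
    grep -Ev '^[[:space:]]*($|#)' \
    | awk '{ print "." tolower($1) }' \
    | LC_ALL=C sort -u \
    | awk '
        { entry[NR] = $0; listed[$0] = 1 }
        END {
            for (i = 1; i <= NR; i++) {
                host = entry[i]; parent = host; covered = 0
                # Strip one label at a time: ".a.b.c" -> ".b.c" -> ".c" -> ""
                while (sub(/^\.[^.]+/, "", parent) && parent != "")
                    if (parent in listed) { covered = 1; break }
                if (!covered) print host
            }
        }'
}

# squid_conf_fragment: print the squid.conf lines that deny requests to the
# domains in the list file given as $1. dstdomain also applies to the host in
# an HTTPS CONNECT request, so TLS sites on the list are blocked as well.
squid_conf_fragment() {
    cat <<EOF
# Deny HTTP(S) requests to listed malware domains by hostname (layer 7),
# so the block survives the IP churn of a fast-flux network.
acl malware_domains dstdomain "$1"
http_access deny malware_domains
EOF
}

# Stand-alone demonstration on the constructed sample.
# On a real system the wiring would be (assumed path):
#   wget -O - http://www.malwaredomains.com/files/domains.txt \
#     | to_squid_dstdomain > /etc/squid/malware_dstdomain.txt && squid -k reconfigure
printf '%s\n' "$SAMPLE_DOMAINS" | to_squid_dstdomain
squid_conf_fragment /etc/squid/malware_dstdomain.txt
```

Run against the constructed sample, the list comes out as two entries, .another-evil.test and .example-bad.test; the duplicate is collapsed and .drop.example-bad.test disappears because its parent is already listed. Place the http_access deny line above any http_access allow that would otherwise admit the client, since Squid evaluates http_access rules in order and stops at the first match.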
*/