IT staffers at the University of Indiana put together a little cocktail to nab nasties using Snort, Amavisd and nmap (a brew which they dubbed “Shelob”, after the giant spider in Lord of the Rings).
Shelob integrates with the school’s own version of the open source NetReg application, which is used to register an unknown DHCP client before it’s granted full network access. When Shelob identifies an infected PC, NetReg assigns it a new IP address. Then, OpenVMPS (an open source version of Cisco’s VLAN Membership Policy Server) reassigns the port to which the PC is connected to a virtual LAN that contains only other infected computers.
Shelob then answers the quarantined PC’s DNS lookups with the address of a Web server, whatever name was asked for, so the browser lands on a page that tells the end user about the infection and how to clean it. The same Web page can be used to distribute McAfee’s VirusScan, virus definition files and Windows updates or patches.
The PC is quarantined on the VLAN until the virus is killed or the spyware activity on the PC stops.
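To make the workflow concrete, here is an added example (not Shelob’s code, nor anything from Indiana University or the NetReg/OpenVMPS projects) that strings the stages together: parse Snort fast-format alerts, map the offending source IP to a MAC through a lease table standing in for NetReg’s registration database, render a VMPS database file that puts that MAC on a quarantine VLAN, and model the captive-portal resolver that hands quarantined clients the Web server’s address for every name. The alert lines, the lease table, the portal address 10.99.0.10 and the VLAN names `quarantine` and `campus` are all constructed for the example.

```python
import re

# Constructed Snort "alert_fast" lines (sample data, not from the article).
SNORT_ALERTS = """\
04/12-09:15:02.113942  [**] [1:1000001:1] LOCAL worm propagation attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.20.5.23:1034 -> 10.20.7.40:445
04/12-09:15:03.551200  [**] [1:1000002:1] LOCAL spyware beacon [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.20.5.77:51311 -> 198.51.100.8:53
04/12-09:15:04.000001  [**] [1:1000003:1] LOCAL info scan [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.20.5.23:1035 -> 10.20.7.41:139
"""

# Constructed lease table (IP -> MAC), standing in for NetReg's registration DB.
LEASES = {
    "10.20.5.23": "00:11:22:33:44:55",
    "10.20.5.77": "66:77:88:99:aa:bb",
}

PORTAL_IP = "10.99.0.10"        # assumed address of the cleanup Web server
QUARANTINE_VLAN = "quarantine"  # assumed VLAN name for infected hosts
DEFAULT_VLAN = "campus"         # assumed VLAN name for clean hosts

# Snort fast-format: [**] [gid:sid:rev] msg [**] ... [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)


def parse_alerts(text):
    """Return a list of (src_ip, priority, msg) tuples from Snort fast-format lines."""
    found = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            found.append((m["src"], int(m["prio"]), m["msg"]))
    return found


def offending_macs(alerts, leases, max_priority=1):
    """MACs of registered hosts whose alerts are at or above max_priority (1 is highest)."""
    macs = set()
    for src, prio, _msg in alerts:
        if prio <= max_priority and src in leases:
            macs.add(leases[src])
    return macs


def cisco_mac(mac):
    """'00:11:22:33:44:55' -> '0011.2233.4455', the notation the VMPS database uses."""
    hexd = mac.replace(":", "").lower()
    return f"{hexd[0:4]}.{hexd[4:8]}.{hexd[8:12]}"


def vmps_db(leases, quarantined, domain="CAMPUS"):
    """Render a VMPS database (the format OpenVMPS reads) assigning each MAC a VLAN."""
    lines = [
        f"vmps domain {domain}",
        "vmps mode open",
        "vmps fallback default",
        "vmps no-domain-req deny",
        "!",
        "vmps-mac-addrs",
    ]
    for mac in sorted(leases.values()):
        vlan = QUARANTINE_VLAN if mac in quarantined else DEFAULT_VLAN
        lines.append(f"address {cisco_mac(mac)} vlan-name {vlan}")
    return "\n".join(lines) + "\n"


def resolve(name, client_ip, leases, quarantined, real_dns):
    """Captive-portal resolver: a quarantined client gets the portal IP for any name,
    a clean client gets the genuine answer (None if the name is unknown)."""
    if leases.get(client_ip) in quarantined:
        return PORTAL_IP
    return real_dns.get(name)


if __name__ == "__main__":
    alerts = parse_alerts(SNORT_ALERTS)
    bad = offending_macs(alerts, LEASES)
    print(vmps_db(LEASES, bad))
    print(resolve("www.example.com", "10.20.5.23", LEASES, bad, {"www.example.com": "192.0.2.80"}))
```

Only priority-1 alerts trigger quarantine here; a real deployment would tune that threshold per signature, and the rendered database has to be reloaded by the VMPS daemon before the switch re-queries the port.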
Good for them.