Novell iFolder Open Source Project

Novell iFolder 开源了，将从 3 系列开始，iFolder1、iFolder2 是 Novell 早期产品，和现在开源的 iFolder3 并不兼容，目前只是一个 Server ，client 估计还需要等等。技术上基于 Mono/.NET，Novell 已经使用 Mono 进行企业开发，包括早先开源的 Hula，都会有一个 beagle 的 search 后端。RoadMap 上说将会考虑集成 bookmark，blog，wiki，f-spot，Calendars，gaim。Hula plus iFolder 稳定之后在开源群件这一块应该是无敌了，can't wait! Novell 最近的一系列走向表明是一路 OpenSource 下去了，为他个喝彩。 不知道 iFolder 是甚么东东？ Novell 的介绍。

virus and worms detection

Javier say:

First things first, Snort is an Intrusion Detection System, so it's more targeted towards finding attacks in the network targeted against internal systems. However, Snort does provide rules for common virus signatures (transmitted through e-mail, by inspecting the SMTP traffic) and worms (by detecting their activity on the network). Notice, however, that if you want to detect new worms you should not rely on the Snort rules provided in the current stable release, as they are quite out of date.  You can download updated rules from snort.org. You might want to update it too using a backported package of a newer version than the one in stable [1]
A separate method for detecting worms in your network is to prove the systems you manage using a vulnerability assesment tool. You can use Nessus for that (provided in Debian). Again, make sure that you use an updated version (not the one from stable, backports are available [2])
Nessus provides some plugins to test for installed backdoors, trojans and known worms. However, a Nessus scan is quite intrusive (it might even kill some systems) so you should approach that possibility with care. You can update your Nessus server with new attack plugins using 'nessus-update-plugins'
A third way to do what you propose (detect trojans, worms, etc.) is to do statistical analysis of the traffic generated by your clients and the amount of traffic (bandwith usage). That kind of analysis can enable to nail down some nasty clients. Sometimes you need to go down to the physical level (i.e. to the switches to obtain port statistics) since some worms might be doing TCP/IP spoofing (IIRC Slammer did this). In order to do statistical analysis it is usually good to keep up with Internet trends,
something you can do visiting the "Internet Storm Center" [3]. Some traffic (like constant outgoing traffic to port 135 against random or consecutive IP addresses) is usually an indicative of a worm spreading. Again, tools to do this include ntop, iptraf, darkstat (for statistical analysis) and ethereal, tcpdump, sniff, ettercap, nwatch adn sniffit (amongst others)
Finally, since many of the virus nowadays are mass-mailing, it might be worth analysing the amount of outbound e-mail sent by internal clients. Even if you do not add an antivirus tool to your outgoing SMTP relay server (some av mail-server tools have already been commented on the replies you got) analysis of the amount of traffic might be sufficient to pin-point virus activity. There are a number of tools to generate that data, based on what you use as input (firewall logs, mail server logs...)
Hmmm... I've rambled for enough time... Happy hunting! :-)
Javier
[1] The maintainer provided backports for 2.0.1-3 which are available at
http://people.debian.org/~ssmeenk/snort-stable-i386/ (I've tested those). I also made a backport (2.0.6-1) which I have testd also and can be retrieved from http://people.debian.org/~jfs/snort/ Finally, you can find packages for 2.1.0 (I don't have experience on these) at  http://www.backports.org/debian/dists/stable/snort/binary-i386/
[2] Official backports available at http://people.debian.org/~jfs/nessus
[3] http://isc.incidents.org/

great explaination for me!