How can you tell if malware is in your network?
As the PCRE post at the Internet Storm Center says:
You can check your log files for certain signatures using “Perl Compatible Regular Expressions” (PCRE).
Perl is a scripting language; perl.com goes into some of its details. PCRE itself is a C library that implements Perl’s regular-expression syntax, so the same patterns can be used from tools such as grep -P and from many log-analysis products without Perl being installed.
Of course that assumes you have a proxy server and that it sees your stream of web traffic; without a proxy, or some other choke point that logs outbound requests, there is nothing to run the patterns against.
A proxy server is a system that sits between your client computers and the web servers on the Internet. It is an intermediary with its own rules and definition files that hopefully catch some of the malware. The diagram above actually shows a reverse proxy, which takes requests from clients on the Internet and hands them to the web servers behind it. A reverse proxy is not necessarily deployed for security; it is often there for load balancing, or so that several servers can share the same IP address and DNS name.
In a standard (forward) proxy implementation the clients are inside the network and their requests go out to the Internet through the proxy.
Here is a picture of a basic proxy implementation:
So in a standard proxy implementation one can add a level of security, since the proxy server sees the whole stream of traffic between the web and the client and can log it, inspect it, and block requests that match a known bad pattern.
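As an added example (not from the ISC post or from this page), here is the kind of check the post describes: a handful of PCRE-style signatures run over proxy log lines. The log lines are constructed Squid-native-format entries using documentation addresses, and the three signatures are my own illustrative ones, not the ISC post’s patterns. Python’s re module is used because it accepts this subset of PCRE syntax, so the same patterns can be dropped into grep -P or a Perl script unchanged.

```python
import re

# Constructed Squid native access.log lines for the example; none of this is
# real traffic, and the hosts are documentation/example addresses.
SAMPLE_LOG = """\
1700000000.123    250 10.0.0.15 TCP_MISS/200 52314 GET http://www.example.com/news/index.html - HIER_DIRECT/93.184.216.34 text/html
1700000001.456     80 10.0.0.15 TCP_MISS/200 184320 GET http://203.0.113.7/update.exe - HIER_DIRECT/203.0.113.7 application/octet-stream
1700000002.789     90 10.0.0.22 TCP_MISS/200 1200 POST http://cdn.example.net/gate.php?id=aGVsbG8gd29ybGQgdGhpcyBpcyBiYXNlNjQ= - HIER_DIRECT/198.51.100.4 text/html
1700000003.001     60 10.0.0.22 TCP_MISS/200 770 GET http://www.example.org/img/logo.png - HIER_DIRECT/198.51.100.9 image/png
1700000004.500     75 10.0.0.31 TCP_MISS/200 3400 GET http://www.example.com/a.php?q=1 - HIER_DIRECT/93.184.216.34 application/x-msdownload
"""

# Illustrative signatures (my own, not the ISC post's). Each uses only the
# subset of PCRE syntax that Python's re module also understands, so the same
# pattern works in grep -P or Perl.
SIGNATURES = {
    # Windows executable fetched from a bare IP address instead of a hostname.
    "exe-from-bare-ip":
        r"\b(?:GET|POST) https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/\S*\.(?:exe|dll|scr)\b",
    # A script/HTML URL that the server answered with an executable MIME type
    # (Squid puts the response content type in the last field).
    "exe-mime-for-script-url":
        r"https?://\S+\.(?:php|html?|aspx?)(?:\?\S*)? \S+ \S+ application/(?:x-msdownload|octet-stream|x-dosexec)$",
    # POST to a *.php "gate" whose query string carries a long base64 blob.
    "base64-post-to-php-gate":
        r"\bPOST https?://\S+\.php\?\S*?=[A-Za-z0-9+/]{20,}={0,2}",
}

COMPILED = {name: re.compile(pat) for name, pat in SIGNATURES.items()}


def scan_log(text):
    """Return (line_number, signature_name) for every signature hit, in line order."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in COMPILED.items():
            if rx.search(line):
                hits.append((lineno, name))
    return hits


if __name__ == "__main__":
    for lineno, name in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {name}")
```

Running it flags lines 2, 3 and 5 of the sample and leaves the ordinary page and image fetches alone. Signatures like these are a starting point, not a verdict: a legitimate software updater can also pull an executable from a bare IP, so each hit still needs a look at the client, the destination and what was downloaded.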
We used to use Blue Coat in previous positions I had. Blue Coat’s blog has several interesting posts about checking for specific traffic that could be an attack, or bad websites in general.
If you had all-encompassing knowledge of the traffic, you could say this traffic is dangerous and this is not. That is what Blue Coat tries to do. https://www.virustotal.com/ is a great site (free service) which tells you whether a file is recognized as known malware or not. A clean result only means that none of its engines recognized the file at the time of the scan, so it does not prove that a file is safe.