Security Basics mailing list archives

Re: network worm


From: Steve Phipps <steve.phipps () gmail com>
Date: Thu, 9 Dec 2004 13:16:11 -0800

One quick and easy solution for Snort (to see if it will work for you)
is to try out the Knoppix-STD live cd. Boot this guy up from the CD or
ISO and you are up and running. Lots and lots of tools.
                Steve

http://www.knoppix-std.org/




-----Original Message-----
From: xyberpix [mailto:xyberpix () xyberpix com] 
Sent: Thursday, December 09, 2004 2:13 AM
To: l c
Cc: security-basics () securityfocus com
Subject: Re: network worm

It may be worth having a look into Snort (http://www.snort.org). I'm pretty
sure this could be made to do what you want, and could even send off some
alerts as well.
Back when Code Red was still around I had this set up on one of our
perimeter boxes to do the same thing, and then send a mail to
abuse@<domainnamehere>. Worked quite well.

xyberpix

On Wed, 8 December, 2004 10:24 pm, l c said:
Hi all,
in the past few days our network has been stressed by a lot of
network worms (not found by the local antivirus, which is
already up to date), with a stop of the traffic caused
by lots of ARP requests. The last one was
WORM_SDBOT.ACJ, a worm that propagates itself using
network shares and that Trend Micro (up to
date) was unable to find, causing the saturation of
the network switches and the related stop of all
work. The question is: "is there the possibility to
set up an instrument (even Linux based) to sniff the
network traffic with capabilities to find worms?". We
already have a Linux based tool for network
monitoring; this tool is useful to isolate hosts with
lots of ARP requests (typical of the worm), but this
tool can't point us to which worm is doing the
traffic.

Thanks a lot
Luis






-- 
For security and Opensource news check out:
http://xyberpix.demon.co.uk
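Added example, not from anyone in the thread: the kind of detection logic the monitoring tool Luis describes would need, run over a constructed list of packet summaries instead of a live sniffer. It flags hosts that send ARP requests at a worm-like rate and that probe many peers on the SMB ports a share-propagating worm like SDBOT uses; the thresholds, sample addresses and record format are assumptions for illustration.

```python
# Added example (not code from the thread). Scores hosts on two symptoms
# described in the thread: ARP request storms and probing of many peers on
# the SMB ports (445/139) used for share-based propagation.
from collections import defaultdict

ARP_REQUESTS_PER_MIN = 30   # assumed threshold: far above a normal host's rate
SMB_PEERS_PER_MIN = 20      # assumed threshold: distinct peers probed per minute
SMB_PORTS = {445, 139}

# Constructed sample: (timestamp_seconds, src_ip, proto, dst_ip, dst_port).
# 10.0.0.5 behaves like an infected host; 10.0.0.9 is a normal host.
SAMPLE = (
    [(t, "10.0.0.5", "arp", f"10.0.0.{t % 250 + 1}", None) for t in range(0, 120)]
    + [(t, "10.0.0.5", "tcp", f"10.0.0.{t % 250 + 1}", 445) for t in range(0, 120, 2)]
    + [(t, "10.0.0.9", "arp", "10.0.0.1", None) for t in range(0, 120, 30)]
    + [(t, "10.0.0.9", "tcp", "10.0.0.1", 445) for t in range(0, 120, 10)]
)


def score_hosts(packets, window=60):
    """Return {src_ip: {"arp_rate", "smb_peers", "reasons", "suspect"}}.

    Rates are normalised to `window` seconds over the capture span, so a
    short or long capture is judged on the same per-minute scale.
    """
    arp_count = defaultdict(int)
    smb_peers = defaultdict(set)
    t_min = min(p[0] for p in packets)
    t_max = max(p[0] for p in packets)
    windows = max((t_max - t_min + 1) / window, 1.0)   # never divide by zero

    for _ts, src, proto, dst, dport in packets:
        if proto == "arp":
            arp_count[src] += 1
        elif proto == "tcp" and dport in SMB_PORTS:
            smb_peers[src].add(dst)

    report = {}
    for src in set(arp_count) | set(smb_peers):
        arp_rate = arp_count[src] / windows
        peer_rate = len(smb_peers[src]) / windows
        reasons = []
        if arp_rate > ARP_REQUESTS_PER_MIN:
            reasons.append("arp-storm")
        if peer_rate > SMB_PEERS_PER_MIN:
            reasons.append("smb-share-scan")
        report[src] = {"arp_rate": arp_rate, "smb_peers": peer_rate,
                       "reasons": reasons, "suspect": bool(reasons)}
    return report
```

On the constructed sample, 10.0.0.5 is reported with both reasons and 10.0.0.9 with none; in practice the packet summaries would come from the sniffer Snort or tcpdump provides on the segment.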

