Security Basics mailing list archives
Re: network worm
From: Kirk Schafer <infosec-capital () rainswept com>
Date: Fri, 17 Dec 2004 13:40:52 -0600
l c wrote:
Hi all, in the past days our network was stressed by a lot of network worms... <SNIP> The question is: "is there the possibility to set up an instrument (even Linux based) to sniff the network traffic with capabilities to find worms?" <SNIP> Thanks a lot, Luis
Luis,

While I understand that you want some identification capabilities, I also note that you said your antivirus software was not detecting worms itself. It seems like trying to identify the worms in a custom program would be like competing with the antivirus vendors.

In one project I worked on, we used a combination of Kiwi Syslog with two SonicWall firewalls set up to forward syslog messages to a syslog daemon. Further, we set up several network switches to do the same. Then, we wrote scripts that parsed the logs into a database and queried for certain disallowed activities. This was matched up against DHCP and WINS data from the firewalls, switches, and domain controllers, which was further matched up against login events, MAC addresses, and other relevant data.

The point of this description is that if you are asking to locate possible worms, the first thing that comes to my mind is a worm with SMTP. Assuming that checking personal email is disallowed at your site, other than your mail server(s) there should be no outgoing connections to ports 25, 110, or 995. Logging this activity allows fairly rapid assessment of trouble. By the same token, a network worm may scan your firewall or switches for shares, thus creating syslog entries for relevant ports (including the source IP, MAC address, and port), and raising suspicion. All of this can easily be automated, and if the relevant data is available over an Intranet or isolated security station, it's very effective. Instead of having to write extensive capture code, you just have to know how to handle data and write queries. You can always capture traffic later.

There are many uses for this kind of data collection, e.g., it's easy to find Instant Messengers. Blocking them these days can be a futile effort, because they cycle through hundreds, if not thousands, of connection points to find a way out. By considering passive logging rather than active blocking, they have no need to hide and you can keep them off your network.

Best regards,
Kirk

--
___________________________________________________
Kirk Schafer
Infosec Capital - Your Information Security Asset
308 East Broadway Ave, PO Box 1851
Fairfield, IA 52556
641-919-1783 (mobile)
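The approach Kirk describes (parse firewall syslog into a database, join it against DHCP data, and query for disallowed activity) can be shown end to end in a short script. The following is an added example, not code from Kirk's project and not SonicWall's or Kiwi Syslog's format: the log lines, the `key=value` layout they use, the DHCP lease table and the mail-server address are all constructed for the example. It loads the lines into an in-memory SQLite table and runs the two queries the post suggests: hosts other than the mail server(s) opening connections to ports 25, 110 or 995, and hosts touching many distinct destinations on the share ports 139 and 445.

```python
import re
import sqlite3

# Constructed sample syslog lines in a simplified, hypothetical "key=value"
# firewall format. They are NOT SonicWall's real log format.
SAMPLE_LOGS = """\
Dec 17 13:01:01 fw1 conn: src=10.0.0.25 dst=203.0.113.5 proto=tcp dport=25 action=allow
Dec 17 13:01:02 fw1 conn: src=10.0.0.12 dst=203.0.113.5 proto=tcp dport=25 action=allow
Dec 17 13:01:03 fw1 conn: src=10.0.0.12 dst=203.0.113.6 proto=tcp dport=25 action=allow
Dec 17 13:01:04 fw1 conn: src=10.0.0.57 dst=198.51.100.9 proto=tcp dport=110 action=allow
Dec 17 13:01:05 fw1 conn: src=10.0.0.57 dst=10.0.1.1 proto=tcp dport=445 action=drop
Dec 17 13:01:05 fw1 conn: src=10.0.0.57 dst=10.0.1.2 proto=tcp dport=445 action=drop
Dec 17 13:01:05 fw1 conn: src=10.0.0.57 dst=10.0.1.3 proto=tcp dport=445 action=drop
Dec 17 13:01:06 fw1 conn: src=10.0.0.57 dst=10.0.1.4 proto=tcp dport=139 action=drop
Dec 17 13:01:06 fw1 conn: src=10.0.0.57 dst=10.0.1.5 proto=tcp dport=445 action=drop
Dec 17 13:01:07 fw1 conn: src=10.0.0.40 dst=10.0.1.7 proto=tcp dport=445 action=allow
Dec 17 13:01:08 fw1 conn: src=10.0.0.40 dst=198.51.100.20 proto=tcp dport=443 action=allow
Dec 17 13:01:09 fw1 system: interface X1 link up
"""

# Constructed DHCP lease data (IP -> MAC), standing in for the DHCP/WINS
# correlation the post describes.
DHCP_LEASES = {
    "10.0.0.12": "00:11:22:33:44:aa",
    "10.0.0.40": "00:11:22:33:44:cc",
    "10.0.0.57": "00:11:22:33:44:bb",
}

# Assumed site policy: only these hosts may talk to mail ports.
MAIL_SERVERS = {"10.0.0.25"}

# Only "conn:" records match; other syslog lines (link state etc.) are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) conn: "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return a dict of fields for a connection line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def build_db(log_text, leases=DHCP_LEASES):
    """Load parsed connection records and DHCP leases into an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE conn (ts TEXT, host TEXT, src TEXT, dst TEXT, "
                 "proto TEXT, dport INTEGER, action TEXT)")
    conn.execute("CREATE TABLE lease (ip TEXT PRIMARY KEY, mac TEXT)")
    rows = [r for r in map(parse_line, log_text.splitlines()) if r]
    conn.executemany("INSERT INTO conn VALUES (:ts, :host, :src, :dst, :proto, :dport, :action)", rows)
    conn.executemany("INSERT INTO lease VALUES (?, ?)", leases.items())
    return conn


def rogue_mail_clients(conn, mail_servers=MAIL_SERVERS):
    """Hosts other than the mail servers that opened connections to ports 25/110/995."""
    placeholders = ",".join("?" * len(mail_servers))
    sql = f"""
        SELECT c.src, l.mac, c.dport, COUNT(*) AS hits
        FROM conn c LEFT JOIN lease l ON l.ip = c.src
        WHERE c.dport IN (25, 110, 995) AND c.src NOT IN ({placeholders})
        GROUP BY c.src, l.mac, c.dport
        ORDER BY c.src, c.dport
    """
    return conn.execute(sql, tuple(mail_servers)).fetchall()


def share_scanners(conn, min_targets=5):
    """Hosts that hit SMB/NetBIOS ports on at least min_targets distinct destinations."""
    sql = """
        SELECT c.src, l.mac, COUNT(DISTINCT c.dst) AS targets
        FROM conn c LEFT JOIN lease l ON l.ip = c.src
        WHERE c.dport IN (139, 445)
        GROUP BY c.src, l.mac
        HAVING COUNT(DISTINCT c.dst) >= ?
        ORDER BY targets DESC
    """
    return conn.execute(sql, (min_targets,)).fetchall()


def run_checks(log_text=SAMPLE_LOGS):
    """Run both queries over a log text and return their rows keyed by check name."""
    conn = build_db(log_text)
    return {"rogue_mail": rogue_mail_clients(conn), "share_scanners": share_scanners(conn)}


if __name__ == "__main__":
    for name, rows in run_checks().items():
        print(name)
        for row in rows:
            print("   ", row)
```

On the constructed sample this flags 10.0.0.12 (two outbound SMTP connections) and 10.0.0.57 (a POP3 connection plus probes of five different hosts on 445/139), each with the MAC address from the lease table, while the mail server's own SMTP traffic and the workstation reading a single file share are left alone. The `min_targets` threshold is the knob to tune for a real site; the single `LEFT JOIN` is what lets the MAC survive even when a lease record is missing, which is exactly the case worth noticing.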