Full Disclosure mailing list archives

Re: Reverse http traffic revisited


From: George Adamopoulos <zen32689 () zen co uk>
Date: Mon, 19 Jan 2004 17:40:31 +0000

On 18 Jan 2004 01:12:17 -0800
"Daniel H. Renner" <dan () losangelescomputerhelp com> wrote:

ICMP PING CyberKit 2.2 Windows

This is how Snort detects Blaster's/Nachi's attempts to ping an IP in order to check if it's alive, before trying to connect to port 80. Could be another variation of the Blaster worm. I would check (also Snort may detect CyberKit 2.2's packets as well, but I suppose that is something you would know of). If the packets are incoming, it is a normal thing that I witness in Snort's logs as well very often. Actually, I have removed the rule from Snort's rulesets, because it used to fill my logs with CyberKit attempts :P. If it is outgoing traffic, I would suggest that you should run Trend's HouseCall (free online antivirus) on the Windows servers/workstations of your network.

Also... gateway.dll is because of MSN chat. If you add a deny ACL for gateway.dll in your squid.conf, your workstations won't be able to use MSN chat any more.

Giorgos Adamopoulos

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
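The inbound/outbound distinction the reply draws is the useful triage step: CyberKit-style pings arriving from outside are background noise, while an internal host sweeping many outside addresses is the Blaster/Nachi pattern. The following is an added example, not code from the original thread, that scans Snort "fast" alert lines for that signature and reports internal sources by the number of distinct destinations they pinged. The alert lines, the rule SID and all addresses are constructed for the example; the internal network range is an assumption you would replace with your own.

```python
import ipaddress
import re

CYBERKIT_MSG = "ICMP PING CyberKit 2.2 Windows"

# Constructed sample alerts in Snort fast-alert format (SID and IPs made up).
# Line 1: an external host pinging us (noise). Lines 2-3: one internal host
# pinging two different external addresses (sweep pattern). Line 4: unrelated.
SAMPLE_ALERTS = """\
01/19-17:40:31.123456 [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 192.168.1.10
01/19-17:40:32.223456 [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.23 -> 198.51.100.4
01/19-17:40:32.323456 [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.23 -> 198.51.100.5
01/19-17:40:33.423456 [**] [1:9999:1] EXAMPLE OTHER ALERT [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.23:1234 -> 198.51.100.6:80
"""

# Pulls the message text, protocol and source/destination IPs out of one
# fast-alert line; ports (present for TCP/UDP) are matched but discarded.
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\].*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)


def classify_cyberkit_pings(lines, internal_net="192.168.0.0/16"):
    """Split CyberKit ping alerts by direction relative to internal_net.

    Returns {"inbound": <count of pings from outside>,
             "outbound": {internal_src_ip: <distinct destinations pinged>}}.
    """
    net = ipaddress.ip_network(internal_net)   # assumed local range
    inbound = 0
    outbound = {}                              # src ip -> set of dst ips
    for line in lines:
        m = ALERT_RE.search(line.rstrip())
        if not m or m.group("msg") != CYBERKIT_MSG:
            continue                           # other rule or unparseable
        src = ipaddress.ip_address(m.group("src"))
        if src in net:
            outbound.setdefault(str(src), set()).add(m.group("dst"))
        else:
            inbound += 1
    return {"inbound": inbound,
            "outbound": {ip: len(dsts) for ip, dsts in outbound.items()}}


if __name__ == "__main__":
    result = classify_cyberkit_pings(SAMPLE_ALERTS.splitlines())
    print("inbound (noise):", result["inbound"])
    for ip, n in sorted(result["outbound"].items(), key=lambda kv: -kv[1]):
        print(f"internal host {ip} pinged {n} distinct destinations: check it")
```

Feed it the real `alert` file with `classify_cyberkit_pings(open(path))` and treat any internal source with a high destination count as a host worth scanning, which is exactly the outgoing case the reply recommends checking.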
