Full Disclosure mailing list archives
Re: Reverse http traffic revisited
From: George Adamopoulos <zen32689 () zen co uk>
Date: Mon, 19 Jan 2004 17:40:31 +0000
On 18 Jan 2004 01:12:17 -0800 "Daniel H. Renner" <dan () losangelescomputerhelp com> wrote:
ICMP PING CyberKit 2.2 Windows
This is how snort detects blaster's/nachi's attempts to ping an IP in order to check if it's alive, before trying to connect to port 80. Could be another variation of the blaster worm.I would check (Also snort may detect Cyberkit's 2.2 packets as well, but i suppose that is something you would know of). If the packets are incoming, it is a normal thing that i witness in snort's logs as well very often. Actually, i have removed the rule from snort's rulesets, because it used to fill my logs with cyberkit attempts :P. If it is outgoing traffic, i would suggest that you should run trend's housecall (free online antivirus) on the windows servers/workstations of your network. Also... gateway.dll is because of msn chat. If you add a deny acl for gateway.dll in your squid.conf, your workstations won't be able to use msn chat any more. Giorgos Adamopoulos _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Reverse http traffic revisited Daniel H. Renner (Jan 18)
- Re: Reverse http traffic revisited George Adamopoulos (Jan 19)