Full Disclosure mailing list archives
Re: BlackWorm technical information
From: Mike Owen <kyphros () gmail com>
Date: Tue, 24 Jan 2006 12:11:16 -0800
On 1/24/06, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
> The *interesting* question is whether it's possible to use this to count the *actual* number of affected machines by excluding all the rubberneckers that are visiting the page and hitting "refresh" to see the numbers go up. Maybe by looking at the Referer or User-Agent values?
That's what the Snort rule looks for, a connection to that page without a Referer: tag. Not perfect, but it works well enough.

Mike
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
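The heuristic discussed in this message (a request for the counter page that carries no Referer header), applied offline to web-server access logs. This is an added example, not part of the original thread and not the Snort rule itself. The counter path, the Combined Log Format input, the sample lines and the de-duplication by source IP are all assumptions.

```python
import re
from collections import Counter

# Hypothetical counter path; the thread does not give the real URL.
COUNTER_PATH = "/counter-placeholder.cgi"

# Apache/NCSA Combined Log Format (assumed input format).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines using documentation IP ranges, not real data.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Jan/2006:12:00:01 -0800] "GET /counter-placeholder.cgi?df=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [24/Jan/2006:12:05:09 -0800] "GET /counter-placeholder.cgi?df=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [24/Jan/2006:12:00:03 -0800] "GET /counter-placeholder.cgi?df=1 HTTP/1.1" 200 512 "http://blog.example/post" "Mozilla/5.0 Firefox/1.5"
198.51.100.7 - - [24/Jan/2006:12:00:09 -0800] "GET /counter-placeholder.cgi?df=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 Firefox/1.5"
203.0.113.44 - - [24/Jan/2006:12:01:30 -0800] "GET /counter-placeholder.cgi HTTP/1.0" 200 512 "" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.99 - - [24/Jan/2006:12:02:00 -0800] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

def classify_hits(log_text, path=COUNTER_PATH):
    """Count counter-page hits per source IP, split by Referer presence."""
    no_referer, referred = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        if m["target"].split("?", 1)[0] != path:
            continue  # some other page, not the counter
        bucket = no_referer if m["referer"] in ("", "-") else referred
        bucket[m["ip"]] += 1
    return no_referer, referred

def estimate(log_text):
    """Summarise raw hits versus distinct no-Referer sources."""
    no_referer, referred = classify_hits(log_text)
    # Conservative choice: a source that ever sent a Referer is treated as a
    # browser. Typed URLs and privacy proxies also omit Referer, and NAT hides
    # hosts behind one IP, so this stays an estimate ("not perfect").
    candidates = sorted(set(no_referer) - set(referred))
    return {
        "raw_hits": sum(no_referer.values()) + sum(referred.values()),
        "no_referer_hits": sum(no_referer.values()),
        "candidate_hosts": candidates,
    }

if __name__ == "__main__":
    print(estimate(SAMPLE_LOG))
```

Counting distinct sources rather than hits keeps a host that requests the page repeatedly from inflating the total.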