Security Incidents mailing list archives
Re: Novarg
From: James Riden <j.riden () massey ac nz>
Date: Thu, 29 Jan 2004 08:10:43 +1300
"Jonathan A. Zdziarski" <jonathan () nuclearelephant com> writes:
> Finally a means of detection is helpful in spearheading the really daft ones who don't read what you give them or pay attention in training. Setting up detection on port 25 outgoing and other suspicious ports can tell you who went and opened the attachment.

Writing a Perl script to grovel through PIX logs looking for >5000 denies on 25/tcp outbound is trivial. (And you can pick up the 135-139/tcp outbound for Blaster and variants at the same time.) But I could probably share mine if anyone wants one. Of course I'd prefer a good IDS signature, if available.

-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.
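The log grovel described above, as an added example that is not part of the original post and is not James Riden's Perl script: a Python version that counts Cisco PIX 106023 "Deny tcp" messages per inside host for outbound 25/tcp and 135-139/tcp and flags any host above the >5000 threshold. The sample log lines are constructed here in the shape of PIX 106023 messages; the interface name `inside`, the access-group names and the IP addresses are assumptions, and the file name `pixgrovel.py` in the usage comment is hypothetical.

```python
import re
import sys
from collections import Counter

# Cisco PIX 106023 ACL-deny message, e.g.
#   %PIX-4-106023: Deny tcp src inside:10.1.20.44/1025 dst outside:192.0.2.1/25 by access-group "inside_out"
# Anything before %PIX (syslog timestamp, hostname) is ignored by search().
DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Outbound TCP ports worth counting, as named in the post.
WATCH = {
    "25/tcp": {25},                            # direct-to-MX mass mailing (Novarg)
    "135-139/tcp": {135, 136, 137, 138, 139},  # Blaster and variants
}

def parse_outbound_tcp_denies(lines, inside_if="inside"):
    """Yield (src_ip, dst_port) for each TCP deny whose source sits on inside_if."""
    for line in lines:
        m = DENY_RE.search(line)
        if m is None or m.group("proto").lower() != "tcp":
            continue
        if m.group("src_if") != inside_if:
            continue  # inbound probe from the Internet, not one of our hosts
        yield m.group("src"), int(m.group("dport"))

def count_by_host(lines, inside_if="inside"):
    """Return {port_group: Counter(src_ip -> number of denies)}."""
    counts = {group: Counter() for group in WATCH}
    for src, dport in parse_outbound_tcp_denies(lines, inside_if):
        for group, ports in WATCH.items():
            if dport in ports:
                counts[group][src] += 1
    return counts

def suspects(lines, threshold=5000, inside_if="inside"):
    """Hosts with more than `threshold` outbound denies in any watched port group."""
    report = {}
    for group, counter in count_by_host(lines, inside_if).items():
        hot = {ip: n for ip, n in counter.items() if n > threshold}
        if hot:
            report[group] = hot
    return report

# --- constructed sample log (assumed addresses and names, not real traffic) ---
def _deny(src, sport, dst, dport, src_if="inside", dst_if="outside"):
    return (f"Jan 28 08:10:43 fw1 %PIX-4-106023: Deny tcp src {src_if}:{src}/{sport} "
            f'dst {dst_if}:{dst}/{dport} by access-group "{src_if}_access_in"')

def build_sample():
    lines = []
    # infected workstation: 6000 attempts straight at remote MXes on 25/tcp
    lines += [_deny("10.1.20.44", 1025 + i % 4000, f"192.0.2.{i % 250 + 1}", 25) for i in range(6000)]
    # Blaster-style scanner: 5200 attempts on 135/tcp
    lines += [_deny("10.1.30.7", 3000 + i % 2000, f"198.51.100.{i % 250 + 1}", 135) for i in range(5200)]
    # misconfigured mail client: a dozen 25/tcp denies, well under the threshold
    lines += [_deny("10.1.40.9", 2000 + i, "192.0.2.5", 25) for i in range(12)]
    # inbound probes: source is on the outside interface and must not be counted
    lines += [_deny("203.0.113.9", 40000 + i, "10.1.1.1", 25, src_if="outside", dst_if="inside")
              for i in range(7000)]
    # noise: a UDP deny and an unrelated port from the infected host
    lines.append('Jan 28 08:11:00 fw1 %PIX-4-106023: Deny udp src inside:10.1.20.44/1234 '
                 'dst outside:192.0.2.1/53 by access-group "inside_access_in"')
    lines.append(_deny("10.1.20.44", 5555, "192.0.2.1", 80))
    return lines

SAMPLE_LINES = build_sample()

if __name__ == "__main__":
    # Usage: python pixgrovel.py [pix.log]   (defaults to the constructed sample)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    for group, hosts in suspects(source).items():
        for ip, n in sorted(hosts.items(), key=lambda kv: -kv[1]):
            print(f"{group}: {ip} {n} denies")
```

Only ACL denies logged as message 106023 are matched; a PIX that logs refused connections under other message IDs needs `DENY_RE` extended for those formats. The source-interface check is what keeps Internet-side scans of your own mail relay from being reported as an infected internal host.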
Current thread:
- Novarg sloppy seconds (Jan 28)
- Re: Novarg Jonathan A. Zdziarski (Jan 28)
- Re: Novarg James Riden (Jan 28)
- Re: Novarg Jim Zajkowski (Jan 28)
- Re: Novarg Nick FitzGerald (Jan 29)
- Re: Novarg Greg A. Woods (Jan 28)
- Re: Novarg Jonathan A. Zdziarski (Jan 28)
- best defense (was: Re: Novarg Meritt James (Jan 29)
- Re: best defense (was: Re: Novarg Greg A. Woods (Jan 30)
- Re: Novarg Matt Curtin (Jan 30)
- Re: Novarg Matt Curtin (Jan 29)
- Re: Novarg Jonathan A. Zdziarski (Jan 28)
- RE: Novarg - Stopping .Zip Files Tom Milliner (Jan 28)
- Re: Novarg - Stopping .Zip Files Keith W. McCammon (Jan 28)