Security Incidents mailing list archives
Re: cuebot-d infection method
From: Harlan Carvey <keydet89 () yahoo com>
Date: Sat, 27 Aug 2005 02:19:22 -0700 (PDT)
Jeff,

Thanks for the response. However, it doesn't address the comment that Jayson made, re: post-mortem analysis. I'd still really like to know where to look, and what to look for...

Thanks.

--- Jeff Bryner <jbryner1 () yahoo com> wrote:
<harlan & jayson on where to look for post-mortem packet traces>

Lacking full network packet logs, one thing I did during this one was look at flow data from our network infrastructure. <disclaimer>my flowdata knowledge is limited</disclaimer>

This can be misleading, however, because internal flow data will capture the outgoing attack packets that may get blocked later by a firewall. There also doesn't seem to be a one-to-one correspondence between the flow and what the firewall blocked outgoing (i.e., the firewall records more blocks than the flow data shows). Does someone with more flow-data/flow-tools experience know why this may be so?

Jeff.

P.S. Flow-tools example queries:
http://www.splintered.net/sw/flow-tools/docs/flow-tools-examples.html
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
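An added example, not code from this thread or from flow-tools, of the flow-versus-firewall comparison Jeff describes: it correlates constructed flow records with constructed per-packet firewall deny lines by source, destination, protocol and destination port, so the count mismatch (one aggregated flow record against several per-packet denies, plus denies with no matching flow) shows up per destination. Both record layouts are assumptions for the example, not any product's real format.

```python
from collections import defaultdict
# Constructed flow records (layout assumed, loosely modelled on a flow-tools
# flow-print listing): src dst proto sport dport packets octets
FLOW_RECORDS = """\
10.1.2.3 192.0.2.10 6 4321 135 12 720
10.1.2.3 192.0.2.11 6 4322 135 8 480
10.1.2.3 198.51.100.5 6 4323 80 40 31200
"""
# Constructed per-packet firewall deny lines (format assumed, not a real product's).
FIREWALL_DENIES = """\
deny tcp 10.1.2.3:4321 -> 192.0.2.10:135
deny tcp 10.1.2.3:4321 -> 192.0.2.10:135
deny tcp 10.1.2.3:4321 -> 192.0.2.10:135
deny tcp 10.1.2.3:4322 -> 192.0.2.11:135
deny tcp 10.1.2.3:9999 -> 192.0.2.12:135
"""
PROTO = {6: "tcp", 17: "udp"}

def parse_flows(text):
    """Map (src, dst, proto, dport) -> (records, packets); one record covers many packets."""
    flows = {}
    for line in text.splitlines():
        src, dst, proto, _sport, dport, pkts, _octets = line.split()
        key = (src, dst, PROTO.get(int(proto), proto), int(dport))
        recs, total = flows.get(key, (0, 0))
        flows[key] = (recs + 1, total + int(pkts))
    return flows

def parse_denies(text):
    """Map (src, dst, proto, dport) -> deny lines, i.e. blocked packets."""
    denies = defaultdict(int)
    for line in text.splitlines():
        _deny, proto, src, _arrow, dst = line.split()
        dst_ip, dport = dst.rsplit(":", 1)
        denies[(src.rsplit(":", 1)[0], dst_ip, proto, int(dport))] += 1
    return denies

def correlate(flow_text, deny_text):
    """Per destination: what the internal flow data saw vs what the firewall blocked."""
    flows, denies = parse_flows(flow_text), parse_denies(deny_text)
    return {k: {"flow_records": flows.get(k, (0, 0))[0],
                "flow_packets": flows.get(k, (0, 0))[1],
                "blocked_packets": denies.get(k, 0)} for k in set(flows) | set(denies)}

def summarize(report):
    """Totals disagree by design: a flow aggregates packets, a deny log counts each one."""
    return {"flow_records": sum(r["flow_records"] for r in report.values()),
            "deny_entries": sum(r["blocked_packets"] for r in report.values()),
            "blocked_without_flow": sorted(k for k, r in report.items() if not r["flow_records"])}
```

Comparing packet counts per destination rather than raw record counts is what makes the two sources line up; a deny with no flow at all (the 192.0.2.12 case here) is the kind of gap worth chasing separately, for instance an exporter that samples or a path the flow collector does not see.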