Security Incidents mailing list archives

Re: cuebot-d infection method


From: Harlan Carvey <keydet89 () yahoo com>
Date: Sat, 27 Aug 2005 02:19:22 -0700 (PDT)

Jeff,

Thanks for the response.  However, it doesn't address
the comment that Jayson made, re: post-mortem
analysis.  I'd still really like to know where to
look, and what to look for...

Thanks.

--- Jeff Bryner <jbryner1 () yahoo com> wrote:

<harlan & jayson on where to look for post-mortem
packet traces>

Lacking full network packet logs, one thing I did
during this one was
look at flow data from our network infrastructure. 

<disclaimer>my flowdata knowledge is
limited</disclaimer>

This can be misleading, however, because internal
flow data will capture
the outgoing attack packets that may get blocked
later by a firewall.
There also doesn't seem to be a one to one
correspondence between the
flow and what the firewall blocked outgoing. (i.e.,
the firewall
records more blocks than the flow data shows). 

Does someone with more flow-data/flow-tools
experience know why this
may be so? 

Jeff.
P.S. Flow-tools example queries: 

http://www.splintered.net/sw/flow-tools/docs/flow-tools-examples.html



------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
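Reconciling the two views Jeff describes (flow records against firewall blocks), as an added example that is not part of the thread or of flow-tools: a short Python script joins constructed flow records, one per key with a packet count, to constructed per-packet firewall deny lines on the same key. The record formats, field names and addresses are all made up for the example. It shows one way the totals diverge: an exporter collapses many packets with the same key into a single flow record, while a firewall that logs each dropped packet emits one line per packet, so the firewall side can show more blocks than there are flows.

```python
from collections import defaultdict

# Constructed sample data (not from the thread). Flow record fields:
# src_ip,dst_ip,proto,dst_port,packets. A flow exporter collapses every
# packet sharing that key within a window into one record with a count.
FLOW_RECORDS = """\
10.1.1.5,203.0.113.9,6,445,12
10.1.1.5,198.51.100.7,6,135,4
10.1.1.8,203.0.113.22,6,80,31
"""

# Constructed firewall log: one DENY line per dropped packet, not per flow.
FIREWALL_LOG = """\
DENY src=10.1.1.5 dst=203.0.113.9 proto=6 dport=445
DENY src=10.1.1.5 dst=203.0.113.9 proto=6 dport=445
DENY src=10.1.1.5 dst=203.0.113.9 proto=6 dport=445
DENY src=10.1.1.5 dst=198.51.100.7 proto=6 dport=135
DENY src=10.1.1.5 dst=198.51.100.7 proto=6 dport=135
DENY src=10.1.1.5 dst=198.51.100.7 proto=6 dport=135
DENY src=10.1.1.5 dst=198.51.100.7 proto=6 dport=135
DENY src=10.1.1.9 dst=203.0.113.40 proto=17 dport=53
"""

def parse_flows(text):
    """Return {(src, dst, proto, dport): packets} from flow lines."""
    flows = {}
    for line in filter(None, text.splitlines()):
        src, dst, proto, dport, pkts = line.split(",")
        flows[(src, dst, int(proto), int(dport))] = int(pkts)
    return flows

def parse_denies(text):
    """Return {(src, dst, proto, dport): deny-line count} from the firewall log."""
    counts = defaultdict(int)
    for line in text.splitlines():
        if not line.startswith("DENY"):
            continue
        kv = dict(tok.split("=", 1) for tok in line.split()[1:])
        counts[(kv["src"], kv["dst"], int(kv["proto"]), int(kv["dport"]))] += 1
    return counts

def reconcile(flows, denies):
    """Join both views on the key. blocked: flow -> (flow packets, deny lines);
    allowed: flows the firewall never logged; unseen: denies with no flow record.
    A per-key gap (12 packets seen, 3 deny lines) is itself a lead to chase."""
    blocked = {k: (flows[k], denies[k]) for k in flows if k in denies}
    allowed = sorted(k for k in flows if k not in denies)
    unseen = sorted(k for k in denies if k not in flows)
    return blocked, allowed, unseen
```

On the constructed data this yields 3 flow records against 8 deny lines, with one flow the firewall never logged and one deny key the flow data never saw.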