Snort mailing list archives
Best detection of Worm
From: "Bristol, Gary L." <gbristol () ou edu>
Date: Thu, 16 Dec 2004 22:18:51 -0600
We seem to be seeing an infection of the WORM_RBOT.TO worm. By examination of the DNS logs, we're finding DNS lookups for the site (gz.freetypers.us) that the worm then establishes an IRC connection to. What would be the best way to detect on this, an initial on the DNS lookup and then a positive on the IRC connection?

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.TO&VSect=T

Thanks
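An added example, not part of the original post: one way to do the two-stage check offline, marking a host "suspect" when it looks up the domain named above and "confirmed" when the same host then connects to the address that lookup returned. The log layouts, the 10-minute window and all addresses are assumptions constructed for illustration; the port is recorded but not checked because the post does not state one.

```python
from datetime import datetime, timedelta

WATCHED = "gz.freetypers.us"     # domain named in the post
WINDOW = timedelta(minutes=10)   # assumption: max gap between lookup and connection

# Constructed sample records (hypothetical formats).
# DNS:  timestamp client_ip query_name answer_ip
DNS_LOG = """\
2004-12-16T21:58:02 10.1.4.17 www.example.edu 192.0.2.80
2004-12-16T22:01:10 10.1.4.23 gz.freetypers.us 192.0.2.45
2004-12-16T22:03:41 10.1.7.88 GZ.FREETYPERS.US. 192.0.2.45
"""
# Flow: timestamp src_ip dst_ip dst_port
FLOW_LOG = """\
2004-12-16T22:01:12 10.1.4.23 192.0.2.45 6667
2004-12-16T22:02:00 10.1.4.17 192.0.2.45 6667
2004-12-16T23:30:00 10.1.7.88 192.0.2.45 6667
"""

def correlate(dns_log, flow_log, watched=WATCHED, window=WINDOW):
    """Return {client_ip: "suspect" | "confirmed"} for hosts that queried `watched`."""
    lookups = {}  # client_ip -> [(lookup_time, answer_ip), ...]
    for line in dns_log.splitlines():
        ts, client, qname, answer = line.split()
        # DNS names are case-insensitive and may carry a trailing root dot.
        if qname.rstrip(".").lower() == watched:
            lookups.setdefault(client, []).append(
                (datetime.fromisoformat(ts), answer))

    # Stage 1: every host that asked for the name is at least a suspect.
    verdict = {client: "suspect" for client in lookups}

    # Stage 2: upgrade when the same host connects to the resolved address
    # shortly after its own lookup.
    for line in flow_log.splitlines():
        ts, src, dst, _dport = line.split()
        when = datetime.fromisoformat(ts)
        for seen, answer in lookups.get(src, []):
            if dst == answer and timedelta(0) <= when - seen <= window:
                verdict[src] = "confirmed"
    return verdict

if __name__ == "__main__":
    for host, state in sorted(correlate(DNS_LOG, FLOW_LOG).items()):
        print(host, state)
```

A host that reaches the resolved address without a logged lookup (10.1.4.17 in the sample) is not reported by this check and would need a separate destination-address match.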