Security Basics mailing list archives

Re: network worm


From: "xyberpix" <xyberpix () xyberpix com>
Date: Thu, 9 Dec 2004 10:12:30 -0000 (GMT)

It may be worth having a look into Snort (http://www.snort.org), I'm pretty
sure this could be made to do what you want, and could even send off some
alerts as well.
Back when Code Red was still around I had this setup on one of our
perimeter boxes to do the same thing, and then send a mail to
abuse@<domainnamehere>. Worked quite well.

xyberpix

On Wed, 8 December, 2004 10:24 pm, l c said:
Hi all,
in the past days our network was stressed by a lot
of network worms (not found by the local antivirus,
which is already up to date), with a stop of the traffic caused
by lots of ARP requests. The last one was
WORM_SDBOT.ACJ, a worm that propagates itself using
network shares and one that Trend Micro (up to
date) was unable to find, causing the saturation of
the network switches and the related stop of all
work. The question is: "is there the possibility to
set up an instrument (even Linux based) to sniff the
network traffic with the capability to find worms?" We
already have a Linux based tool for network
monitoring; this tool is useful to isolate hosts with
lots of ARP requests (typical of the worm), but this
tool can't point us to which worm is generating the
traffic.

Thanks a lot
Luis






-- 
For security and Opensource news check out:
http://xyberpix.demon.co.uk
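As an added example (editor's code, not from either poster or from Snort), the heuristic Luis describes for his Linux monitoring tool, isolating hosts that issue lots of ARP requests, can be written as a small sliding-window detector over tcpdump-style ARP lines. The input format, the sample lines and the thresholds (5 second window, 20 distinct targets) are assumptions for illustration; the sample contains one host sweeping 60 addresses in under a second next to a host doing a few ordinary lookups.

```python
"""Flag hosts that send ARP requests to many distinct targets in a short
window, the "lots of ARP requests" symptom described in the thread.
Example code added by the editor; the log format and thresholds are assumed."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed input: tcpdump-style ARP request lines such as
#   10:00:01.250000 ARP, Request who-has 192.168.1.5 tell 192.168.1.77, length 28
ARP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Request who-has (?P<target>[\d.]+) "
    r"tell (?P<sender>[\d.]+)"
)


def parse_arp_request(line):
    """Return (seconds_of_day, sender, target), or None for non-ARP lines."""
    m = ARP_RE.match(line)
    if not m:
        return None
    t = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
    secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
    return secs, m.group("sender"), m.group("target")


def max_distinct_targets(events, window_s):
    """events: list of (time, target) for one sender. Returns the largest
    number of distinct targets probed inside any window_s-second window."""
    events = sorted(events)
    counts = defaultdict(int)  # target -> occurrences inside the current window
    best = 0
    j = 0
    for i, (t_i, _) in enumerate(events):
        # extend the right edge of the window to cover everything within window_s of t_i
        while j < len(events) and events[j][0] - t_i <= window_s:
            counts[events[j][1]] += 1
            j += 1
        best = max(best, len(counts))
        # slide the left edge past event i before the next iteration
        counts[events[i][1]] -= 1
        if counts[events[i][1]] == 0:
            del counts[events[i][1]]
    return best


def find_arp_scanners(lines, window_s=5.0, min_targets=20):
    """Return {sender: peak distinct targets} for senders at or above
    min_targets. The defaults are assumptions to tune per network."""
    per_sender = defaultdict(list)
    for line in lines:
        parsed = parse_arp_request(line)
        if parsed:
            t, sender, target = parsed
            per_sender[sender].append((t, target))
    peaks = {s: max_distinct_targets(ev, window_s) for s, ev in per_sender.items()}
    return {s: n for s, n in peaks.items() if n >= min_targets}


def constructed_sample():
    """Constructed sample (not a real capture): 192.168.1.77 sweeps 60
    addresses 15 ms apart, 192.168.1.10 makes three lookups over a minute,
    and one non-ARP line is present to show it is ignored."""
    lines = []
    for k in range(60):
        usec = k * 15000
        lines.append(f"10:00:00.{usec:06d} ARP, Request who-has 192.168.1.{k + 1} "
                     f"tell 192.168.1.77, length 28")
    for k, sec in enumerate((5, 30, 55)):
        lines.append(f"10:00:{sec:02d}.000000 ARP, Request who-has 192.168.1.{k + 1} "
                     f"tell 192.168.1.10, length 28")
    lines.append("10:00:10.000000 IP 192.168.1.10.51515 > 192.168.1.1.53: UDP, length 40")
    return lines


if __name__ == "__main__":
    for host, n in find_arp_scanners(constructed_sample()).items():
        print(f"{host}: {n} distinct ARP targets within a 5 s window")
```

Counting distinct targets rather than raw request volume is what separates a sweeping host from a busy but legitimate one that re-resolves the same gateway; as the thread notes, this points at the noisy host but not at which worm it is, which is where signature-based inspection such as Snort comes in.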

