RE: any other tool to detect worm?

["Taylor, David" <ltr () nursing upenn edu>]

You can always use TCPDUMP or WINDUMP to observe traffic.  If you are
needing to do this from a single PC with Windows you can download WINPCAP
and WINDUMP from http://netgroup-serv.polito.it/netgroup/tools.html. If you
have Linux you can use TCPDUMP which is installed by default on a lot of
platforms.

WINDUMP is a Win32 port of TCPDUMP so the command line is pretty much the
same.  You can pass these tools specific filters to watch certain traffic.
For instance, if you have a pc at home that does not offer services to other
computers on the Internet such as a web server, etc.  You can watch
unsolicited traffic and begin to see patterns.  I was using this when
blaster was born and knew right away there was a new worm.

So, if you want to watch traffic on your home pc you can: (read the manual
on how to get your adapter)

Windump -tnn tcp[13]==0x02 and dst host your.ip

This line above will give you all TCP connection requests heading TO your ip
address and has the SYN flag set which indicates a new connection request.

Hope that helps

-----Original Message-----
From: dcneting [mailto:ansiry () tm net my] 
Sent: Friday, April 30, 2004 8:20 PM
To: focus-virus () securityfocus com; honeypots () securityfocus com
Subject: any other tool to detect worm?

 

________________________________

From: dcneting [mailto:ansiry () tm net my] 
Sent: Saturday, May 01, 2004 8:18 AM
To: 'focus-virus () securityfocus com'
Subject: any other tool to detect worm?


is there any tools that i can use to just detect worm-like activity besides
that using honeyd? if there is, how can i use it to detect worms(known and
unknown) preferably open source platform.