Security Incidents mailing list archives

Re: Novarg


From: James Riden <j.riden () massey ac nz>
Date: Thu, 29 Jan 2004 08:10:43 +1300

"Jonathan A. Zdziarski" <jonathan () nuclearelephant com> writes:

> Finally a means of detection is helpful in spearheading the really daft
> ones who don't read what you give them or pay attention in training.
> Setting up detection on port 25 outgoing and other suspicious ports can
> tell you who went and opened the attachment.

Writing a perl script to grovel through PIX logs looking for >5000
denies on 25/tcp outbound is trivial. (And you can pick up the
135-139/tcp outbound for Blaster and variants at the same time). But I
could probably share mine if anyone wants one.

Of course I'd prefer a good IDS signature, if available.

-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.
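The log-grovelling approach James describes, written out as an added example (in Python rather than the Perl he mentions; this is not his script). It parses Cisco PIX `%PIX-4-106023` access-list deny messages, counts per source host the denied outbound TCP connections to 25/tcp and 135-139/tcp, and reports hosts over a threshold (5000 by default, as in the post). The sample log lines, the interface name `inside` and the host addresses are constructed for the example.

```python
"""Scan Cisco PIX syslog for hosts with excessive outbound TCP denies.

A workstation that has opened the Novarg/MyDoom attachment tries to
connect to many 25/tcp hosts directly; a firewall rule that blocks
outbound SMTP from workstations turns each attempt into a deny log
line, so the noisiest source addresses are the infected machines.
"""
import re
from collections import Counter, defaultdict

# Cisco PIX 106023 message format (access-list deny), for example:
# %PIX-4-106023: Deny tcp src inside:10.1.2.3/4567 dst outside:203.0.113.5/25
#                by access-group "outbound" [0x0, 0x0]
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+)"
)

# Destination ports worth counting: SMTP for mass-mailers such as
# Novarg, and the RPC/NetBIOS range for Blaster and its variants.
WATCHED_PORTS = {25: "smtp", 135: "msrpc", 136: "profile",
                 137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}


def parse_deny(line):
    """Return the fields of a 106023 deny line, or None for other lines."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return {"proto": m["proto"].lower(), "src_if": m["src_if"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def count_denies(lines, ports=WATCHED_PORTS, inside_if="inside"):
    """Count denied outbound TCP connections per source host and port.

    'Outbound' means the source interface is the inside one (assumed to
    be named 'inside' here); denies arriving from outside are ignored.
    """
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_deny(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["src_if"] != inside_if or rec["dport"] not in ports:
            continue
        counts[rec["src"]][rec["dport"]] += 1
    return counts


def flag_hosts(counts, threshold=5000):
    """Return {src: {port: n}} for hosts with more than threshold denies."""
    flagged = {}
    for src, per_port in counts.items():
        hot = {p: n for p, n in per_port.items() if n > threshold}
        if hot:
            flagged[src] = hot
    return flagged


def build_sample_log():
    """Constructed sample: one infected mailer, one quiet host, one Blaster-style
    scanner, plus inbound and UDP noise that must not be counted."""
    fmt = ("%PIX-4-106023: Deny {proto} src {sif}:{src}/{sport} "
           "dst {dif}:{dst}/{dport} by access-group \"outbound\" [0x0, 0x0]")
    lines = []
    for i in range(5200):   # infected host spraying SMTP at many targets
        lines.append(fmt.format(proto="tcp", sif="inside", src="10.1.2.3",
                                sport=1024 + i % 60000, dif="outside",
                                dst=f"203.0.113.{i % 250 + 1}", dport=25))
    for i in range(3):      # ordinary host, a few stray denies
        lines.append(fmt.format(proto="tcp", sif="inside", src="10.1.2.4",
                                sport=2000 + i, dif="outside",
                                dst="198.51.100.7", dport=25))
    for i in range(20):     # RPC/NetBIOS scanner, below the 5000 threshold
        for port in (135, 139):
            lines.append(fmt.format(proto="tcp", sif="inside", src="10.1.2.5",
                                    sport=3000 + i, dif="outside",
                                    dst=f"198.51.100.{i + 10}", dport=port))
    lines.append(fmt.format(proto="tcp", sif="outside", src="192.0.2.9",
                            sport=4444, dif="inside", dst="10.1.2.3", dport=25))
    lines.append(fmt.format(proto="udp", sif="inside", src="10.1.2.6",
                            sport=5000, dif="outside", dst="198.51.100.1", dport=137))
    return lines


if __name__ == "__main__":
    counts = count_denies(build_sample_log())
    for src, hot in flag_hosts(counts).items():
        detail = ", ".join(f"{WATCHED_PORTS[p]}/{p}: {n}" for p, n in sorted(hot.items()))
        print(f"{src}  {detail}")
```

Run against a real syslog file with `count_denies(open(path))`; lowering the threshold (for example `flag_hosts(counts, 10)`) surfaces the slower 135-139/tcp scanners that never reach 5000 denies.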

