Security Incidents mailing list archives
Re: cuebot-d infection method
From: Jeff Bryner <jbryner1 () yahoo com>
Date: Fri, 26 Aug 2005 09:56:35 -0700 (PDT)
<harlan & jayson on where to look for post-mortem packet traces>

Lacking full network packet logs, one thing I did during this one was look at flow data from our network infrastructure. <disclaimer>my flow-data knowledge is limited</disclaimer>

This can be misleading, however, because internal flow data will capture the outgoing attack packets that may get blocked later by a firewall. There also doesn't seem to be a one-to-one correspondence between the flow and what the firewall blocked outgoing (i.e., the firewall records more blocks than the flow data shows). Does someone with more flow-data/flow-tools experience know why this may be so?

Jeff.

P.S. Flow-tools example queries: http://www.splintered.net/sw/flow-tools/docs/flow-tools-examples.html
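An added example of lining flow records up against a firewall's deny log, written for this archive page rather than taken from the post or any reply in the thread. The flow records, the firewall log format and the addresses are all constructed; no real flow-tools or firewall output is assumed. What it shows is one reason the two counts can legitimately differ when both are looking at the same traffic: a flow record aggregates every packet of a 5-tuple into one entry with a packet counter, while a firewall that drops each packet logs each drop, so retransmitted attempts inflate the deny count relative to the number of flow records. It also separates out denied tuples that never show up in the flow export at all, which is the set worth examining for export-window, sampling or observation-point gaps.

```python
"""Correlate aggregated flow records with a per-packet firewall deny log.

Constructed sample data only. The flow records imitate a NetFlow-style
5-tuple export from an internal router; the firewall log imitates one
DENY line per dropped packet at the perimeter.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int  # every packet seen for this 5-tuple, folded into one record

    @property
    def key(self):
        return (self.src, self.sport, self.dst, self.dport, self.proto)


# Constructed flow export: host 10.1.2.3 probing tcp/445 on three peers.
# Retransmitted SYNs share the 5-tuple, so they collapse into one record.
FLOWS = [
    Flow("10.1.2.3", 1034, "192.0.2.10", 445, "tcp", 3),
    Flow("10.1.2.3", 1040, "192.0.2.11", 445, "tcp", 2),
    Flow("10.1.2.3", 1050, "192.0.2.12", 445, "tcp", 1),
    Flow("10.1.2.3", 2001, "198.51.100.5", 80, "tcp", 40),  # allowed web traffic
]

# Constructed firewall deny log: one line per dropped packet. The last line
# is a tuple the flow export never recorded (e.g. outside the export window).
FW_LOG = """\
Aug 26 09:40:01 fw1 DENY tcp 10.1.2.3:1034 -> 192.0.2.10:445
Aug 26 09:40:04 fw1 DENY tcp 10.1.2.3:1034 -> 192.0.2.10:445
Aug 26 09:40:10 fw1 DENY tcp 10.1.2.3:1034 -> 192.0.2.10:445
Aug 26 09:40:05 fw1 DENY tcp 10.1.2.3:1040 -> 192.0.2.11:445
Aug 26 09:40:08 fw1 DENY tcp 10.1.2.3:1040 -> 192.0.2.11:445
Aug 26 09:40:09 fw1 DENY tcp 10.1.2.3:1050 -> 192.0.2.12:445
Aug 26 09:40:11 fw1 DENY tcp 10.1.2.3:1051 -> 192.0.2.13:445
"""

FW_RE = re.compile(
    r"DENY (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_fw_denies(text):
    """Count firewall DENY lines per (src, sport, dst, dport, proto)."""
    counts = Counter()
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m:
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"])
            counts[key] += 1
    return counts


def correlate(flows, fw_text):
    """Join deny counts onto flow records and classify the leftovers."""
    denies = parse_fw_denies(fw_text)
    by_key = {f.key: f for f in flows}
    matched = []   # (key, deny lines, flow packet counter)
    no_flow = []   # denied at the firewall, but no flow record exported
    for key, n in denies.items():
        if key in by_key:
            matched.append((key, n, by_key[key].packets))
        else:
            no_flow.append((key, n))
    not_denied = [f for f in flows if f.key not in denies]
    return {
        "deny_lines": sum(denies.values()),       # what the firewall counts
        "deny_tuples": len(denies),               # distinct attempts it blocked
        "flow_records_matched": len(matched),     # what the flow export counts
        "matched": matched,
        "denied_without_flow": no_flow,
        "flows_not_denied": not_denied,
    }


if __name__ == "__main__":
    r = correlate(FLOWS, FW_LOG)
    print(f"firewall deny lines: {r['deny_lines']}, distinct tuples: {r['deny_tuples']}")
    print(f"flow records matching a denied tuple: {r['flow_records_matched']}")
    for key, n, pkts in r["matched"]:
        print(f"  {key}: {n} deny lines vs flow packet counter {pkts}")
    for key, n in r["denied_without_flow"]:
        print(f"  denied but no flow record: {key} ({n} lines)")
    for f in r["flows_not_denied"]:
        print(f"  flow with no deny: {f.key} ({f.packets} packets)")
```

Run as-is it reports 7 deny lines against 3 matching flow records, with the per-tuple packet counters equal to the per-tuple deny lines, plus one denied tuple the export never saw. The comparison key is the full 5-tuple, so the same join works against real flow-tools output once the two parsers are swapped for the formats actually in hand.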
Current thread:
- cuebot-d infection method Jeff Bryner (Aug 24)
- RE: cuebot-d infection method Matthew Neeley (Aug 24)
- Re: cuebot-d infection method Matt Stockdale (Aug 24)
- Re: cuebot-d infection method Irwan Ismail (Aug 25)
- RE: cuebot-d infection method Jason Burton (Aug 25)
- Re: cuebot-d infection method Jayson Anderson (Aug 25)
- Re: cuebot-d infection method Harlan Carvey (Aug 26)
- Re: cuebot-d infection method Jeff Bryner (Aug 29)
- Re: cuebot-d infection method Harlan Carvey (Aug 29)
- Re: cuebot-d infection method Jayson Anderson (Aug 29)
- Re: cuebot-d infection method Jose Nazario (Aug 29)
- Re: cuebot-d infection method Irwan Ismail (Aug 25)
- Re: cuebot-d infection method Jeff Bryner (Aug 25)
- Re: cuebot-d infection method Simon Borduas (Aug 29)