Security Incidents mailing list archives

Re: cuebot-d infection method


From: Jeff Bryner <jbryner1 () yahoo com>
Date: Fri, 26 Aug 2005 09:56:35 -0700 (PDT)

<harlan & jayson on where to look for post-mortem packet traces>

Lacking full network packet logs, one thing I did during this one was
look at flow data from our network infrastructure. 

<disclaimer>my flowdata knowledge is limited</disclaimer>

This can be misleading, however, because internal flow data will capture
the outgoing attack packets that may get blocked later by a firewall.
There also doesn't seem to be a one-to-one correspondence between the
flow and what the firewall blocked outgoing (i.e., the firewall
records more blocks than the flow data shows).

Does someone with more flow-data/flow-tools experience know why this
may be so? 

Jeff.
P.S. Flow-tools example queries: 
http://www.splintered.net/sw/flow-tools/docs/flow-tools-examples.html
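One reason the counts differ is that a flow record aggregates every packet of a 5-tuple seen between the collector's timeouts, while a firewall typically logs each blocked packet or attempt separately, so several deny lines map to one flow, and a deny can have no matching flow at all if the collector never saw that path. The correlation below is an added example, not code from the thread or from flow-tools; the flow CSV and firewall lines are constructed sample data in assumed, simplified formats.

```python
import re
from collections import Counter

# Constructed flow export (src,dst,proto,dport,packets): one record per
# flow, i.e. all packets of a 5-tuple until the collector's timeout.
FLOWS = """\
10.1.1.5,192.0.2.10,6,445,3
10.1.1.5,192.0.2.11,6,445,2
10.1.1.7,198.51.100.4,6,139,1
"""

# Constructed firewall log: one line per blocked packet.
FW_LOG = """\
Aug 26 09:50:01 fw deny tcp 10.1.1.5:1034 -> 192.0.2.10:445
Aug 26 09:50:01 fw deny tcp 10.1.1.5:1035 -> 192.0.2.10:445
Aug 26 09:50:01 fw deny tcp 10.1.1.5:1036 -> 192.0.2.10:445
Aug 26 09:50:02 fw deny tcp 10.1.1.5:1040 -> 192.0.2.11:445
Aug 26 09:50:02 fw deny tcp 10.1.1.5:1041 -> 192.0.2.11:445
Aug 26 09:50:03 fw deny tcp 10.1.1.9:1050 -> 203.0.113.8:445
"""

DENY_RE = re.compile(r"deny (\w+) (\S+):\d+ -> (\S+):(\d+)")
PROTO = {"tcp": 6, "udp": 17}

def parse_flows(text):
    """Return {(src, dst, proto, dport): packets} from the flow CSV."""
    flows = {}
    for line in text.splitlines():
        src, dst, proto, dport, pkts = line.split(",")
        flows[(src, dst, int(proto), int(dport))] = int(pkts)
    return flows

def count_denies(text):
    """Count firewall deny lines per (src, dst, proto, dport)."""
    denies = Counter()
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            proto, src, dst, dport = m.groups()
            denies[(src, dst, PROTO[proto], int(dport))] += 1
    return denies

def correlate(flows, denies):
    """Per-flow deny counts plus denies the flow collector never saw."""
    denied_flows = {k: (p, denies[k]) for k, p in flows.items() if denies[k]}
    orphans = {k: n for k, n in denies.items() if k not in flows}
    return {"flow_records": len(flows), "deny_lines": sum(denies.values()),
            "denied_flows": denied_flows, "denies_without_flow": orphans}
```

With the sample data, three flow records account for five deny lines, and the sixth deny has no flow at all; both effects make the firewall total exceed the flow count.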

