nanog mailing list archives

Previous By Date Next
Previous By Thread Next

How to find the first occurrance of the worm.

From: "Ray Burkholder" <ray () oneunified net>
Date: Sat, 25 Jan 2003 16:13:00 -0500



Ray Burkholder


-----Original Message-----
From: McDonald, Dan [mailto:Dan.McDonald () austinenergy com] 
Sent: January 25, 2003 17:05
To: 'flow-tools () splintered net'
Subject: [flow-tools] w32.sqlexp.worm


In case anyone needs it, here is the flow-tools nfilter that I've found
to
match the worm that hit us...

filter-primitive mssql
  type ip-port
  permit 1434
  default deny

filter-primitive wormsize
   type counter
   permit eq 404
   default deny

filter theworm
   match src-ip-port mssql
   match octets wormsize

that with a flow-print -f 5 gave me the time of the first infection...

Daniel J McDonald, CCIE #2495, CNX
Lan/Wan Integrator
Austin Energy
1.512.322.6739
dan.mcdonald () austinenergy com

_______________________________________________
flow-tools () splintered net
http://www.splintered.net/sw/flow-tools
Previous By Date Next
Previous By Thread Next

Current thread: