[TriLUG] detecting outgoing worm attacks w/ linux firewall box?

Glen Ford gford at idiom.com
Wed Oct 15 11:22:13 EDT 2003


prhodes at vdsinc.com wrote:

>Hi guys, I have a question for you security knowledgeable types.....
>
>Our ISP has contacted us and says that some machine on our network is
>sending out some sort of malicious attack, probably Code Red / Nimda / or
>something similar.  Unfortunately, that's about all the info I have.  The
>IP they gave us is the ip off the firewall box, which does NAT translation
>for everybody else.
>
>So, what I'm wondering is, is there anything I can do (probably on the
>firewall box, which is Linux, BTW) to detect outgoing connections which
>look like worm attacks?
>
>Thanks,
>
>Phillip Rhodes
>Application Designer
>Voice Data Solutions
>919-571-4300 x225
>prhodes at vdsinc.com
>
>Those who are willing to sacrifice essential liberties for a little order,
>will lose both and deserve neither. - Benjamin Franklin
>
>This country, with its institutions, belongs to the people who inhabit it.
>Whenever they shall grow weary of the existing government, they can
>exercise their constitutional right of amending it, or exercise their
>revolutionary right to overthrow it.  - Abraham Lincoln
>
>No citizen shall be denied the right to bear arms, if as a last resort, to
>protect themselves from tyranny in Government. - Thomas Jefferson
>
You could run SNORT and look for the Code Red signature. Or on a basic 
level you could log TCP port 137 traffic and then parse through your 
logs for hosts that appear to be walking a subnet. Also, if you are 
currently running iptables, it would be good to create reports of 
iptables logs using fwlogwatch. These reports make it easier to spot anomalies.

/glen

-- 
Glen Ford
gford at idiom.com
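The "log the port and look for a host walking a subnet" approach above, worked through as an added example (this is not Glen's code or anything from the original thread). It assumes a hypothetical iptables LOG rule on the NAT box, for example `iptables -I FORWARD -o eth0 -p tcp --syn -m multiport --dports 80,137,139,445 -j LOG --log-prefix "OUTSCAN "`; the FORWARD chain runs before SNAT in POSTROUTING, so the logged SRC is the inside host's private address rather than the firewall's public one the ISP reported. The ports are broader than port 137 because Code Red spread over TCP 80 (IIS) and Nimda over TCP 80 plus NetBIOS/SMB shares. The log lines are constructed samples in the kernel's iptables LOG format; the script groups them by source, protocol and destination port and flags any inside host that touched many distinct destinations, noting how few /24s those destinations fall in (a worm walking a subnet hits many addresses in very few /24s, while normal browsing scatters across many).

```python
"""Flag inside hosts that appear to be walking a subnet, from iptables LOG lines.

Added example: the SAMPLE_LOG text is constructed, not captured from a real
firewall, and the "OUTSCAN " prefix comes from a hypothetical LOG rule.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/messages output from a hypothetical rule
#   iptables -I FORWARD -o eth0 -p tcp --syn -m multiport \
#            --dports 80,137,139,445 -j LOG --log-prefix "OUTSCAN "
# 192.168.1.23 sweeps 203.0.113.1-8 on port 80; 192.168.1.40 is ordinary browsing.
SAMPLE_LOG = """\
Oct 15 10:01:02 fw kernel: OUTSCAN IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.1 LEN=48 TTL=127 PROTO=TCP SPT=1034 DPT=80 SYN
Oct 15 10:01:02 fw kernel: OUTSCAN IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.2 LEN=48 TTL=127 PROTO=TCP SPT=1035 DPT=80 SYN
Oct 15 10:01:02 fw kernel: OUTSCAN IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.3 LEN=48 TTL=127 PROTO=TCP SPT=1036 DPT=80 SYN
Oct 15 10:01:03 fw kernel: OUTSCAN IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.4 LEN=48 TTL=127 PROTO=TCP SPT=1037 DPT=80 SYN
Oct 15 10:01:03 fw kernel: OUTSCAN IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 LEN=48 TTL=127 PROTO=TCP SPT=1038 DPT=80 SYN
Oct 15 10:01:03 fw kernel: OUTSCAN IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.6 LEN=48 TTL=127 PROTO=TCP SPT=1039 DPT=80 SYN
Oct 15 10:01:04 fw kernel: OUTSCAN IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 LEN=48 TTL=127 PROTO=TCP SPT=1040 DPT=80 SYN
Oct 15 10:01:04 fw kernel: OUTSCAN IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.8 LEN=48 TTL=127 PROTO=TCP SPT=1041 DPT=80 SYN
Oct 15 10:01:05 fw kernel: OUTSCAN IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.10 LEN=48 TTL=127 PROTO=TCP SPT=2001 DPT=80 SYN
Oct 15 10:01:09 fw kernel: OUTSCAN IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.77 LEN=48 TTL=127 PROTO=TCP SPT=2002 DPT=80 SYN
Oct 15 10:01:10 fw kernel: OUTSCAN IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.5 LEN=48 TTL=127 PROTO=TCP SPT=1050 DPT=445 SYN
Oct 15 10:01:11 fw kernel: unrelated message without the fields we need
"""

# Fields as the kernel LOG target writes them; other fields between DST and PROTO vary.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Return (src, dst, proto, dport) tuples for every line that carries LOG fields."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def find_scanners(events, min_targets=5):
    """Group by (src, proto, dport); flag sources that hit >= min_targets distinct DSTs.

    Returns {(src, proto, dport): {"targets": n, "subnets": m}} where
    "subnets" is the number of distinct /24s the targets fall into. A small
    subnet count relative to targets is the "walking a subnet" signature.
    """
    targets = defaultdict(set)
    for src, dst, proto, dport in events:
        targets[(src, proto, dport)].add(dst)
    report = {}
    for key, dsts in targets.items():
        if len(dsts) >= min_targets:
            subnets = {d.rsplit(".", 1)[0] for d in dsts}  # /24 prefix
            report[key] = {"targets": len(dsts), "subnets": len(subnets)}
    return report


if __name__ == "__main__":
    for (src, proto, dport), info in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {info['targets']} hosts on {proto}/{dport} "
              f"across {info['subnets']} /24 network(s): check this machine")
```

Run it against the real log with `python3 scan.py < /var/log/messages` after replacing SAMPLE_LOG with `sys.stdin.read()`; tune `min_targets` to your environment, since a proxy or mail relay will legitimately reach many destinations on one port but across many /24s.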