[TriLUG] detecting outgoing worm attacks w/ linux firewall box?
Ryan Wheaton
ryan.wheaton at comcast.net
Wed Oct 15 11:31:33 EDT 2003
I imagine that it's probably welchia or blaster... try this on your
firewall box (or another box that sees a lot of traffic):
tcpdump -qn icmp and ip[40]=0xaa
will detect welchia traffic... if that gets you no where then check
out this link:
http://securityresponse.symantec.com/avcenter/venc/data/detecting.traffic.due.to.rpc.worms.html
SNORT would help you out as well....
-r
On Wednesday, Oct 15, 2003, at 08:58 America/Denver, prhodes at vdsinc.com
wrote:
>
> Hi guys, I have a question for you security knowledgeable types.....
>
> Our ISP has contacted us and says that some machine on our network is
> sending out some sort of malicious attack, probably Code Red / Nimda / or
> something similar. Unfortunately, that's about all the info I have. The IP
> they gave us is the ip off the firewall box, which does NAT translation for
> everybody else.
>
> So, what I'm wondering is, is there anything I can do (probably on the
> firewall box, which is Linux, BTW) to detect outgoing connections which
> look like worm attacks?
>
> Thanks,
>
> Phillip Rhodes
> Application Designer
> Voice Data Solutions
> 919-571-4300 x225
> prhodes at vdsinc.com
>
> Those who are willing to sacrifice essential liberties for a little
> order, will lose both and deserve neither. - Benjamin Franklin
>
> This country, with its institutions, belongs to the people who inhabit
> it. Whenever they shall grow weary of the existing government, they can
> exercise their constitutional right of amending it, or exercise their
> revolutionary right to overthrow it. - Abraham Lincoln
>
> No citizen shall be denied the right to bear arms, if as a last
> resort, to protect themselves from tyranny in Government. - Thomas Jefferson
>
> --
> TriLUG mailing list :
> http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
>
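The tcpdump filter in Ryan's reply, `icmp and ip[40]=0xaa`, works because Welchia's ICMP echo requests carry a payload padded with 0xAA bytes, and `ip[40]` indexes byte 40 from the start of the IP header (20-byte IP header + 8-byte ICMP header, so byte 12 of the ICMP payload). The script below is an added example, not part of the original thread: it rebuilds that filter in Python over constructed packets so you can see exactly which byte the BPF expression tests, and it tallies matches per internal source address, which is what you would want when the ISP only sees the NAT box's IP. The packet builders, sample addresses and the 64-byte 0xAA payload are assumptions for illustration; run the real check with tcpdump on the firewall.

```python
import ipaddress
import struct
from collections import Counter

IPPROTO_ICMP = 1
IPPROTO_TCP = 6


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) followed by the payload. Constructed for the example."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def build_icmp_echo(data: bytes) -> bytes:
    """ICMP echo request (type 8) with id/seq 1 and the given payload."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    return hdr[:2] + struct.pack("!H", checksum(hdr + data)) + hdr[4:] + data


def matches_welchia_filter(pkt: bytes) -> bool:
    """Python equivalent of tcpdump's 'icmp and ip[40]=0xaa'.

    Offset 40 is counted from the first byte of the IP header, exactly as BPF's
    ip[] does, so with a 20-byte IP header and 8-byte ICMP header it lands on
    byte 12 of the ICMP payload. Welchia fills its echo payload with 0xAA.
    """
    if len(pkt) < 41 or (pkt[0] >> 4) != 4:
        return False
    if pkt[9] != IPPROTO_ICMP:
        return False
    return pkt[40] == 0xAA


def count_suspect_sources(packets) -> Counter:
    """Tally matching packets by source IP: the internal host behind the NAT box."""
    hits = Counter()
    for pkt in packets:
        if matches_welchia_filter(pkt):
            hits[str(ipaddress.IPv4Address(pkt[12:16]))] += 1
    return hits


# Constructed sample traffic (assumed addresses, not a real capture):
# one host sending Welchia-style 0xAA-padded echo requests, one normal ping,
# and one TCP segment that the filter must ignore.
WORM_SRC = "192.0.2.10"
PING_SRC = "192.0.2.11"
SAMPLE_PACKETS = [
    build_ipv4(WORM_SRC, "198.51.100.5", IPPROTO_ICMP, build_icmp_echo(b"\xaa" * 64)),
    build_ipv4(WORM_SRC, "198.51.100.6", IPPROTO_ICMP, build_icmp_echo(b"\xaa" * 64)),
    build_ipv4(PING_SRC, "198.51.100.5", IPPROTO_ICMP, build_icmp_echo(bytes(range(8, 64)))),
    build_ipv4(PING_SRC, "198.51.100.5", IPPROTO_TCP, b"\x00" * 40),
]

if __name__ == "__main__":
    for src, n in count_suspect_sources(SAMPLE_PACKETS).items():
        print(f"{src}: {n} packets matched 'icmp and ip[40]=0xaa'")
```

The check is a single-byte heuristic: any ICMP packet that happens to carry 0xAA at that offset will match, and a host whose IP header carries options shifts the payload so the offset no longer lines up. Treat a match as a lead to confirm on the suspect host rather than proof, and widen the filter (for example, comparing more payload bytes) if you see false positives.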