Home page logo
/

basics logo Security Basics mailing list archives

Re: network worm
From: "Brandon Glaze" <bglaze () northstar k12 ak us>
Date: Fri, 10 Dec 2004 08:35:06 -0900


I am not sure if you have been answered yet, but when my network was hit with the same FBOT worm (as Kaspersky called it) I implemented honeyd as a quick linux script which uses Doug Songs ArpD to arp poison your switch and give you the ability to have one machine answer on behalf of an entire subnet. The quick config files that come with honeyd are usually enough to emulate several key types of vulnerable machines. Just tail -f the /var/log/honeyd file and any connections to this box are invalid. I also implemented the no ip unreachables on all of my Cisco switches so that the routers were not bogged down trying to answer on behalf of all the infected clients request for non existant network pings. Hope that helps...

On Thu, 9 Dec 2004 09:13:30 +0530
 "Harshul Nayak" <harshul.nayak () patni com> wrote:
Hello luis,
running an IDS and monitoring it's logs should be a useful deployment , if
you still feel the threat of malicious traffic on your network.
I would even suggest having a look into latest snort-inline ;) u can do a
lot more than mere monitoring.

-regs
Harshul


-----Original Message-----
From: l c [mailto:neo_italy02 () yahoo it]
Sent: Thursday, December 09, 2004 3:55 AM
To: security-basics () securityfocus com
Subject: network worm


Hi all,
in the past days our network was stressed from a lot
of network worm (not find from local antivirus,
already up to date) with a stop of the traffic caused
from a lots of arp request. The last one was the
WORM_SDBOT.ACJ a worm that propagates itself using
network shares and a worm that trend micro (up to
date) was unable to find, causing the saturation of
the network switches and the related stop of all the
work. The question is: "is there the possibility to
setup an instrument (even linux based) to sniff the
network traffic with capabilities to find worm?". We
have already a linux based tool for network
monitoring, this tool is useful to isolate host with a
lots of ARP request (typical of the worm), but this
tool can't point us to which worm is doing the
traffic.

Thanks a lot
Luis



___________________________________
Nuovo Yahoo! Messenger: E' molto più divertente: Audibles, Avatar, Webcam,
Giochi, Rubrica… Scaricalo ora!
http://it.messenger.yahoo.it


http://www.patni.com
World-Wide Partnerships. World-Class Solutions.
_____________________________________________________________________

This e-mail message may contain proprietary, confidential or legally
privileged information for the sole use of the person or entity to
whom this message was originally addressed. Any review, e-transmission
dissemination or other use of or taking of any action in reliance upon
this information by persons or entities other than the intended
recipient is prohibited. If you have received this e-mail in error
kindly delete  this e-mail from your records. If it appears that this
mail has been forwarded to you without proper authority, please notify
us immediately at netadmin () patni com and delete this mail. _____________________________________________________________________


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault