Home page logo

basics logo Security Basics mailing list archives

Re: network worm
From: Kirk Schafer <infosec-capital () rainswept com>
Date: Fri, 17 Dec 2004 13:40:52 -0600

l c wrote:

Hi all,
in the past days our network was stressed from a lot
of network worm... <SNIP>

The question is: "is there the possibility to setup an
instrument (even linux based) to sniff the
network traffic with capabilities to find worm?"

Thanks a lot

While I understand that you want some indentification capabilities, I also note that you said your antivirus software was not detecting worms itself. It seems like trying to identify the worms in a custom program would be like competing
with the antivirus vendors.

In one project I worked on, we used a combination of Kiwi Syslog with two
SonicWall firewalls set up to forward syslog messages to a syslog daemon.
Further, we set up several network switches to do the same. Then, we wrote
scripts that parsed the logs into a database and queried for certain disallowed activities. This was matched up against DHCP and WINS data from the firewalls,
switches, and domain controllers, which was further matched up against login
events, MAC addresses, and other relevant data.

The point of this description is that if you are asking to locate possible worms, the first thing that comes to my mind is a worm with SMTP. Assuming that checking personal email is disallowed at your site, other than your mail server(s) there should be no outgoing connections to ports 25, 110, or 995. Logging this activity allows fairly rapid assessment of trouble. By the same token, a network worm may scan your firewall or switches for shares, thus creating syslog entries for relevant ports (including the source IP, MAC address, and port), and raising suspicion. All of this can easily be automated, and if the relevant data is available over an Intranet or isolated security station, it's very effective. Instead of having to write extensive capture code, you just have to know how to handle data and write queries. You can always
capture traffic later.

There are many uses for this kind of data collection, e.g., it's easy to find Instant Messengers. Blocking them these days can be a futile effort, because they cycle through hundreds, if not thousands of connection points to find a way out. By considering passive logging rather than active blocking, they have no need to hide and you can keep them off your network.

Best regards,

Kirk Schafer

Infosec Capital - Your Information Security Asset
308 East Broadway Ave, PO Box 1851
Fairfield, IA 52556
641-919-1783 (mobile)

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]