mailing list archives
Re: network worm
From: Kirk Schafer <infosec-capital () rainswept com>
Date: Fri, 17 Dec 2004 13:40:52 -0600
l c wrote:
in the past days our network was stressed by a lot
of network worms... <SNIP>
The question is: "is there the possibility to set up an
instrument (even linux based) to sniff the
network traffic with capabilities to find worms?"
Thanks a lot
While I understand that you want some identification capabilities, I
that you said your antivirus software was not detecting worms itself. It
like trying to identify the worms in a custom program would be like
with the antivirus vendors.
In one project I worked on, we used a combination of Kiwi Syslog with two
SonicWall firewalls set up to forward syslog messages to a syslog daemon.
Further, we set up several network switches to do the same. Then, we wrote
scripts that parsed the logs into a database and queried for certain
activities. This was matched up against DHCP and WINS data from the
switches, and domain controllers, which was further matched up against login
events, MAC addresses, and other relevant data.
The point of this description is that if you are asking to locate
the first thing that comes to my mind is a worm with SMTP. Assuming that
personal email is disallowed at your site, other than your mail
server(s) there should
be no outgoing connections to ports 25, 110, or 995. Logging this
fairly rapid assessment of trouble. By the same token, a network worm
your firewall or switches for shares, thus creating syslog entries for
(including the source IP, MAC address, and port), and raising suspicion.
All of this
can easily be automated, and if the relevant data is available over an
isolated security station, it's very effective. Instead of having to
write extensive capture
code, you just have to know how to handle data and write queries. You
capture traffic later.
There are many uses for this kind of data collection, e.g., it's easy to
find Instant Messengers.
Blocking them these days can be a futile effort, because they cycle
if not thousands of connection points to find a way out. By considering
passive logging rather
than active blocking, they have no need to hide and you can keep them
off your network.
Infosec Capital - Your Information Security Asset
308 East Broadway Ave, PO Box 1851
Fairfield, IA 52556
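The approach Kirk describes above (forward firewall syslog to a collector, parse it into a database, join against DHCP data, and query for hosts other than the mail servers opening connections to ports 25, 110 or 995) can be reduced to a small script. The code below is an added example, not part of the original post or of any product mentioned in it. The syslog line layout, the DHCP lease table, the host addresses and the mail-server list are all constructed for the example; in particular the "conn:" message format is an assumption and does not reproduce the real SonicWall log format, so the regular expression would need adjusting for a real feed.

```python
import re
import sqlite3

# Constructed sample firewall syslog lines in a simplified, assumed
# "connection opened" format (NOT the real SonicWall message format).
SAMPLE_SYSLOG = """\
Dec 17 13:01:02 fw1 conn: src=10.0.0.15:3345 dst=203.0.113.9:25 proto=tcp action=allow
Dec 17 13:01:05 fw1 conn: src=10.0.0.5:40211 dst=203.0.113.20:25 proto=tcp action=allow
Dec 17 13:01:07 fw2 conn: src=10.0.0.15:3346 dst=198.51.100.4:25 proto=tcp action=allow
Dec 17 13:01:09 fw1 conn: src=10.0.0.22:51000 dst=198.51.100.7:110 proto=tcp action=allow
Dec 17 13:01:11 fw1 conn: src=10.0.0.15:3347 dst=203.0.113.44:25 proto=tcp action=allow
Dec 17 13:01:12 fw1 conn: src=10.0.0.31:51001 dst=203.0.113.80:443 proto=tcp action=allow
not a firewall line at all
"""

# Constructed DHCP lease data (ip, mac, hostname) used to enrich the hits,
# mirroring the post's idea of matching log entries against DHCP records.
SAMPLE_DHCP = [
    ("10.0.0.5", "00:11:22:33:44:05", "mailgw"),
    ("10.0.0.15", "00:11:22:33:44:15", "ws-accounting-03"),
    ("10.0.0.22", "00:11:22:33:44:22", "ws-sales-11"),
    ("10.0.0.31", "00:11:22:33:44:31", "ws-eng-02"),
]

# Assumed site policy: only this host may talk to external mail ports.
MAIL_SERVERS = {"10.0.0.5"}
MAIL_PORTS = (25, 110, 995)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<fw>\S+) conn: "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_syslog(text):
    """Parse the assumed syslog format into row tuples; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        rows.append((d["ts"], d["fw"], d["src"], int(d["sport"]),
                     d["dst"], int(d["dport"]), d["proto"], d["action"]))
    return rows


def build_db(syslog_text, dhcp_rows):
    """Load parsed connection records and DHCP leases into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE conn (ts TEXT, fw TEXT, src TEXT, sport INTEGER, "
                 "dst TEXT, dport INTEGER, proto TEXT, action TEXT)")
    conn.execute("CREATE TABLE dhcp (ip TEXT PRIMARY KEY, mac TEXT, hostname TEXT)")
    conn.executemany("INSERT INTO conn VALUES (?,?,?,?,?,?,?,?)", parse_syslog(syslog_text))
    conn.executemany("INSERT INTO dhcp VALUES (?,?,?)", dhcp_rows)
    return conn


def suspicious_mail_senders(conn, mail_servers=MAIL_SERVERS, mail_ports=MAIL_PORTS):
    """Hosts other than the mail servers that opened connections to mail ports.

    Returns (src, mac, hostname, hits, distinct_destinations), busiest first.
    Many distinct destinations from one workstation is the pattern the post
    associates with an SMTP-spreading worm.
    """
    port_marks = ",".join("?" * len(mail_ports))
    srv_marks = ",".join("?" * len(mail_servers))
    sql = f"""
        SELECT c.src,
               COALESCE(d.mac, 'unknown'),
               COALESCE(d.hostname, 'unknown'),
               COUNT(*) AS hits,
               COUNT(DISTINCT c.dst) AS distinct_dsts
        FROM conn c
        LEFT JOIN dhcp d ON d.ip = c.src
        WHERE c.dport IN ({port_marks})
          AND c.src NOT IN ({srv_marks})
        GROUP BY c.src
        ORDER BY hits DESC, c.src
    """
    params = list(mail_ports) + sorted(mail_servers)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = build_db(SAMPLE_SYSLOG, SAMPLE_DHCP)
    for src, mac, host, hits, dsts in suspicious_mail_senders(db):
        print(f"{src:<12} {mac} {host:<18} hits={hits} distinct_dsts={dsts}")
```

On the constructed data the query surfaces ws-accounting-03 (three SMTP connections to three different hosts) and ws-sales-11 (one POP3 connection), while the mail gateway and the HTTPS connection are ignored. In a real deployment the same query runs against whatever the collector writes, and the DHCP join is what turns an address into a MAC and a machine name to go and look at.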