Re: Repository of virus/worm propagation methods?
From: Russell Harding (hardingr at cunap.com)
Date: Wed Oct 01 2003 - 16:06:56 CDT
Hello,
It seems nobody has answered the actual question posed by Alavan.
Yes, you can get a 'repository of virus/worm propagation methods'.
Snort, an open source Intrusion Detection System (IDS), has rules for many
different types of worm/virus network traffic signatures, and can often
tell you what virus/worm is the source of the network traffic you're
seeing.
Hope this helps,
-Russell
On Tue, 30 Sep 2003, Vinicius Moreira Mello wrote:
> Alavan,
>
> Are these continuous, or did you get them just once? At first, I don't
> consider them worms, because 8/0 is icmp echo-reply, which comes(?) from your(?)
> network to the Internet. And the second are icmp destination-unreachable,
> which also come from your network to the Internet. Possibly, your
> machines are just replying to worm "queries". And remember, you're an ISP;
> blocking icmp, mainly these two, is not a good thing (if I were a user I
> wouldn't like it).
>
> --
> Vinicius
>
>
> Alavan wrote:
> > Hello,
> >
> > Is there a site that lists how all these virus/worms replicate?
> > Specifically, as a SysAdmin of a small ISP I see patterns of traffic and
> > would like to be able to identify them to help the user clean their
> > machine. For instance, one user's machine is doing this:
> >
> > 09-28-2003 20:52:51 list 111 denied icmp 67.98.xxx.xxx
> > (FastEthernet0 0002.3f92.3fb4) -> 211.250.128.84 (8/0), 1 packet
> > 09-28-2003 20:52:50 list 111 denied icmp 67.98.xxx.xxx
> > (FastEthernet0 0002.3f92.3fb4) -> 218.14.178.79 (8/0), 1 packet
> > 09-28-2003 20:52:49 list 111 denied icmp 67.98.xxx.xxx
> > (FastEthernet0 0002.3f92.3fb4) -> 220.163.35.8 (8/0), 1 packet
> > 09-28-2003 20:52:47 list 111 denied icmp 67.98.xxx.xxx
> > (FastEthernet0 0002.3f92.3fb4) -> 210.41.241.164 (8/0), 1 packet
> > 09-28-2003 20:52:47 list 111 denied icmp 67.98.xxx.xxx
> > (FastEthernet0 0002.3f92.3fb4) -> 61.234.104.60 (8/0), 1 packet
> >
> > And yet another is doing this:
> >
> > 09-29-2003 09:29:14 list 111 denied icmp 67.98.xxx.xxx
> > (FastEthernet0 0050.bac6.e91a) -> 130.49.75.16 (3/3), 2 packets
> > 09-29-2003 09:29:10 list 111 denied icmp 67.98.xxx.xxx
> > (FastEthernet0 0050.bac6.e91a) -> 24.126.252.20 (3/3), 1 packet
> > 09-29-2003 09:29:05 list 111 denied icmp 67.98.xxx.xxx
> > (FastEthernet0 0050.bac6.e91a) -> 128.230.232.160 (3/3), 2 packets
> > 09-29-2003 09:29:01 list 111 denied icmp 67.98.xxx.xxx
> > (FastEthernet0 0050.bac6.e91a) -> 160.39.195.157 (3/3), 2 packets
> > 09-29-2003 09:28:58 list 111 denied icmp 67.98.xxx.xxx
> > (FastEthernet0 0050.bac6.e91a) -> 24.191.211.236 (3/3), 2 packets
> > 09-29-2003 09:28:52 list 111 denied icmp 67.98.xxx.xxx
> > (FastEthernet0 0050.bac6.e91a) -> 24.26.255.231 (3/3), 2 packets
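The ACL log lines Alavan posted carry enough to triage a customer host without a full IDS: the Cisco `(type/code)` field identifies the ICMP message (type 8 code 0 is an echo request; type 3 code 3 is destination unreachable, port unreachable), and a single MAC hitting many distinct destinations within seconds is the fan-out pattern worth a phone call. The script below is an added example written for this page, not code from the thread or from Snort: it parses lines in the post's format (the sample is constructed from the entries above, with the `xxx` octets left as posted, each entry on one line as the router emits it) and separates an outbound echo-request sweep, where the customer host is the one probing, from outbound port-unreachable errors, which a host emits in reply to probes arriving at closed ports. The thresholds `min_targets` and `window_seconds` are assumptions to tune per network.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the Cisco ACL log entries quoted in the thread.
SAMPLE_LOG = """\
09-28-2003 20:52:51 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 211.250.128.84 (8/0), 1 packet
09-28-2003 20:52:50 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 218.14.178.79 (8/0), 1 packet
09-28-2003 20:52:49 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 220.163.35.8 (8/0), 1 packet
09-28-2003 20:52:47 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 210.41.241.164 (8/0), 1 packet
09-28-2003 20:52:47 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0002.3f92.3fb4) -> 61.234.104.60 (8/0), 1 packet
09-29-2003 09:29:14 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 130.49.75.16 (3/3), 2 packets
09-29-2003 09:29:10 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 24.126.252.20 (3/3), 1 packet
09-29-2003 09:29:05 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 128.230.232.160 (3/3), 2 packets
09-29-2003 09:29:01 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 160.39.195.157 (3/3), 2 packets
09-29-2003 09:28:58 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 24.191.211.236 (3/3), 2 packets
09-29-2003 09:28:52 list 111 denied icmp 67.98.xxx.xxx (FastEthernet0 0050.bac6.e91a) -> 24.26.255.231 (3/3), 2 packets
"""

# Cisco "list <acl> denied icmp <src> (<iface> <mac>) -> <dst> (<type>/<code>), N packet(s)"
LINE_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"list (?P<acl>\d+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.x]+) \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\) -> "
    r"(?P<dst>[\d.]+) \((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?$"
)

# ICMP type/code names (RFC 792); only the ones a small ISP sees most often.
ICMP_NAMES = {
    (0, 0): "echo-reply",
    (3, 0): "dest-unreachable/net",
    (3, 1): "dest-unreachable/host",
    (3, 3): "dest-unreachable/port",
    (8, 0): "echo-request",
    (11, 0): "time-exceeded/ttl",
}


def parse_line(line):
    """Return a dict for one ACL log line, or None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    typ, code = int(d["type"]), int(d["code"])
    return {
        "ts": datetime.strptime(d["date"] + " " + d["time"], "%m-%d-%Y %H:%M:%S"),
        "src": d["src"], "mac": d["mac"], "dst": d["dst"],
        "type": typ, "code": code,
        "icmp": ICMP_NAMES.get((typ, code), "type%d/code%d" % (typ, code)),
        "packets": int(d["count"]),
    }


def classify(records, min_targets=5, window_seconds=60):
    """Group by source MAC (the customer device) and judge each one's fan-out.

    Thresholds are assumed defaults, not values from the thread.
    """
    by_mac = defaultdict(list)
    for r in records:
        by_mac[r["mac"]].append(r)
    verdicts = {}
    for mac, recs in by_mac.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        dsts = {r["dst"] for r in recs}
        kinds = {r["icmp"] for r in recs}
        fan_out = len(dsts) >= min_targets and span <= window_seconds
        if fan_out and kinds == {"echo-request"}:
            # Host is originating echo requests to many addresses: a ping sweep.
            verdict = "probing: outbound echo-request sweep"
        elif fan_out and all(k.startswith("dest-unreachable") for k in kinds):
            # A host sends these in reply to traffic it received, so the
            # customer box is being hit by many sources, not scanning them.
            verdict = "replying: ICMP errors answering inbound probes"
        elif fan_out:
            verdict = "fan-out: many destinations, mixed ICMP types"
        else:
            verdict = "normal: no fan-out"
        verdicts[mac] = {
            "distinct_dsts": len(dsts),
            "span_seconds": span,
            "packets": sum(r["packets"] for r in recs),
            "icmp": sorted(kinds),
            "verdict": verdict,
        }
    return verdicts


def analyze(log_text, **kw):
    """Parse a block of ACL log text and return per-MAC verdicts (unparseable lines are skipped)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r is not None]
    return classify(records, **kw)


if __name__ == "__main__":
    for mac, info in analyze(SAMPLE_LOG).items():
        print(mac, info["icmp"], info["distinct_dsts"], "dsts in",
              int(info["span_seconds"]), "s:", info["verdict"])
```

Run against the sample, the first MAC comes out as an echo-request sweep (5 targets in 4 seconds) and the second as port-unreachable replies (6 sources in 22 seconds); the second host may still be compromised, but the log line alone shows it answering, not scanning, which changes what you tell the user to look for.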