Worm attacks

Carter Bullard carter at qosient.com
Mon Jul 23 09:56:16 EDT 2001


Hey John,
   I was interested in specific Argus data, but thanks for
the offer.  I'm really interested in characterizing the
internal traffic after a server gets into trouble, rather
than the initial attack attempt.  How long from the initial
attack does the server start searching, is the address
range random or an incremental list, is the searching
preceded by any other traffic, like a piece of mail or
a UDP packet indicating success.  You know, that kind of
stuff.

   Is it because of your deployment strategy that makes
you think Argus would not do as well?  Does your firewall
log the traffic that it doesn't block?

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com



> -----Original Message-----
> From: Lauro, John [mailto:jlauro at umflint.edu] 
> Sent: Monday, July 23, 2001 9:39 AM
> To: carter at qosient.com; Argus
> Subject: RE: Worm attacks
> 
> 
> I don't log any portion of the data packets with argus.
> 
> However, our firewall generates nice logs...  If it is not 
> for a public web site (all of about 12 IPs out of 65k) on 
> port 80, it logs and accepts the connection and does a 
> redirect to a login page...  It creates a nice log of the IP 
> and more than just 64 bytes (>350) of the GET request...  I 
> suspect argus wouldn't do as well, as it would only catch 
> real web sites that are there to allow connections to port 80...
> 
> Let me know if you want my firewall logs (after GREPing out 
> just the default.ida...)  For reference, I had 22 worm 
> related entries last hour.
> 
> 
> > -----Original Message-----
> > From: Carter Bullard [mailto:carter at qosient.com]
> > Sent: Monday, July 23, 2001 9:22 AM
> > To: Argus
> > Subject: Worm attacks
> > 
> > 
> > Gentle people,
> >    Did any one catch any worm traffic this past week?
> > I'd love to see the first 64 bytes, if anyone has any
> > logs.  I'm guessing that Argus would have been the only 
> > technology to have automatically audited worm traffic from
> > the last wave.
> > 
> > Carter
> > 
> > Carter Bullard
> > QoSient, LLC
> > 300 E. 56th Street, Suite 18K
> > New York, New York  10022
> > 
> > carter at qosient.com
> > Phone +1 212 588-9133
> > Fax   +1 212 588-9134
> > http://qosient.com
> > 
> > 
> 
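The analysis Carter asks for above (how long after the inbound attack the server starts searching, whether the targets it searches are an incremental list or random, and what else it sends in between) can be run over flow records. The script below is an added example, not code from the argus list, from QoSient or from Argus itself: the record layout is a constructed, simplified flow log (start time, protocol, source, source port, destination, destination port, bytes), not real ra output, and the hosts, ports and timings in it are made up for illustration.

```python
"""Characterising a server's traffic after a worm compromise, from flow records.

Added example, not code from the argus list or from Argus. The record layout
is a constructed, simplified flow log; the hosts and timings are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address

# Constructed sample: two attacked servers (10.1.1.5 and 10.1.1.9), one of
# which probes consecutive addresses and one of which probes random ones.
SAMPLE_FLOWS = """\
2001-07-19 14:00:00 tcp 192.0.2.10 3201 10.1.1.5 80 1024
2001-07-19 14:00:01 udp 10.1.1.5 1025 10.1.1.53 53 72
2001-07-19 14:00:45 tcp 10.1.1.5 1026 10.1.1.6 80 1024
2001-07-19 14:00:46 tcp 10.1.1.5 1027 10.1.1.7 80 1024
2001-07-19 14:00:47 tcp 10.1.1.5 1028 10.1.1.8 80 1024
2001-07-19 14:05:00 tcp 192.0.2.11 4410 10.1.1.9 80 1024
2001-07-19 14:05:30 tcp 10.1.1.9 1030 203.0.113.7 80 1024
2001-07-19 14:05:31 tcp 10.1.1.9 1031 198.51.100.200 80 1024
2001-07-19 14:05:32 tcp 10.1.1.9 1032 192.0.2.66 80 1024
"""


@dataclass
class Flow:
    start: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


@dataclass
class PostCompromiseProfile:
    victim: str
    attack_time: datetime          # first inbound hit on the service port
    scan_start: datetime           # first outbound probe to the same port
    delay_seconds: float           # scan_start - attack_time
    target_pattern: str            # "incremental", "random" or "single"
    preceding: list = field(default_factory=list)  # victim's flows in between


def parse_flows(text):
    """Parse the constructed 'date time proto src sport dst dport bytes' records."""
    flows = []
    for line in text.strip().splitlines():
        date, clock, proto, src, sport, dst, dport, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(f"{date} {clock}"), proto,
                          src, int(sport), dst, int(dport), int(nbytes)))
    return sorted(flows, key=lambda f: f.start)


def classify_targets(addrs):
    """Incremental if each probed address is the previous one plus one, else random."""
    if len(addrs) < 2:
        return "single"
    ints = [int(ip_address(a)) for a in addrs]
    if all(b - a == 1 for a, b in zip(ints, ints[1:])):
        return "incremental"
    return "random"


def characterize(flows, victim, service_port=80):
    """Profile `victim`'s behaviour after the first inbound hit on service_port.

    Returns None when the host was never hit or never started probing.
    """
    inbound = [f for f in flows if f.dst == victim and f.dport == service_port
               and f.proto == "tcp"]
    if not inbound:
        return None
    attack = inbound[0]
    outbound = [f for f in flows if f.src == victim and f.start >= attack.start]
    probes = [f for f in outbound if f.proto == "tcp" and f.dport == service_port]
    if not probes:
        return None
    scan_start = probes[0].start
    # Anything the victim sent between being hit and starting to search.
    preceding = [f for f in outbound if f.start < scan_start]
    return PostCompromiseProfile(
        victim=victim,
        attack_time=attack.start,
        scan_start=scan_start,
        delay_seconds=(scan_start - attack.start).total_seconds(),
        target_pattern=classify_targets([f.dst for f in probes]),
        preceding=preceding,
    )


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for victim in ("10.1.1.5", "10.1.1.9"):
        p = characterize(flows, victim)
        print(f"{p.victim}: searching began {p.delay_seconds:.0f}s after the attack, "
              f"targets {p.target_pattern}, {len(p.preceding)} flow(s) sent before the scan")
```

On the constructed data this reports that 10.1.1.5 began probing 45 seconds after it was hit, walked consecutive addresses, and sent one UDP flow (to port 53) first, while 10.1.1.9 began after 30 seconds with random targets and nothing in between. Real flow logs would carry the victim's own service responses as well, so a production version would filter those by direction before looking for the preceding traffic.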