Worm attacks
Carter Bullard
carter at qosient.com
Mon Jul 23 23:52:05 EDT 2001
Hey David,
Did you get a chance to use ragrep() against
any argus data to do your URL searching?
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York 10022
carter at qosient.com
Phone +1 212 588-9133
Fax +1 212 588-9134
http://qosient.com
> -----Original Message-----
> From: David Brumley [mailto:dbrumley at rtfm.stanford.edu]
> Sent: Monday, July 23, 2001 7:19 PM
> To: Carter Bullard
> Cc: Argus
> Subject: Re: Worm attacks
>
>
>
> > Gentle people,
> > Did any one catch any worm traffic this past week?
> > I'd love to see the first 64 bytes, if anyone has any
> > logs. I'm guessing that Argus would have been the only
> technology to
> > automatically audited worm traffic from the last wave.
>
> I don't have any argus logs, but I found that ngrep was
> especially helpful in identifying machines looking for the
> default.ida script.
>
> cheers,
> -david
> --
> #+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+
> --+#+--+#
> David Brumley - Stanford Computer Security - dbrumley at
> Stanford.EDU
> Phone: +1-650-723-2445 WWW:
> http://www.stanford.edu/~dbrumley
> Fax: +1-650-725-9121
> PGP: finger dbrumley-pgp at sunset.Stanford.EDU
> #+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+
> --+#+--+#
> Life is a whim of several billion cells to be you for a while.
>
More information about the argus
mailing list