Worm attacks
David Brumley
dbrumley at rtfm.stanford.edu
Tue Jul 24 15:18:25 EDT 2001
> Hey David,
> Did you get a chance to use ragrep() against
> any argus data to do your URL searching?
>
no, but I'll try that in the future. I still need to upgrade to argus
2.0 on our production server. I've been hesitant because that means
rewriting some scripts.
>
> > -----Original Message-----
> > From: David Brumley [mailto:dbrumley at rtfm.stanford.edu]
> > Sent: Monday, July 23, 2001 7:19 PM
> > To: Carter Bullard
> > Cc: Argus
> > Subject: Re: Worm attacks
> >
> >
> >
> > > Gentle people,
> > > Did any one catch any worm traffic this past week?
> > > I'd love to see the first 64 bytes, if anyone has any
> > > logs. I'm guessing that Argus would have been the only
> > > technology to automatically audit worm traffic from the last wave.
> >
> > I don't have any argus logs, but I found that ngrep was
> > especially helpful in identifying machines looking for the
> > default.ida script.
> >
> > cheers,
> > -david
> >
>
--
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley at Stanford.EDU
Phone: +1-650-723-2445 WWW: http://www.stanford.edu/~dbrumley
Fax: +1-650-725-9121 PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
Life is a whim of several billion cells to be you for a while.
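The ngrep approach David describes (spotting hosts that request default.ida), as an added example that is not part of the original thread: a small Python script applies the same case-insensitive match to captured HTTP request payloads, reports which source hosts were probing and keeps the first 64 bytes of the first hit, which is what Carter asked to see. The packet tuples and addresses are constructed sample data, not real captures.

```python
import re
from collections import defaultdict

# Constructed sample of captured request payloads, one per packet:
# (source IP, destination IP, raw TCP payload). Not real traffic.
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.0.2.10", b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"),
    ("10.0.0.7", "192.0.2.10", b"GET /default.ida?" + b"N" * 200 + b" HTTP/1.0\r\n\r\n"),
    ("10.0.0.7", "192.0.2.11", b"GET /default.ida?" + b"N" * 200 + b" HTTP/1.0\r\n\r\n"),
    ("10.0.0.9", "192.0.2.10", b"GET /Default.IDA?" + b"X" * 200 + b" HTTP/1.0\r\n\r\n"),
    ("10.0.0.5", "192.0.2.10", b"POST /cgi-bin/form HTTP/1.0\r\n\r\n"),
]

# Match the HTTP request line; case-insensitive, in the spirit of
# `ngrep -i 'default.ida'`, so mixed-case variants are not missed.
REQUEST_RE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d", re.I)


def is_default_ida_request(payload: bytes) -> bool:
    """True if the request target (query string stripped) is a default.ida path."""
    m = REQUEST_RE.match(payload)
    if not m:
        return False
    path = m.group("target").split(b"?", 1)[0]
    return path.lower().endswith(b"/default.ida")


def find_scanners(packets):
    """Return {src_ip: {"count", "targets", "first64"}} for every source that
    requested default.ida. first64 is the hex of the first 64 payload bytes of
    that source's first hit, the sample size the thread asks for."""
    hits = defaultdict(lambda: {"count": 0, "targets": set(), "first64": None})
    for src, dst, payload in packets:
        if not is_default_ida_request(payload):
            continue
        rec = hits[src]
        rec["count"] += 1
        rec["targets"].add(dst)
        if rec["first64"] is None:
            rec["first64"] = payload[:64].hex()
    return dict(hits)


if __name__ == "__main__":
    for src, rec in sorted(find_scanners(SAMPLE_PACKETS).items()):
        print(f"{src}: {rec['count']} request(s) to {len(rec['targets'])} host(s)")
        print("  first 64 bytes:", rec["first64"])
```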