Worm attacks

David Brumley dbrumley at rtfm.stanford.edu
Tue Jul 24 15:18:25 EDT 2001


> Hey David,
>    Did you get a chance to use ragrep() against
> any argus data to do your URL searching?
> 
no, but I'll try that in the future.  I still need to upgrade to argus
2.0 on our production server. I've been hesitant because that means
rewriting some scripts.



> 
> > -----Original Message-----
> > From: David Brumley [mailto:dbrumley at rtfm.stanford.edu] 
> > Sent: Monday, July 23, 2001 7:19 PM
> > To: Carter Bullard
> > Cc: Argus
> > Subject: Re: Worm attacks
> > 
> > 
> > 
> > > Gentle people,
> > >    Did any one catch any worm traffic this past week?
> > > I'd love to see the first 64 bytes, if anyone has any
> > > logs.  I'm guessing that Argus would have been the only technology to
> > > automatically audit worm traffic from the last wave.
> > 
> > I don't have any argus logs, but I found that ngrep was 
> > especially helpful in identifying machines looking for the 
> > default.ida script.
> > 
> > cheers,
> > -david
> > -- 
> > #+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
> > David Brumley - Stanford Computer Security -   dbrumley at Stanford.EDU
> > Phone: +1-650-723-2445           WWW: http://www.stanford.edu/~dbrumley
> > Fax:   +1-650-725-9121  PGP: finger dbrumley-pgp at sunset.Stanford.EDU
> > #+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
> > Life is a whim of several billion cells to be you for a while.
> > 
> 

-- 
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security -   dbrumley at Stanford.EDU
Phone: +1-650-723-2445           WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121  PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
Life is a whim of several billion cells to be you for a while.
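An added example, not from David's message or from the argus project: the ngrep idea above (spot hosts asking a web server for default.ida) written out as a small Python checker. It parses the HTTP request line at the start of each captured payload, flags requests whose path is /default.ida regardless of query string, counts probes per source host, and keeps the first 64 bytes of each flagged payload as the kind of sample Carter asked for. All captures, IP addresses and function names here are constructed for the example.

```python
"""Flag hosts probing a web server for /default.ida in captured HTTP payloads."""
import re
from collections import Counter

# Request line of an HTTP/1.x message: METHOD SP request-target SP HTTP/x.y CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d\r?\n")

# Constructed sample captures: (source IP, leading bytes of the TCP payload sent
# to port 80). The "N" / "X" runs stand in for an overlong query string; they are
# filler for the example, not real worm traffic.
SAMPLE_CAPTURES = [
    ("10.0.0.5", b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"),
    ("192.0.2.17", b"GET /default.ida?" + b"N" * 40 + b" HTTP/1.0\r\n\r\n"),
    ("192.0.2.17", b"GET /default.ida?" + b"N" * 40 + b" HTTP/1.0\r\n\r\n"),
    ("198.51.100.9", b"GET /Default.IDA?" + b"X" * 40 + b" HTTP/1.0\r\n\r\n"),
    ("10.0.0.8", b"POST /cgi-bin/form HTTP/1.1\r\nHost: www\r\n\r\n"),
    ("10.0.0.9", b"\x16\x03\x01not http at all"),
]


def parse_request_line(payload: bytes):
    """Return (method, request-target) from an HTTP request payload, or None
    when the payload does not start with a well-formed request line."""
    match = REQUEST_LINE.match(payload)
    if match is None:
        return None
    method, target = match.group(1), match.group(2)
    return method.decode("ascii"), target.decode("ascii", "replace")


def is_default_ida_probe(payload: bytes) -> bool:
    """True when the request path (query string ignored) is /default.ida.
    IIS paths are case-insensitive, so compare case-insensitively."""
    parsed = parse_request_line(payload)
    if parsed is None:
        return False
    _, target = parsed
    path = target.split("?", 1)[0]
    return path.lower() == "/default.ida"


def first_64_bytes_hex(payload: bytes) -> str:
    """Hex of the first 64 bytes, the sample size asked for in the thread."""
    return payload[:64].hex()


def summarize_probes(captures):
    """Count default.ida probes per source host and keep one 64-byte sample
    per host. Returns ({src: count}, {src: hex_sample})."""
    counts = Counter()
    samples = {}
    for src, payload in captures:
        if not is_default_ida_probe(payload):
            continue
        counts[src] += 1
        samples.setdefault(src, first_64_bytes_hex(payload))
    return dict(counts), samples


if __name__ == "__main__":
    counts, samples = summarize_probes(SAMPLE_CAPTURES)
    for src, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{src}: {n} probe(s), first 64 bytes: {samples[src]}")
```

The check is on the parsed path rather than a raw substring match, so a request that merely mentions default.ida in a header or body does not count, while case variants of the path still do. Feeding it real data means replacing SAMPLE_CAPTURES with (source, payload) pairs pulled from whatever capture or flow tool is at hand.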


