beta.13 (and beta.12) insect
Eric
eric-list-argus at catastrophe.net
Mon Aug 25 12:18:25 EDT 2003
On Mon, 2003-08-25 at 17:12:34 +0100, Neil Long proclaimed...
> Just a thought - are you having major icmp floods with these MS-RPC worms?
>
> Until we filtered them my argus collector was dropping vast amounts of
> packets as reported by tcpdump and friends
>
Yep, we are. We had to change our argus.conf filter to not include
icmp.
Is there a way to filter out something like the following in the
argus.conf (this is what I'm using to detect the infected hosts
using tcpdump)?
'icmp[icmptype]==icmp-echo && icmp[8:4]==0xAAAAAAAA && icmp[12:4]==0xAAAAAAAA'
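
The tcpdump expression above, written out as an added example that is not part of the original post: it applies the same byte tests to raw IPv4 packets and counts matches per source host, including the IP-options, short-payload and fragment cases. The function names (`matches_filter`, `suspect_hosts`, `build`) and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

ICMP_ECHO = 8
FILL = b"\xaa" * 8   # icmp[8:4] and icmp[12:4] both equal 0xAAAAAAAA

def matches_filter(pkt: bytes) -> bool:
    """Apply the post's tcpdump test to one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4                 # header length varies with IP options
    if ihl < 20 or pkt[9] != 1:               # protocol 1 = ICMP
        return False
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return False                          # later fragments carry no ICMP header
    icmp = pkt[ihl:]
    if len(icmp) < 16:                        # bytes 8..15 must exist to compare
        return False
    return icmp[0] == ICMP_ECHO and icmp[8:16] == FILL

def suspect_hosts(packets):
    """Count matching echo requests per source address."""
    return Counter(".".join(map(str, p[12:16])) for p in packets if matches_filter(p))

def build(src, icmp_type, payload, options=b"", frag=0):
    """Construct a test packet (checksums left at zero; not captured traffic)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload
    words = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | words, 0, words * 4 + len(icmp),
                      0, frag, 64, 1, 0, bytes(map(int, src.split("."))),
                      bytes([192, 0, 2, 1]))
    return hdr + options + icmp

# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    build("198.51.100.5", 8, b"\xaa" * 64),                       # match
    build("198.51.100.5", 8, b"\xaa" * 64, options=b"\x01" * 4),  # match, IHL = 24
    build("198.51.100.7", 8, bytes(range(0x61, 0x77)) * 2),       # ordinary ping payload
    build("198.51.100.9", 0, b"\xaa" * 64),                       # echo reply, not request
    build("198.51.100.9", 8, b"\xaa" * 4),                        # too short to compare
    build("198.51.100.9", 8, b"\xaa" * 64, frag=185),             # non-first fragment
]

if __name__ == "__main__":
    for host, n in suspect_hosts(SAMPLE).items():
        print(host, n)
```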