This is a discussion on [Snort-users] Best detection of Worm within the Snort forums, part of the System Security and Security Related category.
We seem to be seeing an infection of the WORM_RBOT.TO worm; by examination of the DNS logs, we're finding DNS lookups for the site (gz.freetypers.us) that the worm then establishes an IRC connection to.

What would be the best way to detect on this, an initial on the DNS lookup and then a positive on the IRC connection?

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.TO&VSect=T

thanks

Snort-users mailing list
Snort-users@lists.sourceforge.net
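One way to build the two-stage detection asked about above, written as an added example for this thread rather than code from the original post or from the Snort project: a pair of Snort rules (the DNS rule matches the query name in DNS wire format, where every label is prefixed by its length byte and the name ends in a zero byte, because a query packet never carries the dotted string "gz.freetypers.us") plus a small correlator that reads Snort fast-format alert lines and flags a host only when its IRC client registration follows its lookup of gz.freetypers.us. The local SIDs 1000001/1000002, the five-minute window, the NICK/USER match, the fixed year in the timestamp and every alert line below are assumptions and constructed sample data; the post does not give the IRC port or the worm's timing, so the IRC rule leaves the destination port open.

```python
"""Two-stage detection for the WORM_RBOT.TO question: a DNS-lookup rule plus an
IRC-registration rule for Snort, and a correlator over Snort fast-format alerts.
Added example for this thread; SIDs, window and alert lines are assumptions."""
import re
from datetime import datetime, timedelta

DOMAIN = "gz.freetypers.us"
DNS_SID = 1000001   # assumed local SIDs (local rules live at 1000000 and above)
IRC_SID = 1000002
WINDOW = timedelta(minutes=5)  # assumed: IRC registration must follow the lookup within 5 minutes


def dns_content_match(domain: str) -> str:
    """Encode a query name as Snort content bytes in DNS wire format.

    DNS does not send dotted names: each label is preceded by its length byte and
    the name ends with a zero byte, so content:"gz.freetypers.us" would never
    match a query packet, while the encoding returned here does."""
    return "".join(f"|{len(label):02x}|{label}" for label in domain.split(".")) + "|00|"


def build_rules(domain: str) -> str:
    """Return the two Snort rules. The IRC rule matches the NICK/USER client
    registration on any port because the post does not state the IRC port."""
    dns_rule = (
        f'alert udp $HOME_NET any -> any 53 (msg:"WORM_RBOT.TO DNS query {domain}"; '
        f'content:"{dns_content_match(domain)}"; sid:{DNS_SID}; rev:1;)'
    )
    irc_rule = (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"WORM_RBOT.TO IRC client registration"; '
        f'flow:to_server,established; content:"NICK "; content:"USER "; sid:{IRC_SID}; rev:1;)'
    )
    return dns_rule + "\n" + irc_rule


# Snort "fast" alert line: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+.*?\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$"
)


def parse_alert(line: str):
    """Parse one fast-format alert line into a dict, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    # The fast format carries no year; a fixed (assumed) year keeps ordering correct within a year.
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f").replace(year=2004)
    return {"ts": ts, "sid": int(m["sid"]), "src": m["src"], "dst": m["dst"]}


def correlate(alert_lines, window: timedelta = WINDOW) -> dict:
    """Map each source host whose IRC-registration alert follows its DNS-lookup
    alert within `window` to the IRC server address it connected to."""
    first_lookup = {}   # src host -> time of its first DNS alert
    hits = {}
    for line in alert_lines:
        a = parse_alert(line)
        if a is None:
            continue
        if a["sid"] == DNS_SID:
            first_lookup.setdefault(a["src"], a["ts"])
        elif a["sid"] == IRC_SID and a["src"] in first_lookup and a["src"] not in hits:
            gap = a["ts"] - first_lookup[a["src"]]
            if timedelta(0) <= gap <= window:
                hits[a["src"]] = a["dst"]
    return hits


# Constructed sample alerts (not real traffic): 10.0.0.5 looks the name up and
# registers on IRC 40 s later; 10.0.0.9 only uses IRC; 10.0.0.7 looks the name up
# but its IRC alert comes over an hour later, outside the window.
SAMPLE_ALERTS = [
    "11/29-10:15:03.120000  [**] [1:1000001:1] WORM_RBOT.TO DNS query gz.freetypers.us [**] [Priority: 0] {UDP} 10.0.0.5:1045 -> 10.0.0.2:53",
    "11/29-10:15:43.500000  [**] [1:1000002:1] WORM_RBOT.TO IRC client registration [**] [Priority: 0] {TCP} 10.0.0.5:1046 -> 192.0.2.10:6667",
    "11/29-10:16:00.000000  [**] [1:1000002:1] WORM_RBOT.TO IRC client registration [**] [Priority: 0] {TCP} 10.0.0.9:2200 -> 198.51.100.7:6667",
    "11/29-10:20:00.000000  [**] [1:1000001:1] WORM_RBOT.TO DNS query gz.freetypers.us [**] [Priority: 0] {UDP} 10.0.0.7:3001 -> 10.0.0.2:53",
    "11/29-11:30:00.000000  [**] [1:1000002:1] WORM_RBOT.TO IRC client registration [**] [Priority: 0] {TCP} 10.0.0.7:3002 -> 192.0.2.10:6667",
]

if __name__ == "__main__":
    print(build_rules(DOMAIN))
    for host, server in correlate(SAMPLE_ALERTS).items():
        print(f"{host} resolved {DOMAIN} and then registered on IRC at {server}")
```

The correlation is done outside Snort on purpose: flowbits only carry state within a single flow, and the UDP lookup and the TCP IRC session are different flows, so a rule cannot "remember" the DNS query when the IRC connection arrives. Each rule therefore alerts on its own, and the script (or the same logic against the alert database) joins them by source host and time order, which also keeps the port-agnostic NICK/USER rule from flagging ordinary IRC users who never resolved the worm's hostname.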