Focus on Microsoft
RE: Detecting Blaster Aug 15 2003 05:48PM
David A Cavalieri (David Cavalieri Colorado EDU)
Using NetFlow data, instead of watching all of your traffic to tcp/135
(which can be a great deal, depending on the size of your organization),
you can watch for single packets; destination tcp/135 with a size of 48
bytes. You can also look for destination UDP/69 (TFTP) packets.
Monitoring traffic on port 4444 was not as useful.

Hope this helps.

David Cavalieri
Technical Specialist
Information Technology Services
University of Colorado, Boulder

-----Original Message-----
From: Bob Sadler [mailto:bobs (at) LEAWOOD (dot) ORG [email concealed]]
Sent: Thursday, August 14, 2003 11:14 AM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Detecting Blaster

I have been trying to figure out if there is a way that I can detect
signs of Blaster on a large number of machines on a network without
having to actually visit each one.

I have a port scanner (Ethereal) and have it set up to look at any frame
with destination port 135. Is there a better way to do this, or is the
way I'm trying to do this all wrong in the first place?

Bob Sadler
City of Leawood, KS, USA
WAN/Internet Specialist
913-339-6700 x194
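
The NetFlow filter described in the reply above, as an added example that is not part of either message: it keeps only single-packet, 48-byte flows to tcp/135, counts distinct destinations per source, and notes whether that source also appears in a udp/69 flow. The CSV column layout, the `min_targets` threshold, and the sample records are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict


def build_sample():
    """Constructed flow export (not real traffic); the column layout is assumed."""
    # One host sending a single 48-byte packet to tcp/135 on 30 different hosts.
    rows = [f"10.1.4.23,10.1.7.{i},6,135,1,48" for i in range(1, 31)]
    rows += [
        "10.1.7.12,10.1.4.23,17,69,4,212",    # TFTP flow involving the same host
        "10.1.2.50,10.1.2.10,6,135,14,3120",  # ordinary multi-packet tcp/135 session
        "10.1.2.51,10.1.2.10,6,135,1,48",     # one stray probe, below the threshold
        "10.1.9.8,10.1.9.9,6,4444,3,180",     # port 4444 is not used by this check
    ]
    return "src,dst,proto,dport,packets,bytes\n" + "\n".join(rows) + "\n"


def find_suspects(flow_csv, min_targets=20):
    """Return {src: {"targets": n, "tftp_seen": bool}} for likely scanning hosts."""
    probes = defaultdict(set)  # src -> distinct destinations probed on tcp/135
    tftp_hosts = set()         # every endpoint seen in a udp/69 flow
    for row in csv.DictReader(io.StringIO(flow_csv)):
        proto, dport = int(row["proto"]), int(row["dport"])  # 6 = TCP, 17 = UDP
        if (proto == 6 and dport == 135
                and int(row["packets"]) == 1 and int(row["bytes"]) == 48):
            probes[row["src"]].add(row["dst"])
        elif proto == 17 and dport == 69:
            tftp_hosts.update((row["src"], row["dst"]))
    return {
        src: {"targets": len(dsts), "tftp_seen": src in tftp_hosts}
        for src, dsts in probes.items()
        if len(dsts) >= min_targets
    }


if __name__ == "__main__":
    for host, info in find_suspects(build_sample()).items():
        print(host, info)
```

Filtering on packet count and byte size first keeps normal multi-packet tcp/135 sessions out of the result, so only the hosts worth visiting are listed.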
