I can't seem to get IPCop to log binary dumps of IDS packet data. Snort is started by a C-code program "/usr/local/bin/restartsnort" (security, I guess). But that would be a start. Snort has some info, but I don't think IPCop has updated the Snort rules for this. Last official update was 7-31-03 (fixes3 update).

http://www.snort.org/snort-db/sid.html?sid=2192
http://www.snort.org/snort-db/sid.html?sid=2193

These look close and you may be able to make/add the rules to one of the Snort rule files. I know this still doesn't answer the question, but it's a start. You really can't know if it's a legit/mistaken request or not without the dump. Chances are port 135 requests are, but the dump would help define the attack.

On Sun, 2003-08-17 at 00:33, Gavin wrote:
> Kiran,
>
> Thanks for your reply, but I wanted to see an actual snip from someone's IPCop
> IDS to see EXACTLY what I should look for. I've got many hits on these ports
> but not sure if it's the Blaster worm or not.
>
> On Sun, 17 Aug 2003 11:58 am, Kiran wrote:
> > http://www.cert.org/advisories/CA-2003-20.html
> >
> > This describes it best.
> >
> > On Sat, 2003-08-16 at 12:38, Gavin wrote:
> > > I've got a few M$ boxes running 2000 and XP behind my IPCop firewall, all
> > > my boxes are patched. I've been checking my logs for anything pertaining
> > > to the Blaster worm but "I THINK" there is nothing showing. I've got
> > > Snort active but I'm not "REALLY" sure what to look for!! If any of you
> > > experts are using IPCop and your logs show hits, could you show me a snip
> > > so I know what to look for.
> > >
> > > Thank you

--
Kiran <[EMAIL PROTECTED]>
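One way to sift a Snort alert log for the kind of hits discussed in this thread, as an added example that is not code from the thread or from IPCop: it parses Snort fast-format alert lines and counts, per source address and rule, the alerts that carry the two sids linked above or that target TCP/135. The sample lines, including their message text, are constructed for illustration, not taken from any real log.

```python
"""Summarise Snort fast-format alerts for signs of Blaster-style DCOM RPC probes."""
import re
from collections import Counter

# Rule IDs referenced in the thread and the port Blaster's RPC exploit targets.
BLASTER_SIDS = {2192, 2193}
RPC_PORTS = {135}

# Constructed sample lines in Snort fast-alert format (not from a real IPCop log).
SAMPLE_ALERTS = """\
08/17-00:31:02.123456 [**] [1:2192:1] NETBIOS DCERPC ISystemActivator bind attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:3390 -> 198.51.100.5:135
08/17-00:31:05.654321 [**] [1:2192:1] NETBIOS DCERPC ISystemActivator bind attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:3391 -> 198.51.100.6:135
08/17-00:32:11.000000 [**] [1:2193:1] NETBIOS SMB DCERPC ISystemActivator bind attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.77:1045 -> 198.51.100.5:445
08/17-00:33:40.111111 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.9 -> 198.51.100.5
"""

# Ports are optional so that ICMP alerts (which carry none) still parse.
FAST_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r" -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text):
    """Parse fast-format alert lines; lines that do not match (e.g. truncated) are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["sid"] = int(a["sid"])
        a["dport"] = int(a["dport"]) if a["dport"] else None
        alerts.append(a)
    return alerts


def blaster_candidates(alerts):
    """Count alerts per (source, sid) that hit the Blaster sids or any TCP/135 rule."""
    hits = Counter()
    for a in alerts:
        if a["sid"] in BLASTER_SIDS or (a["proto"] == "TCP" and a["dport"] in RPC_PORTS):
            hits[(a["src"], a["sid"])] += 1
    return hits


if __name__ == "__main__":
    for (src, sid), n in blaster_candidates(parse_alerts(SAMPLE_ALERTS)).most_common():
        print(f"{src:15} sid {sid}: {n} alert(s)")
```

Point it at IPCop's real alert file instead of SAMPLE_ALERTS to get a per-host tally; a single source hammering many internal hosts on 135 is the pattern worth a closer look.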