On Sun, 2003-08-17 at 10:56, Kiran wrote:
> I can't seem to get IPCOP to log binary dumps of IDS packet data. Snort
> is started by a c-code program "/usr/local/bin/restartsnort" (security I
> guess). But that would be a start.
> snort has some info, but I don't think ipcop has updated the snort rules
> for this. Last official update was 7-31-03 (fixes3 update).
>
> http://www.snort.org/snort-db/sid.html?sid=2192
> http://www.snort.org/snort-db/sid.html?sid=2193
>
> These look close and you may be able to make/add the rules to one of the
> snort rule files.
>
> I know this still doesn't answer the question, but it's a start. You
> really can't know if it's a legit/mistaken request or not without the
> dump. Chances are port 135 requests are, but the dump would help define
> the attack.
>
> On Sun, 2003-08-17 at 00:33, Gavin wrote:
> > Kiran,
> >
> > Thanks for your reply, but I wanted to see an actual snip from someone's IPCOP
> > IDS to see EXACTLY what I should look for. I've got many hits on these ports
> > but not sure if it's the blaster worm or not.
> >
> > On Sun, 17 Aug 2003 11:58 am, Kiran wrote:
> > > http://www.cert.org/advisories/CA-2003-20.html
> > >
> > > this describes it best.
> > >
> > > On Sat, 2003-08-16 at 12:38, Gavin wrote:
> > > > I've got a few M$ boxes running 2000 and XP behind my IPcop firewall, all
> > > > my boxes are patched. I've been checking my logs for anything pertaining
> > > > to the blaster worm but "I THINK" there is nothing showing. I've got
> > > > snort active but I'm not "REALLY" sure what to look for!! If any of you
> > > > experts are using ipcop and your logs show hits, could you show me a snip
> > > > so I know what to look for.
> > > >
> > > > Thank you
> --
> Kiran <[EMAIL PROTECTED]>
Wouldn't the IPCop mailing list be a better place for this question?

In any case, you won't see it in your IDS logs unless you applied the new Snort rule for LOVE SAN/MS BLAST. Your firewall log will show tons of dropped packets from sources on the Internet going to destination port 135/TCP. Many people found that the worm was causing far too much log space to be taken, so they added explicit rules to drop those packets without logging them, in which case you will see nothing (it doesn't sound like you added those rules, though).

To tell if your internal boxes are infected, you would have to write iptables rules to log outgoing packets that have either source port 4444 or destination port 135. Apply that to your external interface to see if packets from your network going outbound match those rules. That will indicate that you have infected boxes.

--
Brian Keefer
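As an added illustration of the check Brian describes (not code from the thread or from the IPCop project), the script below reads netfilter LOG lines of the kind those iptables rules would write to /var/log/messages and reports which internal hosts sent outbound TCP packets to port 135 or from port 4444 on the external interface. The log lines are constructed samples, and the external interface name "ppp0" and the "BLASTER-OUT" log prefix are assumptions.

```python
import re
from collections import defaultdict

# Logging rules of the shape Brian describes, assuming the external interface
# is ppp0 (iptables syntax; the prefix is an assumed label):
#   iptables -I FORWARD -o ppp0 -p tcp --dport 135  -j LOG --log-prefix "BLASTER-OUT "
#   iptables -I FORWARD -o ppp0 -p tcp --sport 4444 -j LOG --log-prefix "BLASTER-OUT "

# Constructed sample lines in netfilter LOG format; not captures from anyone's firewall.
SAMPLE_LOG = """\
Aug 17 10:56:01 ipcop kernel: BLASTER-OUT IN=eth0 OUT=ppp0 SRC=192.168.1.10 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=1034 DPT=135 WINDOW=16384
Aug 17 10:56:02 ipcop kernel: BLASTER-OUT IN=eth0 OUT=ppp0 SRC=192.168.1.10 DST=203.0.113.6 LEN=48 PROTO=TCP SPT=1035 DPT=135 WINDOW=16384
Aug 17 10:56:03 ipcop kernel: BLASTER-OUT IN=eth0 OUT=ppp0 SRC=192.168.1.22 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=4444 DPT=1049 WINDOW=17520
Aug 17 10:56:04 ipcop kernel: INPUT-DROP IN=ppp0 OUT= SRC=198.51.100.77 DST=203.0.113.200 LEN=48 PROTO=TCP SPT=3120 DPT=135 WINDOW=16384
Aug 17 10:56:05 ipcop kernel: BLASTER-OUT IN=eth0 OUT=ppp0 SRC=192.168.1.30 DST=203.0.113.80 LEN=52 PROTO=TCP SPT=1100 DPT=80 WINDOW=16384
"""

FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")

def parse_line(line):
    """Return the KEY=value fields of one netfilter LOG line as a dict."""
    return dict(FIELD_RE.findall(line))

def outbound_blaster_hits(log_text, ext_iface="ppp0"):
    """Count, per internal source address, outbound TCP packets that match the
    two indicators from the thread: destination port 135 or source port 4444."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        f = parse_line(line)
        # Only packets leaving via the external interface matter; inbound
        # scans from the Internet (OUT empty) are the noise Brian mentions.
        if f.get("OUT") != ext_iface or f.get("PROTO") != "TCP":
            continue
        if f.get("DPT") == "135" or f.get("SPT") == "4444":
            hits[f["SRC"]] += 1
    return dict(hits)

def suspect_hosts(log_text, ext_iface="ppp0"):
    """Internal addresses with at least one matching outbound packet."""
    return sorted(outbound_blaster_hits(log_text, ext_iface))

if __name__ == "__main__":
    for host, n in sorted(outbound_blaster_hits(SAMPLE_LOG).items()):
        print(f"{host}: {n} outbound packet(s) matching Blaster indicators")
```

The inbound DPT=135 line is deliberately ignored: it is the background scanning every firewall saw at the time, while the outbound matches are what point at an infected box behind the firewall.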
