Hi flow-tools people!

Background: We've been investigating a virus lookup on campus last week, in light of recent news from the Internet Storm Center.

We detected the virus on Friday using our flowscan modules that were processing the flow-tools files. Last week we noted that the virus attempted to connect to 203.81.40.172 on port 10009 (as per http://isc.sans.org/diary.php?date=2004-09-08). So we checked our logs to see which machines had been attempting to connect on that port - this identified most of the infected machines we had previously identified and a few more.

Question: We were wondering if it is possible, given a list of (internal) IP addresses, to filter on them, and then aggregate to determine if there was anything else that many of the listed machines had attempted to connect to (using flow-report etc). If I were to explain this in a SQL-like fashion:

SELECT dstip, count(*) FROM flows WHERE srcip IS IN (infected hosts list) AND dstip IS external GROUP BY dstip

We could then monitor for other infected machines making connections to the same machine (bot controller), thus identifying infections quickly.

All input welcome

Regards
Craig Macdonald [EMAIL PROTECTED]
Glasgow University Computing Service

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
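The two-step idea in the post (filter flows by the known-infected source list, group by external destination, then watch for additional internal hosts contacting the destinations that surface) can be sketched independently of flow-tools. The following is an added example, not code from the original post or from the flow-tools project: it runs over a constructed set of flow records in a simplified CSV layout (srcip,dstip,dstport,flows), with a constructed campus prefix of 10.0.0.0/8 and constructed infected-host addresses. It counts distinct infected hosts per destination rather than raw flows, because a destination shared by many different infected machines is the stronger controller signal; the raw flow total is kept alongside for reference.

```python
import ipaddress
from collections import defaultdict

# Campus address space. Assumption: a constructed prefix for this example,
# not the university's real allocation.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Hosts already identified as infected (constructed sample addresses).
INFECTED = {"10.1.2.3", "10.1.2.4", "10.7.8.9"}

# Constructed sample flow records. Layout (an assumption for this example,
# not a real flow-export format): srcip,dstip,dstport,flows
SAMPLE_FLOWS = """\
10.1.2.3,203.81.40.172,10009,4
10.1.2.4,203.81.40.172,10009,2
10.7.8.9,203.81.40.172,10009,1
10.1.2.3,198.51.100.7,6667,3
10.1.2.4,198.51.100.7,6667,5
10.7.8.9,198.51.100.7,6667,1
10.1.2.3,10.9.9.9,445,9
10.5.5.5,198.51.100.7,6667,7
10.1.2.4,192.0.2.50,80,1
"""


def is_external(ip):
    """True when the address lies outside every campus prefix."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield (srcip, dstip, dstport, flows) tuples, skipping blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, dst, port, n = line.split(",")
        yield src, dst, int(port), int(n)


def aggregate_common_destinations(text, infected, min_hosts=2):
    """The post's query: destinations reached by infected sources, external
    only, grouped by dstip. Returns rows (dstip, distinct_hosts, total_flows,
    sorted ports) ordered by distinct infected hosts, then flow count."""
    hosts = defaultdict(set)
    flows = defaultdict(int)
    ports = defaultdict(set)
    for src, dst, port, n in parse_flows(text):
        if src not in infected or not is_external(dst):
            continue
        hosts[dst].add(src)
        flows[dst] += n
        ports[dst].add(port)
    rows = [(dst, len(hosts[dst]), flows[dst], sorted(ports[dst])) for dst in hosts]
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return [r for r in rows if r[1] >= min_hosts]


def find_new_suspects(text, controllers, infected):
    """Second step: internal hosts not yet on the infected list that contact
    any of the candidate controller addresses."""
    suspects = set()
    for src, dst, _port, _n in parse_flows(text):
        if dst in controllers and src not in infected and not is_external(src):
            suspects.add(src)
    return suspects


if __name__ == "__main__":
    candidates = aggregate_common_destinations(SAMPLE_FLOWS, INFECTED)
    for dst, nhosts, nflows, plist in candidates:
        print(f"{dst:16} infected_hosts={nhosts} flows={nflows} ports={plist}")
    controllers = {row[0] for row in candidates}
    print("new suspects:", sorted(find_new_suspects(SAMPLE_FLOWS, controllers, INFECTED)))
```

With flow-tools the first step maps onto filtering by a source ACL and reporting by destination address; the script above simply makes the grouping explicit. The internal destination 10.9.9.9 is dropped by the external check, the single-host destination 192.0.2.50 falls below the min_hosts threshold, and 10.5.5.5 surfaces as a new suspect because it contacts a destination shared by all three known-infected hosts.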
