Does anyone have any recommendations about monitoring for B-u-g-B-e-a-r on RS 7.0?
I scan for it in mail gateway but I would also like to know if any related NetBIOS activity is originating from outside the system or if any local machines are exhibiting behavior from within the network.

If... an infected machine propagates the infection by looking for responses to queries on UDP port 137, and... if the backdoor allows attackers to connect to infected hosts on port 36794

then... create a High Priority rule on the console (and log) for: UDP activity that originates from port 137 and TCP activity from port 36794

Originate UDP port 137 to anywhere
Originate TCP port 36794 to anywhere

Is this even close?

Jim
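The two checks the post asks about, written out as an added example that is not part of the original message and is not RealSecure rule syntax. The flow-tuple format, the 10.0.0.0/8 internal range, the sweep threshold and the sample records are assumptions constructed for illustration; only UDP port 137 and TCP port 36794 come from the post.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: local address space
NBNS_PORT = 137          # UDP NetBIOS name service port named in the post
BACKDOOR_PORT = 36794    # TCP backdoor port named in the post
SWEEP_THRESHOLD = 3      # assumption: distinct UDP/137 targets before alerting

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def analyze(flows):
    """flows: iterable of (proto, src_ip, src_port, dst_ip, dst_port)."""
    alerts = []
    nbns_targets = defaultdict(set)
    for proto, src, sport, dst, dport in flows:
        if proto == "udp" and dport == NBNS_PORT:
            if not is_internal(src) and is_internal(dst):
                # NetBIOS name query arriving from outside the network
                alerts.append(("nbns-from-outside", src, dst))
            elif is_internal(src):
                # Count distinct targets per local host; one broadcast is normal
                nbns_targets[src].add(dst)
        elif proto == "tcp" and BACKDOOR_PORT in (sport, dport):
            # Match both directions: the side using 36794 is the suspected host.
            # An ephemeral client port can collide with 36794, so treat as a lead.
            if dport == BACKDOOR_PORT:
                suspect, peer = dst, src
            else:
                suspect, peer = src, dst
            alerts.append(("backdoor-port", suspect, peer))
    for src, targets in sorted(nbns_targets.items()):
        if len(targets) >= SWEEP_THRESHOLD:
            alerts.append(("nbns-sweep", src, len(targets)))
    return alerts

# Constructed sample flow records (not real traffic)
SAMPLE_FLOWS = [
    ("udp", "10.1.1.5", 137, "10.1.1.255", 137),     # ordinary local broadcast
    ("udp", "10.1.1.9", 137, "10.1.2.1", 137),
    ("udp", "10.1.1.9", 137, "10.1.2.2", 137),
    ("udp", "10.1.1.9", 137, "10.1.2.3", 137),       # third distinct target
    ("udp", "203.0.113.7", 1029, "10.1.1.20", 137),  # query from outside
    ("tcp", "203.0.113.7", 4312, "10.1.1.20", 36794),
    ("tcp", "10.1.1.20", 36794, "203.0.113.7", 4312),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```

Matching on the destination port as well as the source port catches the first inbound packet to the backdoor, which a source-port-only rule sees only once the host replies.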
