On Fri, Oct 21, 2005 at 10:03:21AM +1000, Peter Rundle wrote:
> Dean Hamstead wrote:
> >ethereal?
> 
> Sure. But how do I distill the worm's attacks out of the millions of 
> other packets that are being picked up? There is constant broadcast 
> traffic on the LAN with PCs file sharing between each other. So traffic 
> to port 137 etc is very busy. How can I tell out of that broadcast 
> stream which packets are the worm scanning for ports to attack on?
> 
> I mean if the worm is scanning then I can just ethereal/tcpdump in the 
> Linux box to try and capture the initial port scan for vulnerable ports.

I reckon that a bit of time spent with a tcpdump log and the usual suspects
in the toolbox of Unix text manipulation tools would get you your answer. 
Consider, you're looking for a machine which is flinging a lot of SYN
packets around, on port 137, to a lot of different IP addresses.  So, you'd
do something similar to:

# capture port 137 traffic without name resolution; stop it with Ctrl-C
# once you have enough
tcpdump -i eth0 -n port 137 >/tmp/capt
# keep SYN packets only, pull out the source and destination fields
# (fields 3 and 5 of tcpdump's "time IP src > dst: flags" output), and
# collapse duplicates
grep ': S ' /tmp/capt | cut -d ' ' -f 3,5 | sort | uniq

And then look for addresses which happen to have a lot of connections to a
lot of different destination addresses.  With a bit of extra faff you could
do a lot better, by stripping out the source and dest ports, then doing
another sort/uniq, then stripping out the destination address, sort/uniq -c
to get a count of how many times each line appeared, and you would then have
a list of source IP addresses, with the number of distinct machines that
each source IP has contacted over the period of the scan.

- Matt
(Executive Director of the 'Shell Scripts For All!' foundation)
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
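The "extra faff" Matt describes, carried through as a complete pipeline. This is an added example, not code from the original thread; it assumes tcpdump output in the form `time IP src.port > dst.port: flags ...` (so source and destination are fields 3 and 5, as in Matt's `cut`) and works on a constructed sample capture embedded below rather than a real one.

```sh
#!/bin/sh
# Constructed sample of "tcpdump -n port 137" output (not a real capture).
# 10.0.0.5 sends SYNs to four different hosts, which is scan-like;
# 10.0.0.9 only talks to the file server 10.0.0.20, which is normal chatter.
SAMPLE_CAPTURE='10:03:21.000001 IP 10.0.0.5.1025 > 10.0.0.10.137: S 1:1(0) win 8192
10:03:21.000120 IP 10.0.0.5.1026 > 10.0.0.11.137: S 2:2(0) win 8192
10:03:21.000250 IP 10.0.0.5.1027 > 10.0.0.12.137: S 3:3(0) win 8192
10:03:21.000370 IP 10.0.0.5.1028 > 10.0.0.12.137: S 4:4(0) win 8192
10:03:21.000490 IP 10.0.0.5.1029 > 10.0.0.13.137: S 5:5(0) win 8192
10:03:21.000610 IP 10.0.0.9.1030 > 10.0.0.20.137: S 6:6(0) win 8192
10:03:21.000730 IP 10.0.0.9.1031 > 10.0.0.20.137: S 7:7(0) win 8192
10:03:21.000850 IP 10.0.0.20.137 > 10.0.0.9.1030: S 8:8(0) ack 7 win 8192
10:03:21.000970 IP 10.0.0.9.1032 > 10.0.0.20.137: P 9:9(0) win 8192'

# Read tcpdump lines on stdin; print "<count> <source IP>" where count is the
# number of distinct destination hosts that source sent SYNs to.
distinct_targets() {
    # 1. keep SYN packets only (tcpdump prints the flags after ': ')
    # 2. take the source and destination fields
    # 3. strip the port from the source ("a.b.c.d.port") and from the
    #    destination ("a.b.c.d.port:") so only host addresses remain
    # 4. one line per distinct (source, destination) pair
    # 5. count how many distinct destinations each source has
    grep ': S ' |
        cut -d ' ' -f 3,5 |
        sed -e 's/\.[0-9]* / /' -e 's/\.[0-9]*:$//' |
        sort -u |
        cut -d ' ' -f 1 |
        sort | uniq -c
}

# Print the source IPs that contacted at least $1 distinct hosts.
# The threshold is a tuning knob for your LAN, not a fixed rule.
flag_scanners() {
    distinct_targets | awk -v threshold="$1" '$1 >= threshold { print $2 }'
}

# Usage on the constructed sample: a real run would read /tmp/capt instead.
printf '%s\n' "$SAMPLE_CAPTURE" | flag_scanners 3
```

On the sample this reports only 10.0.0.5 (four distinct targets); 10.0.0.9 and the replying server each reach one host and stay below the threshold. On a real LAN pick the threshold by looking at the full `distinct_targets` output first, since legitimate browse masters and backup hosts also talk to many machines.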
