You could run SNORT and look for the Code Red signature. Or, on a basic level, you could log TCP port 137 traffic and then parse through your logs for hosts that appear to be walking a subnet. Also, if you are currently running iptables, it would be good to create reports of iptables logs using fwlogwatch. These reports make it easier to spot anomalies.
Hi guys, I have a question for you security knowledgeable types.....
Our ISP has contacted us and says that some machine on our network is sending out some sort of malicious attack, probably Code Red / Nimda / or something similar. Unfortunately, that's about all the info I have. The IP they gave us is the ip off the firewall box, which does NAT translation for everybody else.
So, what I'm wondering is, is there anything I can do (probably on the firewall box, which is Linux, BTW) to detect outgoing connections which look like worm attacks?
Thanks,
Phillip Rhodes
Application Designer
Voice Data Solutions
919-571-4300 x225
[EMAIL PROTECTED]
Those who are willing to sacrifice essential liberties for a little order, will lose both and deserve neither. - Benjamin Franklin
This country, with its institutions, belongs to the people who inhabit it.
Whenever they shall grow weary of the existing government, they can exercise their constitutional right of amending it, or exercise their revolutionary right to overthrow it. - Abraham Lincoln
No citizen shall be denied the right to bear arms, if as a last resort, to protect themselves from tyranny in Government. - Thomas Jefferson
/glen
-- Glen Ford [EMAIL PROTECTED]
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
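As an added example (not code from either poster), the log-parsing step Glen suggests: read iptables LOG lines for outbound TCP port 137 from the firewall box and flag internal hosts that contact many distinct addresses inside one /24, which is what a scanning worm behind NAT looks like. The sample log lines and the `OUT137:` prefix are constructed; the LOG rule shown in the comment is the assumed source of those lines.

```python
import re
from collections import defaultdict

# Constructed sample lines in the iptables LOG format as written by the kernel
# via syslog. They assume a rule on the Linux firewall such as:
#   iptables -I FORWARD -p tcp --dport 137 -j LOG --log-prefix "OUT137: "
SAMPLE_LOG = """\
Oct  3 14:02:11 fw kernel: OUT137: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=10.20.30.1 LEN=48 PROTO=TCP SPT=3342 DPT=137 WINDOW=16384
Oct  3 14:02:11 fw kernel: OUT137: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=10.20.30.2 LEN=48 PROTO=TCP SPT=3343 DPT=137 WINDOW=16384
Oct  3 14:02:11 fw kernel: OUT137: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=10.20.30.3 LEN=48 PROTO=TCP SPT=3344 DPT=137 WINDOW=16384
Oct  3 14:02:12 fw kernel: OUT137: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=10.20.30.4 LEN=48 PROTO=TCP SPT=3345 DPT=137 WINDOW=16384
Oct  3 14:02:12 fw kernel: OUT137: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=10.20.30.5 LEN=48 PROTO=TCP SPT=3346 DPT=137 WINDOW=16384
Oct  3 14:05:40 fw kernel: OUT137: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=172.16.4.9 LEN=48 PROTO=TCP SPT=1051 DPT=137 WINDOW=16384
Oct  3 14:05:41 fw kernel: OUT137: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=172.16.4.9 LEN=48 PROTO=TCP SPT=1052 DPT=137 WINDOW=16384
"""

# Pull source, destination and TCP destination port out of one LOG line.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def parse(lines, dport=137):
    """Yield (src, dst) for every line that is a TCP packet to dport."""
    for line in lines:
        m = LOG_RE.search(line)
        if m and int(m.group("dpt")) == dport:
            yield m.group("src"), m.group("dst")


def subnet_walkers(lines, dport=137, min_hosts=4):
    """Return {src: {"a.b.c": [dst, ...]}} for internal sources that hit at
    least min_hosts distinct addresses inside a single /24 on dport.
    A host talking repeatedly to one peer is normal and is not flagged;
    one spraying consecutive addresses in a /24 is the worm pattern."""
    per_src = defaultdict(lambda: defaultdict(set))
    for src, dst in parse(lines, dport):
        per_src[src][".".join(dst.split(".")[:3])].add(dst)
    by_octets = lambda ip: tuple(int(o) for o in ip.split("."))
    hits = {}
    for src, nets in per_src.items():
        walked = {n: sorted(d, key=by_octets) for n, d in nets.items() if len(d) >= min_hosts}
        if walked:
            hits[src] = walked
    return hits


if __name__ == "__main__":
    for src, nets in subnet_walkers(SAMPLE_LOG.splitlines()).items():
        for net, dsts in nets.items():
            print(f"{src} walked {net}.0/24: {len(dsts)} hosts on TCP/137")
```

Feed it the firewall's kernel log (for example `subnet_walkers(open("/var/log/messages"))`) and the flagged SRC is the internal box to pull off the network.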
