tcpdump -qn 'icmp and ip[40]=0xaa'
will detect welchia traffic... if that gets you nowhere then check out this link:
http://securityresponse.symantec.com/avcenter/venc/data/detecting.traffic.due.to.rpc.worms.html
SNORT would help you out as well....
-r
On Wednesday, Oct 15, 2003, at 08:58 America/Denver, [EMAIL PROTECTED] wrote:
Hi guys, I have a question for you security knowledgeable types.....
Our ISP has contacted us and says that some machine on our network is sending out some sort of malicious attack, probably Code Red / Nimda / or something similar. Unfortunately, that's about all the info I have. The IP they gave us is the ip off the firewall box, which does NAT translation for everybody else.
So, what I'm wondering is, is there anything I can do (probably on the firewall box, which is Linux, BTW) to detect outgoing connections which look like worm attacks?
Thanks,
Phillip Rhodes Application Designer Voice Data Solutions 919-571-4300 x225 [EMAIL PROTECTED]
Those who are willing to sacrifice essential liberties for a little order, will lose both and deserve neither. - Benjamin Franklin
This country, with its institutions, belongs to the people who inhabit it. Whenever they shall grow weary of the existing government, they can exercise their constitutional right of amending it, or exercise their revolutionary right to overthrow it. - Abraham Lincoln
No citizen shall be denied the right to bear arms, if as a last resort, to protect themselves from tyranny in Government. - Thomas Jefferson
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
