RE: Detecting Blaster
From: David A Cavalieri (David.Cavalieri_at_Colorado.EDU)
Date: 08/15/03
- Previous message: David Vincent: "RE: New variant. Blast.b"
- Maybe in reply to: Bob Sadler: "Detecting Blaster"
Date: Fri, 15 Aug 2003 11:48:38 -0600
To: <focus-ms@securityfocus.com>
Using NetFlow data, instead of watching all of your traffic to tcp/135
(which can be a great deal, depending on the size of your organization),
you can watch for single packets; destination tcp/135 with a size of 48
bytes. You can also look for destination UDP/69 (TFTP) packets.
Monitoring traffic on port 4444 was not as useful.
Hope this helps.
David Cavalieri
Technical Specialist
Information Technology Services
University of Colorado, Boulder
-----Original Message-----
From: Bob Sadler [mailto:bobs@LEAWOOD.ORG]
Sent: Thursday, August 14, 2003 11:14 AM
To: focus-ms@securityfocus.com
Subject: Detecting Blaster
I have been trying to figure out if there is a way that I can detect
signs of Blaster on a large number of machines on a network without
having to actually visit each one.
I have a port scanner (Ethereal) and have it set up to look at any frame
with destination port 135. Is there a better way to do this, or is the
way I'm trying to do this all wrong in the first place?
Bob Sadler
City of Leawood, KS, USA
WAN/Internet Specialist
913-339-6700 x194
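
The NetFlow filter described in the reply above (single-packet flows to tcp/135 with a size of 48 bytes, plus flows to UDP/69), as an added example that is not part of the original thread. The record layout, the sample flows and the MIN_TARGETS threshold are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed flow records (not real traffic): src,dst,proto,dport,packets,bytes
SAMPLE_FLOWS = """\
10.1.4.23,10.1.9.1,6,135,1,48
10.1.4.23,10.1.9.2,6,135,1,48
10.1.4.23,10.1.9.3,6,135,1,48
10.1.4.23,10.1.9.4,6,135,1,48
10.1.7.80,10.1.4.23,17,69,1,48
10.1.2.10,10.1.0.5,6,135,12,2310
10.1.2.11,10.1.0.5,6,135,1,48
10.1.3.40,10.1.0.9,6,4444,3,180
"""

TCP, UDP = 6, 17
MIN_TARGETS = 3  # assumption: distinct tcp/135 targets before a source is reported
FIELDS = ["src", "dst", "proto", "dport", "packets", "bytes"]

def parse_flows(text):
    """Yield one dict per flow record, with numeric fields converted to int."""
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        yield {k: v if k in ("src", "dst") else int(v) for k, v in row.items()}

def is_single_48_byte_probe(flow):
    """Single-packet flow to tcp/135 with a size of 48 bytes (the filter from the message)."""
    return (flow["proto"] == TCP and flow["dport"] == 135
            and flow["packets"] == 1 and flow["bytes"] == 48)

def suspect_hosts(flows, min_targets=MIN_TARGETS):
    """Map source IP -> (distinct tcp/135 probe targets, distinct udp/69 destinations)."""
    probes, tftp = defaultdict(set), defaultdict(set)
    for f in flows:
        if is_single_48_byte_probe(f):
            probes[f["src"]].add(f["dst"])
        elif f["proto"] == UDP and f["dport"] == 69:
            tftp[f["src"]].add(f["dst"])
    # Legitimate TFTP and one-off RPC connections exist, so results are leads to check
    # on the host, not verdicts.
    return {src: (len(probes[src]), len(tftp[src]))
            for src in sorted(set(probes) | set(tftp))
            if len(probes[src]) >= min_targets or tftp[src]}

if __name__ == "__main__":
    for src, (rpc, tftp_n) in suspect_hosts(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {rpc} single-packet tcp/135 targets, {tftp_n} udp/69 destinations")
```

Grouping by source turns the per-flow filter into a short list of machines to inspect, which is what the original question asked for.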