Re: Linux actual worm packets database/emulation tool?
From: Darren Tucker (dtucker_at_gate.dodgy.net.au)
Date: 10/27/05
- Next message: adil.wad_at_gmail.com: "Re: Putty: Network error: No route to host"
- Previous message: priyank_at_gmail.com: "Linux actual worm packets database/emulation tool?"
- In reply to: priyank_at_gmail.com: "Linux actual worm packets database/emulation tool?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 27 Oct 2005 09:36:42 GMT
On 2005-10-27, priyank@gmail.com <priyank@gmail.com> wrote:
> Can anybody point me towards a database or tool which can help me get
> the actual worm packets for Linux/its applications vulnerabilities. I
> need a worm trace which I can replay to see whether my IDS can detect
> the worm inside that traffice.
>
> Any help in this matter would be highly appreciated.
Assuming you mean the ssh worm (which is the only one on-topic here):
stick a machine on the internet with an sshd running on port 22 and run
"tcpdump tcp port 22". You will get plenty of sample data.
The bulk of the traffic will be encrypted, so it's likely that the only
characteristics your IDS will see are a) the client software version is
usually "libssh-0.1" [1], the connections are usually short and there are many
of them from the same source.
[1] From my logs: 99.989% libssh-0.1, 0.011% "everything else" :-)
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
- Next message: adil.wad_at_gmail.com: "Re: Putty: Network error: No route to host"
- Previous message: priyank_at_gmail.com: "Linux actual worm packets database/emulation tool?"
- In reply to: priyank_at_gmail.com: "Linux actual worm packets database/emulation tool?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
