[TriLUG] detecting outgoing worm attacks w/ linux firewall box?
Glen Ford
gford at idiom.com
Wed Oct 15 11:22:13 EDT 2003
prhodes at vdsinc.com wrote:
>
>
>Hi guys, I have a question for you security knowledgeable types.....
>
>Our ISP has contacted us and says that some machine on our network is
>sending
>out some sort of malicious attack, probably Code Red / Nimda / or something
>similar. Unfortunately, that's about all the info I have. The IP they
>gave us
>is the ip off the firewall box, which does NAT translation for everybody
>else.
>
>So, what I'm wondering is, is there anything I can do (probaby on the
>firewall box,
>which is Linux, BTW) to detect outgoing connections which look like worm
>attacks?
>
>Thanks,
>
>Phillip Rhodes
>Application Designer
>Voice Data Solutions
>919-571-4300 x225
>prhodes at vdsinc.com
>
>Those who are willing to sacrifice essential liberties for a little order,
>will
>lose both and deserve neither. - Benjamin Franklin
>
>This country, with its institutions, belongs to the people who inhabit it.
>
>Whenever they shall grow weary of the existing government, they can
>exercise
>their constitutional right of amending it, or exercise their revolutionary
>right to overthrow it. - Abraham Lincoln
>
>No citizen shall be denied the right to bear arms, if as a last resort, to
>protect themselves from tyranny in Government. - Thomas Jefferson
>
>
>
You could run SNORT and look for the code red signature. Or on a basic
level you could log tcp port 137 traffic and then parse through your
logs for host that appear to be walking a subnet. Also if you are
currently running Iptables, it would be good to create reports of
Iptable logs using fwlogwatch. This reports make it easier to spot anomilies
/glen
--
Glen Ford
gford at idiom.com
More information about the TriLUG
mailing list