See http://honeynet.org/node/388 for Snort signatures for .a and .b variants.

- d.

On Tue, 31 Mar 2009, Steven Fischer wrote:
Is anyone aware of any network-based signatures that could be used to identify and tag IP traffic, for dropping at the ingress/egress points?
On Tue, Mar 31, 2009 at 9:41 AM, JoeSox <joesox@gmail.com> wrote:
I am uncertain also. I scan a subnet on my network with Axence NetTools looking for port 445 and I receive some hits. I perform a netstat -a on some of those results but don't really see any 445 activity. The SCS script doesn't find anything either. The PCs are patched and virusscan updated. One PC, when I connected to it, did not navigate to the Windowsupdate website. I scheduled a Full McAfee scan as their documentation suggests ( http://download.nai.com/products/mcafee-avert/documents/combating_w32_confic... ), and sometime through the scan I was able to reach windowsupdate. I don't know if it was a coincidence or not that I was not able to reach the website. I haven't looked into the registry and any other places for evidence of Conficker. I will probably today but I am afraid it may be a waste of time since they are already patched and updated.

-- Joe
On Tue, Mar 31, 2009 at 5:48 AM, Eric Tykwinski <eric-list@truenet.com> wrote:
Joe,
Here's the link for the Python Crypto toolkit: http://www.amk.ca/python/code/crypto.html
I scanned our internal network and didn't find anything, so I can't really vouch for its reliability though.
--
Dominic J. Eidson
"Baruk Khazad! Khazad ai-menu!" - Gimli
----------------------------------------------------------------------------
http://www.dominiceidson.com/