How to find the first occurrance of the worm.
Ray Burkholder -----Original Message----- From: McDonald, Dan [mailto:Dan.McDonald@austinenergy.com] Sent: January 25, 2003 17:05 To: 'flow-tools@splintered.net' Subject: [flow-tools] w32.sqlexp.worm In case anyone needs it, here is the flow-tools nfilter that I've found to match the worm that hit us... filter-primitive mssql type ip-port permit 1434 default deny filter-primitive wormsize type counter permit eq 404 default deny filter theworm match src-ip-port mssql match octets wormsize that with a flow-print -f 5 gave me the time of the first infection... Daniel J McDonald, CCIE #2495, CNX Lan/Wan Integrator Austin Energy 1.512.322.6739 dan.mcdonald@austinenergy.com _______________________________________________ flow-tools@splintered.net http://www.splintered.net/sw/flow-tools
participants (1)
-
Ray Burkholder