North American Network Operators Group

How to find the first occurrence of the worm.
Ray Burkholder

-----Original Message-----
From: McDonald, Dan [mailto:[email protected]]
Sent: January 25, 2003 17:05
To: '[email protected]'
Subject: [flow-tools] w32.sqlexp.worm

In case anyone needs it, here is the flow-tools nfilter that I've found to
match the worm that hit us...

filter-primitive mssql
  type ip-port
  permit 1434
  default deny

filter-primitive wormsize
  type counter
  permit eq 404
  default deny

filter theworm
  match src-ip-port mssql
  match octets wormsize

that with a flow-print -f 5 gave me the time of the first infection...

Daniel J McDonald, CCIE #2495, CNX
Lan/Wan Integrator
Austin Energy
1.512.322.6739
[email protected]

_______________________________________________
[email protected]
http://www.splintered.net/sw/flow-tools
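The same match applied to exported flow records, as an added example that is not part of the original message or of flow-tools: it reports the earliest matching flow per source address. It goes slightly beyond the posted filter by requiring UDP, accepting port 1434 in either port field, and accepting multi-packet flows at exactly 404 octets per packet. The CSV layout, the addresses, the timestamps and the function names are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime

WORM_PORT = 1434      # port permitted by the "mssql" primitive in the post
WORM_OCTETS = 404     # size permitted by the "wormsize" primitive in the post
UDP = 17              # IP protocol number (added check, not in the posted filter)

# Constructed sample flows: hypothetical CSV layout, documentation addresses.
SAMPLE = """\
start,src,sport,dst,dport,proto,pkts,octets
2003-01-25T05:31:02,192.0.2.10,1045,198.51.100.7,1434,17,1,404
2003-01-25T05:29:54,192.0.2.10,1045,203.0.113.9,1434,17,1,404
2003-01-25T05:30:10,192.0.2.22,3301,198.51.100.7,1434,17,3,1212
2003-01-25T05:28:00,192.0.2.30,2000,198.51.100.8,1434,17,1,120
2003-01-25T05:27:00,192.0.2.31,2001,198.51.100.8,53,17,1,404
2003-01-25T05:26:00,192.0.2.32,2002,198.51.100.8,1434,6,1,404
2003-01-25T05:25:00,192.0.2.33,2003,198.51.100.8,1434,17,0,0
"""

def is_worm_flow(row):
    """UDP flow on port 1434 whose packets are each exactly 404 octets."""
    pkts, octets = int(row["pkts"]), int(row["octets"])
    if int(row["proto"]) != UDP or pkts < 1:
        return False
    on_port = WORM_PORT in (int(row["sport"]), int(row["dport"]))
    return on_port and octets == WORM_OCTETS * pkts

def first_seen(text):
    """Map each source address to the start time of its earliest matching flow."""
    earliest = {}
    for row in csv.DictReader(io.StringIO(text)):
        if not is_worm_flow(row):
            continue
        ts = datetime.fromisoformat(row["start"])
        if row["src"] not in earliest or ts < earliest[row["src"]]:
            earliest[row["src"]] = ts
    return earliest

def earliest_source(text):
    """Return (source, time) of the earliest matching flow overall, or None."""
    seen = first_seen(text)
    return min(seen.items(), key=lambda kv: kv[1]) if seen else None

if __name__ == "__main__":
    for src, ts in sorted(first_seen(SAMPLE).items(), key=lambda kv: kv[1]):
        print(ts.isoformat(), src)
```

Records are not assumed to arrive in time order, so the earliest start time is tracked per source instead of taking the first match.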