Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

How to find the first occurrence of the worm.

  • From: Ray Burkholder
  • Date: Sat Jan 25 17:55:32 2003



Ray Burkholder


-----Original Message-----
From: McDonald, Dan [mailto:Dan.McDonald@austinenergy.com] 
Sent: January 25, 2003 17:05
To: 'flow-tools@splintered.net'
Subject: [flow-tools] w32.sqlexp.worm


In case anyone needs it, here is the flow-tools nfilter that I've found to match the worm that hit us...

# SQL Server resolution service port used by the worm
filter-primitive mssql
  type ip-port
  permit 1434
  default deny

# one worm packet on the wire: 376-byte UDP payload + 20-byte IP + 8-byte UDP header
filter-primitive wormsize
  type counter
  permit eq 404
  default deny

# flow-nfilter definitions use the filter-definition keyword
filter-definition theworm
  match src-ip-port mssql
  match octets wormsize

That, with a flow-print -f 5, gave me the time of the first infection...

Daniel J McDonald, CCIE #2495, CNX
Lan/Wan Integrator
Austin Energy
1.512.322.6739
dan.mcdonald@austinenergy.com

_______________________________________________
flow-tools@splintered.net
http://www.splintered.net/sw/flow-tools
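The same check as an added example, not code from the post or from flow-tools: a small Python script that applies the nfilter's predicate (source port 1434, exactly 404 octets) to flow records and returns the earliest hit, which is the step flow-print -f 5 performs on the real data. The record layout, the Flow class and the sample lines are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime

MSSQL_PORT = 1434   # filter-primitive mssql
WORM_OCTETS = 404   # filter-primitive wormsize: 376-byte payload + 28 bytes IP/UDP headers


@dataclass
class Flow:
    """Constructed record carrying the fields the nfilter matches on."""
    start: datetime
    proto: int       # 17 = UDP, 6 = TCP
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    octets: int


def matches_worm(f: Flow) -> bool:
    """Same predicate as filter-definition theworm: src port 1434 and exactly 404 octets."""
    return f.src_port == MSSQL_PORT and f.octets == WORM_OCTETS


def first_infection(flows):
    """Earliest matching flow by start time, or None (what flow-print -f 5 showed the author)."""
    hits = [f for f in flows if matches_worm(f)]
    return min(hits, key=lambda f: f.start) if hits else None


def parse_flows(text):
    """Parse constructed 'start,proto,src,sport,dst,dport,pkts,octets' lines; '#' lines are comments."""
    out = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        s, proto, sip, sp, dip, dp, pk, oc = line.split(",")
        out.append(Flow(datetime.fromisoformat(s), int(proto), sip, int(sp),
                        dip, int(dp), int(pk), int(oc)))
    return out


# Constructed sample: normal TCP 1433 traffic, a 120-byte SSRP reply from port 1434
# (must not match), and two single-packet 404-byte worm flows out of order.
SAMPLE = """\
2003-01-25T05:31:10,6,10.0.0.5,1433,10.0.1.7,1433,12,2048
2003-01-25T05:29:42,17,192.0.2.10,1434,10.0.0.23,1434,1,404
2003-01-25T05:29:40,17,10.0.0.9,1434,10.0.0.1,1434,1,120
2003-01-25T05:30:01,17,192.0.2.10,1434,10.0.0.24,1434,1,404
"""

if __name__ == "__main__":
    hit = first_infection(parse_flows(SAMPLE))
    print(hit.start.isoformat() if hit else "no match")
```

Like the nfilter, the predicate checks neither protocol nor packet count, so a multi-packet flow from port 1434 that happens to total 404 octets would also match; add a packets == 1 and proto == 17 test if that noise matters on your network.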
