[expert] Blaster hits and IPCOP..what should I look for???

2003-08-16 Thread Gavin

I've got a few M$ boxes running 2000 and XP behind my IPCop firewall; all my
boxes are patched. I've been checking my logs for anything pertaining to the
Blaster worm, but "I THINK" there is nothing showing. I've got Snort active,
but I'm not "REALLY" sure what to look for! If any of you experts are using
IPCop and your logs show hits, could you show me a snip so I know what to
look for?

Thank you

-- 
Gavin
c/o GES (Gavin's English School)
Registered Linux user # 199685
Sent 2u on a M$ free system!!


Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com


Re: [expert] Blaster hits and IPCOP..what should I look for???

2003-08-16 Thread Kiran
http://www.cert.org/advisories/CA-2003-20.html

This describes it best.

On Sat, 2003-08-16 at 12:38, Gavin wrote:
> I've got a few M$ boxes running 2000 and XP behind my IPCop firewall; all my
> boxes are patched. I've been checking my logs for anything pertaining to the
> Blaster worm, but "I THINK" there is nothing showing. I've got Snort active,
> but I'm not "REALLY" sure what to look for! If any of you experts are using
> IPCop and your logs show hits, could you show me a snip so I know what to
> look for?
> 
> Thank you
-- 
Kiran <[EMAIL PROTECTED]>




Re: [expert] Blaster hits and IPCOP..what should I look for???

2003-08-16 Thread Gavin
Kiran,

Thanks for your reply, but I wanted to see an actual snip from someone's IPCop
IDS to see EXACTLY what I should look for. I've got many hits on these ports,
but I'm not sure if it's the Blaster worm or not.




On Sun, 17 Aug 2003 11:58 am, Kiran wrote:
> http://www.cert.org/advisories/CA-2003-20.html
>
> this describes it best.
>
> On Sat, 2003-08-16 at 12:38, Gavin wrote:
> > I've got a few M$ boxes running 2000 and XP behind my IPCop firewall; all
> > my boxes are patched. I've been checking my logs for anything pertaining
> > to the Blaster worm, but "I THINK" there is nothing showing. I've got
> > Snort active, but I'm not "REALLY" sure what to look for! If any of you
> > experts are using IPCop and your logs show hits, could you show me a snip
> > so I know what to look for?
> >
> > Thank you

-- 
Gavin
c/o GES
Fukushimaken, Fukushima City
Nankodai 2-34-1
Zip:960
Japan
Registered Linux user # 199685
Sent 2u on a M$ free system!!




Re: [expert] Blaster hits and IPCOP..what should I look for???

2003-08-17 Thread Kiran
I can't seem to get IPCop to log binary dumps of IDS packet data. Snort
is started by a C program, "/usr/local/bin/restartsnort" (for security, I
guess). But that would be a start.
Snort has some info, but I don't think IPCop has updated the Snort rules
for this. The last official update was 7-31-03 (fixes3 update).

http://www.snort.org/snort-db/sid.html?sid=2192
http://www.snort.org/snort-db/sid.html?sid=2193

These look close, and you may be able to make/add the rules to one of the
Snort rule files.

I know this still doesn't answer the question, but it's a start. You
really can't know if it's a legit/mistaken request or not without the
dump. Chances are port 135 requests are, but the dump would help define
the attack.

On Sun, 2003-08-17 at 00:33, Gavin wrote:
> Kiran,
> 
> Thanks for your reply, but I wanted to see an actual snip from someone's IPCop
> IDS to see EXACTLY what I should look for. I've got many hits on these ports,
> but I'm not sure if it's the Blaster worm or not.
> 
> 
> 
> 
> On Sun, 17 Aug 2003 11:58 am, Kiran wrote:
> > http://www.cert.org/advisories/CA-2003-20.html
> >
> > this describes it best.
> >
> > On Sat, 2003-08-16 at 12:38, Gavin wrote:
> > > I've got a few M$ boxes running 2000 and XP behind my IPCop firewall; all
> > > my boxes are patched. I've been checking my logs for anything pertaining
> > > to the Blaster worm, but "I THINK" there is nothing showing. I've got
> > > Snort active, but I'm not "REALLY" sure what to look for! If any of you
> > > experts are using IPCop and your logs show hits, could you show me a snip
> > > so I know what to look for?
> > >
> > > Thank you
-- 
Kiran <[EMAIL PROTECTED]>




Re: [expert] Blaster hits and IPCOP..what should I look for???

2003-08-17 Thread chort
On Sun, 2003-08-17 at 10:56, Kiran wrote:
> I can't seem to get IPCop to log binary dumps of IDS packet data. Snort
> is started by a C program, "/usr/local/bin/restartsnort" (for security, I
> guess). But that would be a start.
> Snort has some info, but I don't think IPCop has updated the Snort rules
> for this. The last official update was 7-31-03 (fixes3 update).
> 
> http://www.snort.org/snort-db/sid.html?sid=2192
> http://www.snort.org/snort-db/sid.html?sid=2193
> 
> These look close, and you may be able to make/add the rules to one of the
> Snort rule files.
> 
> I know this still doesn't answer the question, but it's a start. You
> really can't know if it's a legit/mistaken request or not without the
> dump. Chances are port 135 requests are, but the dump would help define
> the attack.
> 
> On Sun, 2003-08-17 at 00:33, Gavin wrote:
> > Kiran,
> > 
> > Thanks for your reply, but I wanted to see an actual snip from someone's IPCop
> > IDS to see EXACTLY what I should look for. I've got many hits on these ports,
> > but I'm not sure if it's the Blaster worm or not.
> > 
> > 
> > 
> > 
> > On Sun, 17 Aug 2003 11:58 am, Kiran wrote:
> > > http://www.cert.org/advisories/CA-2003-20.html
> > >
> > > this describes it best.
> > >
> > > On Sat, 2003-08-16 at 12:38, Gavin wrote:
> > > > I've got a few M$ boxes running 2000 and XP behind my IPCop firewall; all
> > > > my boxes are patched. I've been checking my logs for anything pertaining
> > > > to the Blaster worm, but "I THINK" there is nothing showing. I've got
> > > > Snort active, but I'm not "REALLY" sure what to look for! If any of you
> > > > experts are using IPCop and your logs show hits, could you show me a snip
> > > > so I know what to look for?
> > > >
> > > > Thank you
> -- 
> Kiran <[EMAIL PROTECTED]>

Wouldn't the IPCop mailing list be a better place for this question?

In any case, you won't see it in your IDS logs unless you applied the
new Snort rule for LOVE SAN/MS BLAST.  Your firewall log will show tons
of dropped packets from sources on the Internet going to destination
port 135/TCP.  Many people found that the worm was causing far too much
log space to be taken, so they added explicit rules to drop those
packets without logging them, in which case you will see nothing (it
doesn't sound like you added those rules, though).

To tell if your internal boxes are infected, you would have to write
iptables rules to log outgoing packets with either source port or
destination port 135.  Apply that to your external interface to see if
packets from your network going outbound match those rules.  That will
indicate that you have infected boxes.

-- 
Brian Keefer


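The two checks Brian describes above (inbound drops to 135/TCP from the Internet are worm noise; outbound packets from your own LAN with source or destination port 135 mean an infected box) can be run over the firewall log itself. The script below is an added example, not code from this thread or from IPCop. It assumes the standard netfilter LOG line format the kernel writes to syslog, that eth0 is the external (RED) interface and eth1 the LAN, and that the outbound rule was added as a LOG rule with a prefix, e.g. `iptables -I FORWARD -o eth0 -p tcp --dport 135 -j LOG --log-prefix "BLASTER-OUT "` plus the same with `--sport 135` (the prefix and interface names are assumptions). It also flags outbound 4444/TCP and 69/UDP, which CERT CA-2003-20 (linked earlier in the thread) lists as the worm's follow-on shell and TFTP download channels. The log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample netfilter LOG lines (syslog format). Addresses,
# interface names, times and the "BLASTER-OUT" prefix are made up;
# the prefix assumes the iptables LOG rule described in the lead-in.
SAMPLE_LOG = """\
Aug 17 10:56:01 ipcop kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=3194 DF PROTO=TCP SPT=1732 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 17 10:56:02 ipcop kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=3201 DF PROTO=TCP SPT=1733 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 17 10:56:05 ipcop kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=9912 DF PROTO=TCP SPT=2290 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 17 10:56:09 ipcop kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=107 ID=9950 DF PROTO=TCP SPT=2310 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 17 10:57:41 ipcop kernel: BLASTER-OUT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.200 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1021 DF PROTO=TCP SPT=1045 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 17 10:57:42 ipcop kernel: BLASTER-OUT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.201 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1022 DF PROTO=TCP SPT=1046 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 17 10:57:50 ipcop kernel: IN=eth1 OUT=eth0 SRC=10.0.0.31 DST=203.0.113.45 LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=555 PROTO=UDP SPT=1071 DPT=69 LEN=24
Aug 17 10:58:00 ipcop kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.80 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=TCP SPT=40211 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Only the netfilter key=value fields needed for the two checks.
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")

# Follow-on channels listed in CERT CA-2003-20: the shell the worm opens
# on 4444/TCP and the TFTP (69/UDP) fetch of the worm binary.
FOLLOWUP_PORTS = {("TCP", "4444"), ("UDP", "69")}


def parse_line(line):
    """Return the netfilter fields of a LOG line, or None for other syslog lines."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields


def classify(fields, external_if="eth0"):
    """Label one packet: an Internet probe we dropped, or an outbound sign of
    infection from our own network. Returns None for uninteresting traffic."""
    proto = fields["PROTO"]
    spt, dpt = fields.get("SPT"), fields.get("DPT")
    if fields.get("IN") == external_if and proto == "TCP" and dpt == "135":
        return "inbound-probe"          # worm noise from the Internet
    if fields.get("OUT") == external_if:
        if proto == "TCP" and "135" in (spt, dpt):
            return "outbound tcp/135"   # our host scanning for RPC victims
        if (proto, dpt) in FOLLOWUP_PORTS:
            return "outbound %s/%s" % (proto.lower(), dpt)
    return None


def analyze(log_text, external_if="eth0"):
    """Count inbound 135/TCP probes per Internet source and collect internal
    hosts whose outbound traffic looks like Blaster."""
    inbound = Counter()   # Internet source -> dropped 135/TCP probes
    suspects = {}         # internal host -> Counter of reasons
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        kind = classify(fields, external_if)
        if kind == "inbound-probe":
            inbound[fields["SRC"]] += 1
        elif kind is not None:
            suspects.setdefault(fields["SRC"], Counter())[kind] += 1
    return {"inbound_probes": inbound, "suspects": suspects}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, n in report["inbound_probes"].most_common():
        print("dropped %d probe(s) to 135/TCP from %s" % (n, src))
    for host, reasons in sorted(report["suspects"].items()):
        print("SUSPECT internal host %s: %s" % (host, dict(reasons)))
```

On a real IPCop box you would feed it the kernel messages (`grep kernel: /var/log/messages`) instead of the constructed sample. Inbound probes to 135/TCP tell you only that the Internet is noisy; any host in the `suspects` list is the one to pull off the LAN and reimage.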


Re: [expert] Blaster hits and IPCOP..what should I look for???

2003-08-17 Thread Kiran

> 
> Wouldn't the IPCop mailing list be a better place for this question?

Yes and I have moved the rest of my posts there already.
Thank you.
End of thread!!!

-- 
Kiran <[EMAIL PROTECTED]>

