[flow-tools] Tools to watch for viruses or worms?

Paul Dokas dokas at cs.umn.edu
Wed Oct 22 23:41:50 EDT 2003


On Wed, 22 Oct 2003 13:00:01 -0400, "Cowell, Andrew" <acowell at scrippsops.com> wrote:
> Hey, I'm trying to use flow exports to watch for viruses and worms on our
> network.  I haven't found any tools to do so yet.  Anybody know of one?
> Does anybody already have flow-tools filters for various worm signatures?
> The main suspicious activity I've been watching for has been sequential
> network mapping, but I don't see how to catch that with flow-tools.  Any
> ideas?

See the attached for a script that I wrote to find computers that are scanning.
It does a reasonable job for me when looking for worms since most of them scan
while attempting to spread.  To find machines on your site that are scanning:

  flow-cat flowfile | find_scanners5 -S -o -c 50 -s 5 -d 5 - | less

or, to find machines outside of your network scanning your computers:

  flow-cat flowfile | find_scanners5 -S -i -c 50 -s 5 -d 5 -


This script will do other things also, like sort IPs by bandwidth consumption.


Paul
-- 
Paul Dokas                                            dokas at cs.umn.edu
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: find_scanners
Type: application/octet-stream
Size: 29024 bytes
Desc: not available
Url : http://mailman.splintered.net/pipermail/flow-tools/attachments/20031022/0e394c2a/find_scanners.obj
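The kind of scan detection this reply relies on, as an added example that is not Paul's find_scanners script (which survives only as the scrubbed attachment) and not part of flow-tools: it reads constructed NetFlow-style records, flags sources that touch many distinct destinations with short (few-packet) flows, reports whether the targets were hit in address order (the sequential mapping Andrew asked about), and ranks sources by bytes sent. The record layout, the local prefix 10.1.0.0/16, the thresholds and the inbound/outbound split are all assumptions of this example; they are not the semantics of the -c, -s and -d options of find_scanners5, which the post does not document.

```python
"""Scan and top-talker heuristics over NetFlow-style records.

Added example; not the find_scanners script from the post, and the record
format, thresholds and local prefix below are assumptions of this example.
"""
import ipaddress
from collections import defaultdict

# Assumed site prefix: sources inside it are "our" machines.
LOCAL_NET = ipaddress.ip_network("10.1.0.0/16")


def constructed_sample():
    """Constructed flows (not real data), one per line:
    srcaddr dstaddr srcport dstport proto packets bytes"""
    lines = []
    # Worm-like internal host: one packet to port 445 on 12 consecutive hosts.
    for i in range(1, 13):
        lines.append(f"10.1.2.3 192.0.2.{i} 1025 445 6 1 48")
    # External host sweeping port 135 across our prefix.
    for i in range(1, 9):
        lines.append(f"198.51.100.7 10.1.0.{i} 3333 135 6 1 48")
    # Ordinary internal client: a few long flows to a few hosts.
    lines += ["10.1.2.4 192.0.2.20 40000 80 6 120 90000",
              "10.1.2.4 192.0.2.21 40001 443 6 400 512000",
              "10.1.2.4 10.1.0.5 40002 22 6 50 8000"]
    return "\n".join(lines)


def parse_flows(text):
    """Parse the whitespace-separated layout above into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, sport, dport, proto, pkts, nbytes = line.split()
        flows.append({"src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst),
                      "sport": int(sport), "dport": int(dport),
                      "proto": int(proto), "pkts": int(pkts),
                      "bytes": int(nbytes)})
    return flows


def find_scanners(flows, direction="outbound", min_flows=5, min_dst_hosts=5,
                  max_pkts=3, min_short_fraction=0.8, local_net=LOCAL_NET):
    """Return sources that look like scanners.

    direction="outbound": local sources (machines on our site scanning).
    direction="inbound":  non-local sources hitting local destinations.
    A source qualifies when it has at least min_flows flows to at least
    min_dst_hosts distinct hosts and at least min_short_fraction of those
    flows carry max_pkts packets or fewer (SYNs with no real session).
    """
    per_src = defaultdict(list)
    for f in flows:
        src_local, dst_local = f["src"] in local_net, f["dst"] in local_net
        if direction == "outbound" and not src_local:
            continue
        if direction == "inbound" and (src_local or not dst_local):
            continue
        per_src[f["src"]].append(f)

    results = []
    for src, fl in per_src.items():
        if len(fl) < min_flows:
            continue
        hosts = sorted({f["dst"] for f in fl})
        if len(hosts) < min_dst_hosts:
            continue
        short = sum(1 for f in fl if f["pkts"] <= max_pkts) / len(fl)
        if short < min_short_fraction:
            continue
        # Sequential mapping: most sorted destinations differ by exactly 1.
        adjacent = sum(1 for a, b in zip(hosts, hosts[1:]) if int(b) - int(a) == 1)
        results.append({"src": str(src), "flows": len(fl),
                        "dst_hosts": len(hosts),
                        "dst_ports": len({f["dport"] for f in fl}),
                        "short_fraction": round(short, 2),
                        "sequential": adjacent >= 0.5 * (len(hosts) - 1)})
    results.sort(key=lambda r: r["dst_hosts"], reverse=True)
    return results


def top_talkers(flows, n=10):
    """Sources ranked by bytes sent, the bandwidth view the post mentions."""
    by_src = defaultdict(int)
    for f in flows:
        by_src[f["src"]] += f["bytes"]
    ranked = sorted(by_src.items(), key=lambda kv: kv[1], reverse=True)
    return [(str(s), b) for s, b in ranked[:n]]


if __name__ == "__main__":
    flows = parse_flows(constructed_sample())
    for d in ("outbound", "inbound"):
        print(d, find_scanners(flows, direction=d))
    print("top talkers", top_talkers(flows))
```

A single port hit on many hosts (dst_ports == 1) is the worm-propagation shape; many ports on few hosts is a port scan, and the same per-source aggregation catches both. Thresholds need tuning per site: mail relays and DNS servers legitimately talk to many hosts with short flows, so whitelist them before trusting the output.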