Re: Worm activity

[Mark Bassett <zosxavius () gmail com>]

Adam Dyga wrote:

> Hello,
>
> I run a network server. Firewall logs show that there are many worm
> connection attempts mainly on ports 135 & 445. Is there any tool
> (for Linux) that allows to collect information about the kind of
> worms are trying to connect?
>
> Cheers, AD
You want to look at an Intrusion Detection System (IDS).  Snort seems
to be the gold standard on *nix boxen these days.  I'd start there.
With a decent ruleset, it will tell you what kinds of traffic are
trying to connect that may be malicious.

http://www.snort.org/

Typically a lot of viruses look to get in via NetBIOS (135-139 or so)
and SSL (445).  Port 80 is also highly targeted.  I forget what port
MS-SQL Server runs at, but I'd imagine that it would get a lot of hits
too.  As long as this worm activity does not get past the firewall,
you should be ok unless someone brings something bad via laptop or
other device into the network. This is also a case where IDS will come
in handy as it will at least catch the traffic trying to go out of the
network.  Patch often enough and a lot of problems will go away. Who
would have thought?

Like someone mentioned earlier, it is always a good idea to have
something inside the firewall listening as well, so you can verify
that everything is working that it should and keep tabs on the state
of your security.  Even putting something like Kerio on some windows
boxes inside your network is pretty good as Kerio has a pretty damned
good IDS module that seems to catch a lot of bad traffic (trojans,
worms, portscans, etc). It will also even log to a syslog server so
you can agregate all the bad traffic on your windows boxes in one
place. Not too shabby if you ask me. I don't know where the Kerio
folks get their ruleset from, but it seems to get updated fairly often.

Hope that gives you some advice.