Security Basics mailing list archives
Re: Worm activity
From: Mark Bassett <zosxavius () gmail com>
Date: Sat, 16 Jul 2005 01:49:33 -0400
Adam Dyga wrote:
> Hello, I run a network server. Firewall logs show that there are many worm connection attempts mainly on ports 135 & 445. Is there any tool (for Linux) that allows to collect information about the kind of worms are trying to connect?
>
> Cheers, AD
You want to look at an Intrusion Detection System (IDS). Snort seems to be the gold standard on *nix boxen these days. I'd start there. With a decent ruleset, it will tell you what kinds of traffic are trying to connect that may be malicious. http://www.snort.org/

Typically a lot of viruses look to get in via NetBIOS (135-139 or so) and SSL (445). Port 80 is also highly targeted. I forget what port MS-SQL Server runs at, but I'd imagine that it would get a lot of hits too.

As long as this worm activity does not get past the firewall, you should be ok unless someone brings something bad via laptop or other device into the network. This is also a case where IDS will come in handy as it will at least catch the traffic trying to go out of the network. Patch often enough and a lot of problems will go away. Who would have thought?

Like someone mentioned earlier, it is always a good idea to have something inside the firewall listening as well, so you can verify that everything is working that it should and keep tabs on the state of your security. Even putting something like Kerio on some windows boxes inside your network is pretty good as Kerio has a pretty damned good IDS module that seems to catch a lot of bad traffic (trojans, worms, portscans, etc). It will also even log to a syslog server so you can aggregate all the bad traffic on your windows boxes in one place. Not too shabby if you ask me. I don't know where the Kerio folks get their ruleset from, but it seems to get updated fairly often.

Hope that gives you some advice.
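Before (or alongside) deploying Snort, the firewall logs the original poster already has can answer the first question: which ports are being hit, from how many distinct sources, and whether any single source is probing several of the worm-favoured ports at once. The script below is an added example written for this archive page, not code from either poster; it parses the `iptables -j LOG` syslog format, counts dropped connection attempts per protocol and destination port, and lists sources that touch more than one port. The sample log lines are constructed (RFC 5737 documentation addresses), and the port-to-service table is my own annotation, not something the thread provides.

```python
"""Summarize netfilter/iptables LOG lines by destination port and source.

Added example for the Security Basics thread on worm activity. The log
sample below is constructed; the service labels are the author's own.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the usual "iptables -j LOG --log-prefix" syslog shape.
# Addresses come from RFC 5737 documentation ranges; they are not real hosts.
SAMPLE_LOG = """\
Jul 16 01:49:33 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1001 DF PROTO=TCP SPT=3456 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 16 01:49:34 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1002 DF PROTO=TCP SPT=3457 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 16 01:49:35 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.17 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=2001 DF PROTO=TCP SPT=1025 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 16 01:49:36 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.17 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=2002 DF PROTO=TCP SPT=1026 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 16 01:49:37 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.42 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=3001 DF PROTO=TCP SPT=4000 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 16 01:49:38 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.42 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=3002 DF PROTO=TCP SPT=4001 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 16 01:49:39 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=4001 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 16 01:49:40 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1003 DF PROTO=TCP SPT=3458 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 16 01:49:41 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=5001 PROTO=UDP SPT=137 DPT=137 LEN=58
Jul 16 01:50:01 gw CRON[123]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Author's annotation of ports the thread singles out (plus MS-SQL's 1433).
SERVICE_BY_PORT = {
    135: "MS RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram",
    139: "NetBIOS session",
    445: "SMB (Microsoft-DS)",
    80: "HTTP",
    1433: "MS-SQL Server",
}

KV_RE = re.compile(r"(\w+)=(\S*)")  # netfilter writes KEY=VALUE tokens


def parse_line(line):
    """Return {src, dst, proto, dpt} for a netfilter LOG line, else None.

    Lines without a destination port (ICMP, non-firewall syslog noise) are
    reported as None so the caller can count them separately.
    """
    if "kernel:" not in line or "SRC=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None
    return {
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields["PROTO"],
        "dpt": int(fields["DPT"]),
    }


def summarize(log_text):
    """Count hits per (proto, port) and track which sources touched what."""
    hits = Counter()
    sources_by_target = defaultdict(set)
    ports_by_source = defaultdict(set)
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        target = (rec["proto"], rec["dpt"])
        hits[target] += 1
        sources_by_target[target].add(rec["src"])
        ports_by_source[rec["src"]].add(rec["dpt"])
    return {
        "hits": hits,
        "sources_by_target": sources_by_target,
        "ports_by_source": ports_by_source,
        "unparsed": unparsed,
    }


def top_targets(summary, n=10):
    """(proto, port, hits, distinct_sources, service) rows, busiest first."""
    rows = []
    for (proto, port), count in summary["hits"].most_common(n):
        distinct = len(summary["sources_by_target"][(proto, port)])
        rows.append((proto, port, count, distinct, SERVICE_BY_PORT.get(port, "other")))
    return rows


def multi_port_sources(summary, min_ports=2):
    """Sources that probed at least `min_ports` distinct ports.

    A single address walking several of the NetBIOS/SMB ports looks more like
    a self-propagating worm than a stray connection; these are the addresses
    worth checking against an IDS alert feed. Sorted by port count, then IP.
    """
    rows = [(src, sorted(ports)) for src, ports in summary["ports_by_source"].items()
            if len(ports) >= min_ports]
    return sorted(rows, key=lambda r: (-len(r[1]), r[0]))


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"parsed hits: {sum(s['hits'].values())}, skipped lines: {s['unparsed']}")
    for proto, port, count, distinct, svc in top_targets(s):
        print(f"{proto:4} {port:5d} hits={count:3d} sources={distinct:3d}  {svc}")
    for src, ports in multi_port_sources(s):
        print(f"{src} probed ports {ports}")
```

Pipe the real log in with `python3 worm_ports.py < /var/log/kern.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the parser keys on the `KEY=VALUE` tokens, so it tolerates extra fields such as `MAC=` or a custom `--log-prefix`. The per-source view is the log-side version of the "something inside the firewall listening" advice above: once the same script runs over the syslog feed from the internal hosts, an inside address showing up in `multi_port_sources` is the laptop-brought-it-in case the reply warns about.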
Current thread:
- Worm activity Adam Dyga (Jun 13)
- Re: Worm activity Andrés Montañez (Jun 14)
- Re: Worm activity Mark Bassett (Jun 14)
- Re: Worm activity Matt Kirchhoff (Jun 16)