Ethereal-users: Re: [Ethereal-users] Possible to detect Sasser with Ethereal?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Andrew Hood <ajhood@xxxxxxxxx>
Date: Tue, 11 May 2004 22:57:23 +1000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nick Marques wrote:
| Can anyone explain how I might be able to detect Sasser virus traffic
| with Ethereal? Im interested in finding out the IP of infected systems.

I'd suggest you use a real intrusion detector like http://www.snort.org/

However, the following capture filter will give you a list of suspects
with some false positives:

tcp[13]&3!=0 and (port 139 or port 445)

~From that output, look for sources that appear to be scanning through
lists of targets.

Boxes causing arp storms are another good clue.

- --
There's no point in being grown up if you can't be childish sometimes.
~                -- Dr. Who
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAoM2zUpRmj8xnsFgRAoSzAJ4yWvZf4nFLyw0DAQVyXyzV51qWYQCfRY4F
sMHXwG8eFtq4sN8hHu/u1BI=
=XecC
-----END PGP SIGNATURE-----