[Dshield] RE: Moving infocon to 'half yellow'

Blake McNeill mcneillb at linklogger.com
Sat Aug 2 05:00:37 GMT 2003


We put up packet captures of a couple of the scanning tools at
http://www.linklogger.com/RPC_DCOM.htm and will add more as we capture them.
So far we have captured only 1 Metasploit/XFocus scan in the wild (couple of
port open scans), otherwise at 10:51 PM here it's still all quiet on the
western front, but the pots are armed and configured for capture of this
beast if in fact one shows up this weekend.

We are watching TCP port 135, what other ports should we be watching?  I
think CERT said TCP 4444, 445, and 139 (445 and 139 are already covered of
course), but what other ports should we tune in on to catch the impending
excitement (if in fact it happens at all this weekend)?

Blake


> Does anyone have snort signatures for this.  Any help is appreciated.



