sbernard at gmu.edu
Tue Aug 19 14:39:13 GMT 2003
I've built a tcpdump filter to search for Nachi/Welchia worm traffic. So far
I'm seeing one dial-up user whose computer is constantly pinging an address
in Yahoo's domain which resolves as UNKNOWN-64-58-77-85.yahoo.com. The host
was sending echo-requests every 3 to 4 seconds.
My current tcpdump filter is:
'icmp[icmptype]==icmp-echo && icmp[8]==0xAA && icmp[9]==0xAA &&
icmp[10]==0xAA && icmp[11]==0xAA'
This looks for ICMP echo-requests in which the first 4 data bytes are each
0xAA (hex) or 170 (decimal).
Suggestions for improvement or simplification are welcome.
Has anyone built a filter which will look for outbound TCP requests to ports
666 thru 765, as indicated by Symantec's updated discussion? My fingers are
feeling lazy and I don't have an auto-generation script written yet ;)
Sr. Systems Engineer, NET
George Mason University
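As an added illustration (not part of the original post), the following Python applies the same byte-offset logic the poster's tcpdump filter expresses to raw IPv4 packets, and includes a small generator for the outbound TCP port-range filter the post asks about. The packets are constructed sample data, the 64 bytes of 0xAA in the sample ping are assumed for illustration, and the `tcp[2:2]` form of the port-range expression is one way to write it on tcpdump versions without a `portrange` keyword.

```python
"""Constructed example (not from the original post): Welchia-style ICMP echo
detection and a TCP destination-port-range check, expressed both as BPF filter
strings and as Python checks over raw IPv4 packets."""
import struct

# The post's ICMP filter, with the ICMP echo data at offsets 8..11
# (ICMP echo header is 8 bytes: type, code, checksum, identifier, sequence).
WELCHIA_ICMP_FILTER = (
    "icmp[icmptype]==icmp-echo && icmp[8]==0xAA && icmp[9]==0xAA "
    "&& icmp[10]==0xAA && icmp[11]==0xAA"
)


def tcp_dst_portrange_filter(lo, hi):
    """Return a BPF expression matching TCP with destination port in [lo, hi].
    tcp[2:2] is the 16-bit destination port field (assumed form; older
    tcpdump releases lack the 'portrange' keyword)."""
    if not (0 <= lo <= hi <= 65535):
        raise ValueError("bad port range")
    return f"tcp && tcp[2:2] >= {lo} && tcp[2:2] <= {hi}"


def _ip_payload(pkt):
    """Return (protocol, payload) for a raw IPv4 packet, or (None, b'')."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None, b""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    return pkt[9], pkt[ihl:]


def is_welchia_ping(pkt):
    """ICMP echo-request (type 8) whose first four data bytes are 0xAA."""
    proto, icmp = _ip_payload(pkt)
    if proto != 1 or len(icmp) < 12:
        return False
    return icmp[0] == 8 and icmp[8:12] == b"\xaa\xaa\xaa\xaa"


def is_tcp_to_portrange(pkt, lo=666, hi=765):
    """TCP segment whose destination port falls inside [lo, hi]."""
    proto, tcp = _ip_payload(pkt)
    if proto != 6 or len(tcp) < 4:
        return False
    dport = struct.unpack("!H", tcp[2:4])[0]
    return lo <= dport <= hi


# --- constructed sample packets (checksums left zero; not real captures) ---
def _ipv4(proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return hdr + payload


def _icmp_echo(data):
    return struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + data


def _tcp_syn(dport):
    # 20-byte TCP header: src port 1025, data offset 5, SYN flag set
    return struct.pack("!HHIIBBHHH", 1025, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)


SAMPLE_PACKETS = {
    "welchia_ping": _ipv4(1, _icmp_echo(b"\xaa" * 64)),   # assumed 0xAA fill
    "normal_ping": _ipv4(1, _icmp_echo(bytes(range(8, 72)))),
    "syn_707": _ipv4(6, _tcp_syn(707)),
    "syn_80": _ipv4(6, _tcp_syn(80)),
}


def classify(packets):
    """Map packet name -> (welchia_ping_match, tcp_portrange_match)."""
    return {name: (is_welchia_ping(p), is_tcp_to_portrange(p))
            for name, p in packets.items()}


if __name__ == "__main__":
    print(WELCHIA_ICMP_FILTER)
    print(tcp_dst_portrange_filter(666, 765))
    for name, flags in classify(SAMPLE_PACKETS).items():
        print(name, flags)
```

The Python checks mirror the BPF offsets directly, so a packet that trips `is_welchia_ping` is one the tcpdump expression would also select; for live use, the generated string is passed to tcpdump as the filter and the Python is only a way to test the offset arithmetic against known samples.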