Network Security ISSForum
[ISSForum] How to detect(prevent) Bropia worm with ISS.

Subject: [ISSForum] How to detect(prevent) Bropia worm with ISS.
Date: Thu, 3 Feb 2005 16:05:08 +0900
Hi, all.

I have confirmed that the Bropia worm ( ) is currently circulating on the 
Internet, 
and have verified that the ISS Proventia G200 is detecting (or preventing) this worm 
with MSMessenger_FileXfer.


■ Signature Configuration
 - XPU 22.15 -> Security Events -> Audits -> MSMessenger_FileXfer
   Event Propagation : Source IP, Flood Protection

■ Note
   'Source IP' is NOT the compromised host, but 'Packet SourceAddress' is the 
compromised host.

■ Detail Log
Event Number : 1
Date/Time : 2005-02-03 10:37:13 GMT+09:00
Tag Name : MSMessenger_FileXfer
Alert Name : MSMessenger_FileXfer
Severity : Low
Tag Brief Description : 
Observance Type : Intrusion Detection
Combined Event Count : 1
Cleared Flag : No
Target DNS Name : 
Target IP Address : 207.46.108.60
Target Object Name : 1863
Target Object Type : Target Port
Target Service : 
Source DNS Name : 
Source IP Address : 111.111.111.111
SourcePort Name : 1247
Sensor DNS Name : 
Sensor IP Address : xxx.xxx.xxx.xxx
Sensor Name : rs_xxxxxx

Attribute Value Pairs for Event Number : 1
Attribute Name : :Filename
Attribute Value : ROFL.pif
Attribute Name : :From
Attribute Value :xxxxxx@hotmail.com
Attribute Name : :From-Name
Attribute Value : [SY]???%20??~!!!
Attribute Name : :intruder-ip-addr
Attribute Value : 111.111.111.111
Attribute Name : :intruder-port
Attribute Value : 1247
Attribute Name : :victim-ip-addr
Attribute Value : 207.46.108.60
Attribute Name : :victim-port
Attribute Value : 1863
Attribute Name : algorithm-id
Attribute Value : 3104008
Attribute Name : Packet DestinationAddress
Attribute Value : 111.111.111.111
Attribute Name : Packet DestinationPort
Attribute Value : 1247
Attribute Name : Packet SourceAddress
Attribute Value : 207.46.108.60
Attribute Name : Packet SourcePort
Attribute Value : 1863  

Thanks.


  • [ISSForum] How to detect(prevent) Bropia worm with ISS., Byungkuk Seo <=