Ethereal-users: Re: [Ethereal-users] Possible to detect Sasser with Ethereal?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Andrew Hood <ajhood@xxxxxxxxx>
Date: Tue, 11 May 2004 22:57:23 +1000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nick Marques wrote:
| Can anyone explain how I might be able to detect Sasser virus traffic
| with Ethereal? I'm interested in finding out the IP of infected systems.

I'd suggest you use a real intrusion detector like http://www.snort.org/

However, the following capture filter will give you a list of suspects
with some false positives:

tcp[13]&3!=0 and (port 139 or port 445)

From that output, look for sources that appear to be scanning through
lists of targets.

Boxes causing arp storms are another good clue.

--
There's no point in being grown up if you can't be childish sometimes.
                -- Dr. Who
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAoM2zUpRmj8xnsFgRAoSzAJ4yWvZf4nFLyw0DAQVyXyzV51qWYQCfRY4F
sMHXwG8eFtq4sN8hHu/u1BI=
=XecC
-----END PGP SIGNATURE-----
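The triage the reply describes (apply the SYN/FIN-on-139/445 capture filter, then rank sources by how many distinct hosts they probe, and separately look for hosts generating ARP storms) as an added, stand-alone example; this is not code from the post or from the Ethereal project. It re-implements the BPF expression `tcp[13]&3!=0 and (port 139 or port 445)` in Python over raw Ethernet frames, so you can see exactly which bytes the filter tests, and runs it on frames constructed inline. All addresses, the scanner/victim roles and the `min_targets` threshold are assumptions chosen for the demonstration, not data from a real Sasser capture.

```python
import struct
from collections import defaultdict

SMB_PORTS = {139, 445}   # the two ports the capture filter names
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame (constructed test data; checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # MACs + EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))   # proto 6 = TCP, IHL 5
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def build_arp_request(sender_ip, target_ip):
    """Minimal Ethernet/ARP who-has frame (constructed test data)."""
    mac = b"\x00\x11\x22\x33\x44\x55"
    eth = b"\xff" * 6 + mac + b"\x08\x06"
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,   # opcode 1 = request
                       mac, ip_bytes(sender_ip), b"\x00" * 6, ip_bytes(target_ip))
    return eth + body


def matches_filter(frame):
    """Python equivalent of the BPF filter  tcp[13]&3!=0 and (port 139 or port 445).

    tcp[13] is the TCP flags byte; &3 keeps FIN (0x01) and SYN (0x02). 'port' in
    BPF matches either source or destination port, which is why a SYN/ACK coming
    back from port 445 also passes.
    """
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return False
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:             # IPv4 carrying TCP only
        return False
    tcp = ip[(ip[0] & 0x0F) * 4:]
    if len(tcp) < 20:
        return False
    sport, dport = struct.unpack("!HH", tcp[:4])
    return bool(tcp[13] & (TCP_SYN | TCP_FIN)) and (sport in SMB_PORTS or dport in SMB_PORTS)


def decode_tcp(frame):
    ip = frame[14:]
    tcp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return ip_str(ip[12:16]), ip_str(ip[16:20]), sport, dport, tcp[13]


def find_scanners(frames, min_targets=5):
    """Rank sources by the number of distinct hosts they sent a SYN to on 139/445.

    Filtering on SYN toward a listening port, and counting distinct targets,
    drops the false positives the filter alone lets through (normal clients
    talking to one or two file servers, and the servers' own SYN/ACK replies).
    """
    targets = defaultdict(set)
    for f in frames:
        if not matches_filter(f):
            continue
        src, dst, _sport, dport, flags = decode_tcp(f)
        if flags & TCP_SYN and not flags & TCP_ACK and dport in SMB_PORTS:
            targets[src].add(dst)
    return {s: len(t) for s, t in targets.items() if len(t) >= min_targets}


def find_arp_sweepers(frames, min_targets=5):
    """Rank ARP senders by the number of distinct IPs they asked for (ARP storm clue)."""
    targets = defaultdict(set)
    for f in frames:
        if len(f) < 42 or f[12:14] != b"\x08\x06":
            continue
        arp = f[14:]
        if struct.unpack("!H", arp[6:8])[0] != 1:     # who-has requests only
            continue
        targets[ip_str(arp[14:18])].add(ip_str(arp[24:28]))
    return {s: len(t) for s, t in targets.items() if len(t) >= min_targets}


def sample_frames():
    """Constructed traffic: one sweeping host (10.0.0.5) and one normal SMB client (10.0.0.9)."""
    frames = [build_tcp_frame("10.0.0.5", f"10.0.1.{i}", 1024 + i, 445, TCP_SYN) for i in range(1, 21)]
    frames += [build_arp_request("10.0.0.5", f"10.0.0.{i}") for i in range(100, 131)]
    frames += [build_tcp_frame("10.0.0.9", "10.0.0.2", 3001, 445, TCP_SYN),
               build_tcp_frame("10.0.0.2", "10.0.0.9", 445, 3001, TCP_SYN | TCP_ACK),
               build_tcp_frame("10.0.0.9", "10.0.0.2", 3001, 445, TCP_ACK | 0x08),
               build_tcp_frame("10.0.0.9", "10.0.0.3", 3002, 139, TCP_SYN),
               build_tcp_frame("10.0.0.9", "192.0.2.10", 3003, 80, TCP_SYN),
               build_arp_request("10.0.0.9", "10.0.0.2"),
               build_arp_request("10.0.0.9", "10.0.0.1")]
    return frames


if __name__ == "__main__":
    frames = sample_frames()
    print("suspect scanners:", find_scanners(frames))        # {'10.0.0.5': 20}
    print("suspect ARP sweepers:", find_arp_sweepers(frames))  # {'10.0.0.5': 31}
```

On a real capture you would apply the same logic to frames read from a pcap file rather than constructed ones; the `min_targets` threshold is what turns the raw filter output into a short suspect list, and it should be tuned to the number of file servers a normal client on your network legitimately contacts.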