[nsp-sec] Netflow based detection of Conficker C
Peter Haag
peter.haag at switch.ch
Thu Apr 9 02:01:09 EDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Teams,
Inspired by other work (a Python script and SiLK plugins etc.
were already sent to this list some days ago by other people),
I'd like to contribute another flow-based detection tool for
Conficker C, of course based on nfdump/NfSen :)
Based on the article of CERT Lexsi:
https://cert.lexsi.com/weblog/index.php/2009/03/31/294-confickerc-de-peer-en-peer
( destination IP/Port relation of conficker's P2P behavior )
the appended tool search_conficker filters nfdump-collected
flows accordingly and prints potentially infected hosts to stdout.
The package also includes a small NfSen plugin for automatic
runs every 5min. See the README file for all the details.
For questions feel free to contact me.
Happy hunting!
- Peter
- --
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: peter.haag at switch.ch Web: http://www.switch.ch/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iQCVAwUBSd2PD/5AbZRALNr/AQKXcAQAmgEvSaaxPGiRa7Yh3GRiPaYJ16YgUrE1
dXVdGJB7qVZssxysn/yCJS627MA3RQjRGaX93ne6k9rl0cCE172OdeIjm4F5F0Lt
PsaGrg+EX45/CHF8jLWXjaO1/Y8O5jDtfGMpH4hoV3e4r7nRx0WXTpFk8+XeDyS+
0777dBEj/7M=
=EOzg
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SearchConfickerC.tgz
Type: application/x-gzip
Size: 150773 bytes
Desc: not available
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090409/0664d69c/attachment-0001.bin>
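The flow-based approach the post describes, as an added example that is not Peter Haag's search_conficker tool and not part of the nfdump/NfSen package: read nfdump-style CSV flow records, test each flow's destination IP/port pair against a relation, and report source hosts that hit the relation across several distinct peers. The actual Conficker C IP/port relation from the CERT Lexsi article is not reproduced here; `peer_port_matches` is a hypothetical stand-in, the CSV column order in `FIELDS` is assumed, and the sample flows are constructed.

```python
"""
Added example (not the search_conficker tool from the post): a minimal
flow-based detector that flags hosts whose outbound flows repeatedly satisfy
a destination IP/port relation, the way a P2P peer-probing bot would.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# ASSUMED column order for the CSV export; real "nfdump -o csv" output has
# more columns, so adapt FIELDS to your own export before use.
FIELDS = ["ts", "proto", "sa", "sp", "da", "dp", "pkts", "bytes"]

# Constructed sample flows (not real captures).  192.0.2.10 probes four
# peers on ports that satisfy the stand-in relation; 192.0.2.11 hits it once
# by coincidence (DNS to 198.51.100.53 on port 53); 192.0.2.12 never does.
SAMPLE_FLOWS = """\
2009-04-09 02:00:01,UDP,192.0.2.10,3077,198.51.100.20,37140,1,62
2009-04-09 02:00:02,UDP,192.0.2.10,3077,198.51.100.21,46101,1,62
2009-04-09 02:00:02,TCP,192.0.2.10,3078,198.51.100.22,12310,3,180
2009-04-09 02:00:03,TCP,192.0.2.10,3079,203.0.113.5,5893,3,180
2009-04-09 02:00:04,TCP,192.0.2.11,51000,198.51.100.20,80,12,9000
2009-04-09 02:00:05,UDP,192.0.2.11,51001,198.51.100.53,53,1,70
2009-04-09 02:00:06,TCP,192.0.2.12,52000,203.0.113.9,443,20,15000
"""


def peer_port_matches(dst_ip: str, dst_port: int) -> bool:
    """HYPOTHETICAL stand-in for the Conficker C IP/port relation.

    Replace this body with the relation documented by CERT Lexsi.  The
    stand-in simply compares the low byte of the port with the last octet
    of the destination address so the example is deterministic and testable.
    """
    last_octet = int(ipaddress.ip_address(dst_ip)) & 0xFF
    return dst_port % 256 == last_octet


def parse_flows(csv_text: str):
    """Yield one dict per flow record from nfdump-style CSV text."""
    reader = csv.DictReader(io.StringIO(csv_text), fieldnames=FIELDS)
    for row in reader:
        yield row


def find_suspects(csv_text: str, min_peers: int = 3):
    """Return [(source_ip, matched_peer_count, total_flows)] for sources whose
    flows satisfied the relation towards at least `min_peers` distinct peers.

    Counting distinct peers rather than raw flows keeps a single coincidental
    hit (or a noisy connection to one matching server) below the threshold.
    """
    matched_peers = defaultdict(set)
    total_flows = defaultdict(int)
    for row in parse_flows(csv_text):
        src = row["sa"]
        total_flows[src] += 1
        if peer_port_matches(row["da"], int(row["dp"])):
            matched_peers[src].add(row["da"])
    suspects = [
        (src, len(peers), total_flows[src])
        for src, peers in matched_peers.items()
        if len(peers) >= min_peers
    ]
    return sorted(suspects, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for src, peers, flows in find_suspects(SAMPLE_FLOWS):
        print(f"{src}: {peers} matching peers out of {flows} flows")
```

The `min_peers` threshold is the knob that matters in practice: with the stand-in relation roughly one destination in 256 matches by chance, so a busy host will produce occasional single hits, and only a host that matches across several distinct peers in a collection window deserves a second look.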