[nsp-sec] Netflow based detection of Conficker C
Peter Haag
peter.haag at switch.ch
Fri Apr 10 03:57:35 EDT 2009
By mistake, I appended the wrong version. Please use the one appended.
Many thanks
- Peter
Peter Haag wrote:
> ----------- nsp-security Confidential --------
>
> Hi Teams,
> Inspired by other work (a Python script, SiLK plugins etc. were
> already sent to this list some days ago by other people),
> I'd like to contribute another flow-based detection tool for
> Conficker C - of course based on nfdump/NfSen :)
>
> Based on the article by CERT Lexsi:
> https://cert.lexsi.com/weblog/index.php/2009/03/31/294-confickerc-de-peer-en-peer
> (destination IP/port relation of Conficker's P2P behavior),
>
> the appended tool search_conficker filters nfdump-collected
> flows accordingly and prints potentially infected hosts to stdout.
> The package also includes a small NfSen plugin for automatic
> runs every 5min. See the README file for all the details.
>
> For questions feel free to contact me.
>
> Happy hunting!
>
> - Peter
>
------------------------------------------------------------------------
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SearchConfickerC.tgz
Type: application/x-gzip
Size: 150995 bytes
Desc: not available
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090410/1bf114c1/attachment-0001.bin>