[nsp-sec] Netflow based detection of Conficker C

Peter Haag peter.haag at switch.ch
Fri Apr 10 04:57:55 EDT 2009



By mistake, I appended the wrong version. Please use the one appended.

Many thanks

	- Peter

Peter Haag wrote:
> ----------- nsp-security Confidential --------
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Hi Teams,
> Inspired by other work - a Python script and SiLK plugins etc.
> were already sent to this list some days ago by other people -
> I'd like to contribute another flow-based detection tool for
> ConfickerC - of course based on nfdump/NfSen :)
> 
> Based on the article of CERT Lexsi:
> https://cert.lexsi.com/weblog/index.php/2009/03/31/294-confickerc-de-peer-en-peer
> ( destination IP/Port relation of conficker's P2P behavior )
> 
> the appended tool search_conficker filters nfdump-collected
> flows accordingly and prints potentially infected hosts to stdout.
> The package also includes a small NfSen plugin for automatic
> runs every 5min. See the README file for all the details.
> 
> For questions feel free to contact me.
> 
> Happy hunting!
> 
> 	- Peter
> 




_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SearchConfickerC.tgz
Type: application/x-gzip
Size: 150995 bytes
Desc: not available
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090410/3004cebf/attachment-0001.bin>

