Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Posted on
October 27, 2005, 8:23 am
rate this thread
Can anybody point me towards a database or tool which can help me get
the actual worm packets for Linux/its applications vulnerabilities. I
need a worm trace which I can replay to see whether my IDS can detect
the worm inside that traffice.
Any help in this matter would be highly appreciated.
Thanks in advance,
Re: Linux actual worm packets database/emulation tool?
Assuming you mean the ssh worm (which is the only one on-topic here):
stick a machine on the internet with an sshd running on port 22 and run
"tcpdump tcp port 22". You will get plenty of sample data.
The bulk of the traffic will be encrypted, so it's likely that the only
characteristics your IDS will see are a) the client software version is
usually "libssh-0.1" , the connections are usually short and there are many
of them from the same source.
 From my logs: 99.989% libssh-0.1, 0.011% "everything else" :-)
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
- » ssh on command line: force using a group size (prime size) of 1024 (and no...
- — Newest thread in » Secure Shell Forum