Linux actual worm packets database/emulation tool?

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View

Can anybody point me towards a database or tool which can help me get
the actual worm packets for Linux/its applications vulnerabilities. I
need a worm trace which I can replay to see whether my IDS can detect
the worm inside that traffice.

Any help in this matter would be highly appreciated.

Thanks in advance,

Re: Linux actual worm packets database/emulation tool?

Quoted text here. Click to load it

Assuming you mean the ssh worm (which is the only one on-topic here):
stick a machine on the internet with an sshd running on port 22 and run
"tcpdump tcp port 22".  You will get plenty of sample data.

The bulk of the traffic will be encrypted, so it's likely that the only
characteristics your IDS will see are a) the client software version is
usually "libssh-0.1" [1], the connections are usually short and there are many
of them from the same source.

[1] From my logs: 99.989% libssh-0.1, 0.011% "everything else" :-)

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Site Timeline