virus/worms killing a network...

Volker Kindermann fedora at secspace.de
Sun Aug 1 08:48:20 UTC 2004


Hi,


> The virus gets into the user machine by e-mail from other ISPs. That's
> no way I can block e-mail ports. I blocked ports TCP 4444,135,445 and
> UDP 69, known as ports that w32.blaster and other worms use to spread
> in the network. I really want to be able to scan every package that
> passes through the firewall and see which host it's coming from.
> Ex: host 192.168.1.175 is sending strange packages that may be a virus
> attack.


As somebody already suggested, you should install the snort intrusion
detection system on the FC2 box (http://www.snort.org). Then you should
search for snort pattern files regarding these worms (some are included
in the standard packages, but perhaps not all you need).

It's also possible to configure snort in such a way that it acts as an
intrusion prevention system, that is, it will cut a connection if it
detects some worm activity.

But be warned: it's not trivial to set up and run a network intrusion
detection/prevention system correctly. Depending on your current
knowledge you may have to learn a lot.

Especially if you configure it as an intrusion prevention system, chances
are that you cut internet access for all machines by, e.g., blocking the
name servers.

 -volker
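The original poster's actual question was how to see which internal host the worm traffic is coming from. Before (or alongside) a snort deployment, the firewall's own iptables LOG output already answers that. The following script is an added example, not part of the thread and not snort's or Fedora's code: it parses kernel LOG lines, counts per-source hits on the ports the poster blocked (TCP 135/445/4444, UDP 69), and flags a host only when it contacts several distinct destinations on those ports, which is what a spreading worm looks like and what a single legitimate file-share connection does not. The log lines, the FW-DROP prefix and the threshold are constructed for the example; DNS traffic (UDP 53) is included in the sample to show it is not touched, in line with the warning above about cutting off the name servers.

```python
"""Flag internal hosts hitting W32.Blaster-style worm ports in iptables LOG output.

Added example for the thread above; log lines, log prefix and threshold are
constructed, not taken from the original posting.
"""
import re
from collections import defaultdict

# (protocol, destination port) pairs the original poster blocked on the firewall.
WORM_PORTS = {("TCP", 135), ("TCP", 445), ("TCP", 4444), ("UDP", 69)}

# Constructed kernel LOG lines in the usual iptables "-j LOG --log-prefix" layout.
SAMPLE_LOG = "\n".join([
    "Aug  1 08:40:01 fw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.175 DST=10.0.0.5 LEN=48 TOS=0x00 TTL=128 ID=1 DF PROTO=TCP SPT=1034 DPT=135 WINDOW=16384 SYN",
    "Aug  1 08:40:01 fw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.175 DST=10.0.0.6 LEN=48 TOS=0x00 TTL=128 ID=2 DF PROTO=TCP SPT=1035 DPT=135 WINDOW=16384 SYN",
    "Aug  1 08:40:02 fw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.175 DST=10.0.0.7 LEN=48 TOS=0x00 TTL=128 ID=3 DF PROTO=TCP SPT=1036 DPT=135 WINDOW=16384 SYN",
    "Aug  1 08:40:02 fw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.175 DST=10.0.0.8 LEN=48 TOS=0x00 TTL=128 ID=4 DF PROTO=TCP SPT=1037 DPT=4444 WINDOW=16384 SYN",
    "Aug  1 08:40:03 fw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.175 DST=10.0.0.9 LEN=28 TOS=0x00 TTL=128 ID=5 PROTO=UDP SPT=1038 DPT=69 LEN=8",
    # One hit on 445 from another host: a normal Windows file-share attempt, not a scan.
    "Aug  1 08:40:05 fw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=10.0.0.5 LEN=48 TOS=0x00 TTL=128 ID=6 DF PROTO=TCP SPT=1100 DPT=445 WINDOW=16384 SYN",
    # DNS lookups: not a worm port, must never be counted.
    "Aug  1 08:40:06 fw kernel: FW-ACCEPT: IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=10.0.0.53 LEN=60 TOS=0x00 TTL=128 ID=7 PROTO=UDP SPT=1200 DPT=53 LEN=40",
    "Aug  1 08:40:06 fw kernel: FW-ACCEPT: IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=10.0.0.53 LEN=60 TOS=0x00 TTL=128 ID=8 PROTO=UDP SPT=1201 DPT=53 LEN=40",
    # Unrelated syslog line; the parser must skip it.
    "Aug  1 08:41:00 fw sshd[123]: Accepted password for volker from 192.168.1.2",
])

# Pull source, destination, protocol and destination port out of one LOG line.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>TCP|UDP) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) for an iptables LOG line, or None for anything else."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dpt"])


def worm_port_hits(log_text):
    """Per source host: number of packets to worm ports and the set of destinations hit."""
    hits = defaultdict(lambda: {"count": 0, "targets": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if (proto, dport) in WORM_PORTS:
            hits[src]["count"] += 1
            hits[src]["targets"].add(dst)
    return dict(hits)


def suspicious_hosts(log_text, min_targets=3):
    """Hosts touching at least `min_targets` distinct destinations on worm ports.

    The threshold is an assumption for this example: a worm sweeps many hosts,
    while one packet to 445 is usually just a file-share connection.
    """
    return sorted(
        src for src, h in worm_port_hits(log_text).items()
        if len(h["targets"]) >= min_targets
    )


if __name__ == "__main__":
    for src in suspicious_hosts(SAMPLE_LOG):
        h = worm_port_hits(SAMPLE_LOG)[src]
        print(f"{src}: {h['count']} packets to worm ports, {len(h['targets'])} distinct targets")
```

Run it against `/var/log/messages` (or wherever the LOG target writes) by replacing `SAMPLE_LOG` with the file contents; the distinct-target count is the useful signal, since the raw packet count alone will also light up a busy but healthy Windows client.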