Richard.Smithat_private wrote: >If you see just the syn packet you are not going to match a signature >against Nimda or any other exploit for that matter because you have not >captured the packet. Thanks, Richard. Some of the others don't seem to have realized that's why I asked the question -- that, and because while CR and Nimda hits against all my other machines have tailed off to very low levels, the pressure against this one, of whatever sort, has remained constant. Also, I opened port 80, though I didn't set up a web-server, while running tcpdump, against the possibility that the blocking software might interfere with what I wanted to see. I wasn't clear about that in my original post, and I apologize. Marc: I checked the DNS entries, and at least our local DNS servers don't have errors in them. There are no web-server addresses which resolve to this box. Xno: Thanks for your explanation. I think that may be what's happening. The assymetry in hits is perhaps due to non-random generation of target IPs by whatever worm is responsible. Best regards, Neil Dickey, Ph.D. Research Associate/Sysop Geology Department Northern Illinois University DeKalb, Illinois 60115 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Sep 28 2001 - 13:44:32 PDT