Counterpane has begun testing vulnerable systems for evidence of the PROTOS tool in use. So far, we've learned that snmpdx will produce the following message >after< a crafted packet has caused problems:

Feb 12 23:25:48 mordor snmpdx: agent snmpd not responding
Feb 13 00:03:24 mordor snmpdx: agent snmpd not responding

We are continuing testing and will publish forensic evidence on the Log Analysis Web site as we collect it. Contributions gratefully accepted, too.

I will follow this up with a list of IDS signatures that are specific to the PROTOS tool.

Tina Bird
Log Analysis: http://www.counterpane.com/log-analysis.html

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
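An added example, not part of the original post: a small Python scan of classic syslog lines for the snmpdx message quoted above, grouped by host so the timestamps can be correlated with inbound SNMP traffic. The function name, the optional "[pid]" suffix on the tag, and every sample line other than the two from the post are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Classic BSD syslog layout: "Mon DD HH:MM:SS host tag: message".
# The optional "[pid]" after the tag is an assumption; the post shows none.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) snmpdx(?:\[\d+\])?: "
    r"agent (?P<agent>\S+) not responding$"
)


def find_snmpdx_stalls(lines):
    """Return {host: [(timestamp, agent), ...]} for matching lines, in input order."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            hits[m.group("host")].append((m.group("ts"), m.group("agent")))
    return dict(hits)


# The first two lines are quoted from the post; the rest are constructed samples.
SAMPLE = [
    "Feb 12 23:25:48 mordor snmpdx: agent snmpd not responding",
    "Feb 13 00:03:24 mordor snmpdx: agent snmpd not responding",
    "Feb 13 00:04:01 mordor sendmail[412]: starting daemon",          # constructed, unrelated
    "Feb 13 01:10:02 gondor snmpdx[215]: agent snmpd not responding",  # constructed, with pid
    "Feb 13 01:11:30 gondor snmpdx: session opened",                   # constructed, other text
]

if __name__ == "__main__":
    for host, events in find_snmpdx_stalls(SAMPLE).items():
        first, last = events[0][0], events[-1][0]
        print(f"{host}: {len(events)} event(s), first {first}, last {last}")
```

The message only records that the agent stopped answering, so each hit is a lead to check against SNMP traffic seen around that time.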
This archive was generated by hypermail 2b30 : Wed Feb 13 2002 - 14:36:22 PST