[Snort-sigs] Loophole Server

Nigel Houghton nigel at ...435...
Tue Dec 21 11:47:24 EST 2004


On  0, Ron Jenkins <rjenkins at ...2938...> allegedly wrote:
>    Any ideas?

Well, you might start with looking at the intial connection beween
client and server. After that, the traffic is going to look pretty
normal probably. 

More general key indicators for this kind of thing would be
abnormally high rates of traffic flow between clients on your LAN and
home cable/dsl addresses. Other tools to address this might be more
useful.

I'm cc-ing the list since I didn't notice your earlier message didn't
go there too. Someone may already be working on this.

+-----------------------------------------------------------------+
    Nigel Houghton      Research Engineer       Sourcefire Inc.
                  Vulnerability Research Team

 Stewie: You know, I rather like this God fellow. Very theatrical, 
         you know. Pestilence here, a plague there. Omnipotence 
				 ...gotta get me some of that.




More information about the Snort-sigs mailing list