[Snort-users] mirkforce IRC attack
stuart at ...155...
Fri Mar 9 16:38:56 EST 2001
Yonah Russ wrote:
> On Thu, 8 Mar 2001, Andrew Daviel wrote:
> > Just found an IRC attack tool "mirkforce" (see e.g.
> > http://hackreport.magicnet.org/)
> > This is a bitch to find unless you have ARP logs, since the
> > hacked machine does not use its own ip to connect to the target
> This is true- I posted a question about integrating arpwatch into snort a
> while back for this exact reason. Luckily an IRC op contacted us quickly
> with a list of IPs which were obviously stolen so we knew what direction
> to head in.
We (Silicon Defense) are working on a plugin that will watch IP/arp
mappings and squeal when it thinks bad things are happening.
Stuart Staniford --- President --- Silicon Defense
stuart at ...155... http://www.silicondefense.com/
(707) 445-4355 (707) 445-4222 (FAX)
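
The IP/ARP mapping check discussed in this thread, sketched as an added example (not Silicon Defense's plugin and not Snort code). The "epoch ip mac" record format, the thresholds and all sample addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed observations, one per line: "epoch_seconds ip mac".
# This record format is an assumption, not the output of any real tool.
SAMPLE = """\
984171000 192.0.2.10 00:a0:c9:11:22:33
984171005 192.0.2.11 00:a0:c9:44:55:66
984171010 192.0.2.57 00:a0:c9:11:22:33
984171012 192.0.2.58 00:a0:c9:11:22:33
984171015 192.0.2.59 00:a0:c9:11:22:33
984171020 192.0.2.11 00:a0:c9:77:88:99
"""

def parse(text):
    """Yield (timestamp, ip, mac) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2].lower()

def find_anomalies(observations, max_ips_per_mac=2, window=60, allow=()):
    """Flag a MAC answering for many IPs within `window` seconds, and
    any IP that moves to a different MAC. MACs in `allow` (routers,
    proxy-ARP or multi-homed hosts) are exempt from the many-IP check."""
    ip_owner = {}                  # ip -> MAC that last claimed it
    mac_ips = defaultdict(dict)    # mac -> {ip: last time seen}
    flagged, alerts = set(), []
    for ts, ip, mac in observations:
        prev = ip_owner.get(ip)
        if prev is not None and prev != mac:
            alerts.append(("ip_moved", ip, prev, mac))
        ip_owner[ip] = mac
        seen = mac_ips[mac]
        seen[ip] = ts
        # Drop claims that have aged out of the sliding window.
        for old in [i for i, t in seen.items() if ts - t > window]:
            del seen[old]
        if len(seen) > max_ips_per_mac and mac not in allow and mac not in flagged:
            flagged.add(mac)       # report each offending MAC once
            alerts.append(("many_ips", mac, sorted(seen)))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(parse(SAMPLE)):
        print(alert)
```

The "many_ips" alert names the hardware address, which is what lets you locate the machine when the source IPs in the IRC logs are not its own.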