[Snort-users] mirkforce IRC attack

Stuart Staniford stuart at ...155...
Fri Mar 9 16:38:56 EST 2001


Yonah Russ wrote:
> 
> On Thu, 8 Mar 2001, Andrew Daviel wrote:
> 
> > Just found an IRC attack tool "mirkforce" (see eg.
> > http://hackreport.magicnet.org/)
> >
> > This is a bitch to find unless you have ARP logs, since the
> > hacked machine does not use its own ip to connect to the target
> 
> This is true - I posted a question about integrating arpwatch into snort a
> while back for this exact reason. Luckily an IRC op contacted us quickly
> with a list of IPs which were obviously stolen so we knew what direction
> to head in.

We (Silicon Defense) are working on a plugin that will watch IP/arp
mappings and squeal when it thinks bad things are happening.

Stuart.

-- 
Stuart Staniford  ---  President  ---  Silicon Defense
stuart at ...155...  http://www.silicondefense.com/
(707) 445-4355                     (707) 445-4222 (FAX)
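
Added example, not part of the original message and not Silicon Defense's plugin or Snort code: one way to watch IP/MAC mappings for the situation the thread describes, a host using addresses that are not its own. The record format ("epoch ip mac"), the threshold, the window and all function names are assumptions, and the sample observations are constructed.

```python
from collections import defaultdict

# Constructed sample observations (not from the thread): "epoch ip mac",
# one line per ARP reply or IP packet seen on the local segment.
SAMPLE = """\
984170000 192.0.2.10 02:00:00:00:00:01
984170005 192.0.2.11 02:00:00:00:00:02
984170010 192.0.2.12 02:00:00:00:00:03
984170100 192.0.2.50 02:00:00:00:00:03
984170101 192.0.2.51 02:00:00:00:00:03
984170102 192.0.2.52 02:00:00:00:00:03
984170103 192.0.2.11 02:00:00:00:00:03
984170900 192.0.2.10 02:00:00:00:00:01
"""

def parse(text):
    """Yield (timestamp, ip, mac) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2].lower()

def watch(records, max_ips=3, window=300):
    """Return alerts for suspicious IP/MAC mappings.

    ip_moved: an IP first seen behind one MAC shows up behind another.
    many_ips: one MAC uses more than max_ips addresses within `window` seconds.
    """
    owner = {}                      # ip -> first MAC seen using it
    recent = defaultdict(dict)      # mac -> {ip: last time seen}
    flagged = set()                 # MACs already reported for many_ips
    alerts = []
    for ts, ip, mac in sorted(records):
        prev = owner.setdefault(ip, mac)
        if prev != mac:
            alerts.append(("ip_moved", ip, prev, mac))
        seen = recent[mac]
        seen[ip] = ts
        for old in [a for a, t in seen.items() if ts - t > window]:
            del seen[old]           # age out addresses outside the window
        if len(seen) > max_ips and mac not in flagged:
            flagged.add(mac)
            alerts.append(("many_ips", mac, sorted(seen)))
    return alerts

if __name__ == "__main__":
    for alert in watch(parse(SAMPLE)):
        print(alert)
```

The `many_ips` alert fires even when none of the borrowed addresses was previously in use, which is the case that per-IP change tracking alone would miss.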