[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] BlackWorm technical information

To: "Valdis.Kletnieks@xxxxxx" <Valdis.Kletnieks@xxxxxx>
Subject: Re: [Full-disclosure] BlackWorm technical information
From: Mike Owen <kyphros@xxxxxxxxx>
Date: Tue, 24 Jan 2006 12:11:16 -0800

On 1/24/06, Valdis.Kletnieks@xxxxxx <Valdis.Kletnieks@xxxxxx> wrote:
> The *interesting* question is whether it's possible to use this to count
> the *actual* number of affected machines by excluding all the rubberneckers
> that are visiting the page and hitting "refresh" to see the numbers go up.
> Maybe by looking at the Referer or User-Agent values?
>
>

That's what the Snort rule looks for, a connection to that page
without a Referer: tag. Not perfect, but it works well enough.

Mike
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] BlackWorm technical information
  - From: Gadi Evron
- Re: [Full-disclosure] BlackWorm technical information
  - From: ad@xxxxxxxxxxxxxxxx
- Re: [Full-disclosure] BlackWorm technical information
  - From: Valdis . Kletnieks

Prev by Date: Re: [Full-disclosure] BlackWorm technical information
Next by Date: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)
Previous by thread: Re: [Full-disclosure] BlackWorm technical information
Next by thread: [Full-disclosure] BlackWorm naming confusing [CME entry now available]
Index(es):
- Date
- Thread