Q: worm incident timestamps ( No Answer,   1 Comment )
Question  
Subject: worm incident timestamps
Category: Computers > Security
Asked by: sharath78-ga
List Price: $3.00
Posted: 13 Dec 2002 15:26 PST
Expires: 12 Jan 2003 15:26 PST
Question ID: 124398
Hi,
I am looking out for worm incident timestamps on any given host or network of
hosts. The log of timestamps could be anything from a BSM log to a tcpdump file.
I need things like the timestamp when the worm attacked the host, the time it
took to replicate to other hosts, timestamps when resources were accessed on
the host. The worm could be any of the famous worms: Slapper, Code Red,
Ramen or any other famous worm.
Please also note that my interest is in worms (programs that run on the host)
and not viruses (which require human interaction for them to replicate).

Clarification of Question by sharath78-ga on 05 Jan 2003 02:10 PST
As you can see, I am interested in finding out the timestamps when the worm
accessed the system resources as well as network connections to other hosts.
I guess such details would be hidden from router logs.
Similarly, I would expect the web server logs to only have the requests logged.
So if the worm attacked the host through a request, the activity performed on
the host (like accessing password files, sending mails, changing permissions
on files, etc.) would not come up in webserver logs.
As such I am not particular about the actual logs as long as they have
information to this detail. I therefore mentioned BSM and tracedump logs ...
I just guessed that they have such detailed information (with the appropriate
logging level turned up of course). It's no problem if there is extra information
available (hoping that I could parse the logs somehow to extract what I want).
Answer  
There is no answer at this time.

Comments  
Subject: Re: worm incident timestamps
From: rpt-ga on 16 Dec 2002 14:44 PST
Any daemon running that uses logging and that will be victim of the
worm might be used, or better, its logs.
Tcpdump and general TCP wrappers will do if the worm travels the
network.
Example:
the Nimda worm could be traced in:
web server logs
IDS logs
traffic shaper logs
router logs
proxy logs
AV logs,
the works.

What will it be?
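The cross-log correlation the question asks for, as an added example that is not part of the original post or comment: it parses a web server access log and a tcpdump text dump (both constructed sample lines, not a real capture; the addresses, the capture date and the suspicious request path are assumptions), pins the time of the attack request, and measures how long until the victim started opening connections to other web servers.

```python
import re
from datetime import datetime

# Constructed sample data, not a real capture. The web log is in Apache common
# log format; the tcpdump lines are outbound SYNs from the victim host 10.0.0.5.
WEB_LOG = """\
10.0.0.5 - - [13/Dec/2002:15:26:01 -0800] "GET /index.html HTTP/1.0" 200 512
192.0.2.77 - - [13/Dec/2002:15:26:40 -0800] "GET /default.ida?XXXX HTTP/1.0" 200 0
"""
TCPDUMP_LOG = """\
15:26:41.120 IP 10.0.0.5.1034 > 198.51.100.9.80: S 0:0(0) win 8192
15:26:41.355 IP 10.0.0.5.1035 > 198.51.100.10.80: S 0:0(0) win 8192
15:27:02.800 IP 10.0.0.5.1036 > 203.0.113.4.80: S 0:0(0) win 8192
"""

WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d+)')
TCP_RE = re.compile(r'^(\d\d:\d\d:\d\d\.\d+) IP (\S+?)\.(\d+) > (\S+?)\.(\d+): S ')

def parse_web_log(text, suspicious_pattern='/default.ida'):
    """Return (timestamp, source_ip, path) for requests whose path matches the
    pattern. The pattern here is an assumed indicator for the constructed data."""
    hits = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m and suspicious_pattern in m.group(4):
            ts = datetime.strptime(m.group(2), '%d/%b/%Y:%H:%M:%S %z')
            hits.append((ts, m.group(1), m.group(4)))
    return hits

def parse_tcpdump(text, day, host_ip, port='80'):
    """Return (timestamp, destination) for outbound SYNs from host_ip to port.
    tcpdump prints only the time of day, so date and zone are taken from `day`."""
    out = []
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m and m.group(2) == host_ip and m.group(5) == port:
            t = datetime.strptime(m.group(1), '%H:%M:%S.%f').time()
            out.append((datetime.combine(day.date(), t, day.tzinfo), m.group(4)))
    return out

def build_timeline(web_text, tcp_text, host_ip):
    """Correlate the first suspicious request with the host's later outbound scans."""
    attacks = parse_web_log(web_text)
    if not attacks:
        return None
    t_attack, attacker, path = attacks[0]
    spread = [(ts, dst) for ts, dst in parse_tcpdump(tcp_text, t_attack, host_ip)
              if ts >= t_attack]           # only connections after the attack count
    delay = (spread[0][0] - t_attack).total_seconds() if spread else None
    return {'attacked_at': t_attack.isoformat(), 'attacker': attacker, 'path': path,
            'first_spread_after_s': delay, 'targets': [dst for _, dst in spread]}
```

Host-level events (BSM audit records, file accesses) can be merged into the same timeline by parsing them into timezone-aware datetimes and sorting them with these two sources.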
