Snort mailing list archives
RE: Cyberkit signature
From: "Eric Hines" <eric.hines () appliedwatch com>
Date: Sat, 30 Aug 2003 04:25:20 -0500
Erek, I've received over 4,000 of these in the past few hours. It's definitely not ICMP PING Cyberkit 2.2 Windows traffic, which is what your Snort ruleset will identify it as. I've pasted a few packets below, provided by our Applied Watch console.

EVENT INFORMATION:
Alert ID: 369762
Priority: 3
Timestamp: Sat Aug 30 04:24:02 CDT 2003
Signature ID: 483
Message: ICMP PING CyberKit 2.2 Windows

IP HEADER INFORMATION:
Ver: 4   Length: 92    Flags: 0    Checksum: 64097
Hlen: 5  ID: 55669     TTL: 115    Source IP: 66.168.141.28
TOS: 0   Offset: 0     Proto: 1    Dest IP: 66.167.97.94

ICMP PROTOCOL INFORMATION:
Type: 8  Code: 0  Checksum: 27040  ID: 512  Sequence #: 14090

PAYLOAD INFORMATION:
4500 005c d975 0000 7301 fa61 42a8 8d1c 42a7   E..\.u..s..aB...B.
615e 0800 69a0 0200 370a aaaa aaaa aaaa aaaa   a^..i...7.........
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa   ..................
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa   ..................
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa   ..................
aaaa                                           ..

NOTE INFORMATION:

Regards,
Eric Hines
CEO, Chairman

===============================================
Applied Watch Technologies, Inc.
eric.hines () appliedwatch com
-----------------------------------------------
Corporate Headquarters
1650 Carlemont Dr. Suite D
Crystal Lake, IL. 60014
-----------------------------------------------
Direct Toll Free: (877) 262-7593 (x327)
Fax: (815) 425-2173
-----------------------------------------------
Main Switchboard: (877) 262-7593 (9am-5pm CST)
Commercial Sales: (877) 262-7593 (opt1)
Government Sales: (877) 262-7593 (opt2)
===============================================

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Friday, August 22, 2003 12:04 PM
To: djmurd () cox net
Cc: snort-users () lists sourceforge net; intrusions () incidents org
Subject: Re: [Snort-users] Cyberkit signature

On Thu, 21 Aug 2003 djmurd () cox net wrote:
> Hey there - can any of you please point me to some reliable information that says the "cyberkit 2.2" signature is really the Nachia / Welchia worm?
Do you see a ton of them? Are they coming from Win32 based hosts? Then probably yes. :) I forget where, but there was a writeup that had a breakdown of the packets involved. IIRC, there was a particular set of bytes in the ping packet that you could trigger on.
> I need some more ammo in order to block ICMP for our network...
Blocking ICMP is bad, M'kay? </Mr.MackeyVoice> You break MTU-Path discovery and a couple of other things. You can if you want, but it can wreak havoc on Solaris boxes if you're not careful. Consider blocking the ICMP echo request of only the size that the worm uses. It's something odd like 91 bytes I think...

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
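An added example, not code from the thread or from Snort: a small Python classifier that applies the profile visible in the dump above (a 92-byte IPv4 echo request whose 64-byte payload is all 0xAA) so that a filter or alert can target that exact packet shape instead of all ICMP, as Erek suggests. The function names and the contrast packet (placeholder addresses, constructed here) are mine; the Welchia sample is rebuilt byte-for-byte from the hex dump quoted above, and its IP and ICMP checksums verify.

```python
import struct

# Raw IPv4 packet rebuilt from the hex dump quoted above (20-byte IP header,
# 8-byte ICMP echo header, 64 payload bytes of 0xAA; 92 bytes in total).
WELCHIA_PING = bytes.fromhex(
    "4500005cd97500007301fa6142a88d1c42a7615e080069a00200370a" + "aa" * 64
)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by IP and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify_icmp_echo(packet: bytes) -> str:
    """Return 'welchia', 'echo-request', 'not-icmp-echo' or 'malformed'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "malformed"
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1 or total_len > len(packet) or total_len < ihl + 8:
        return "not-icmp-echo"
    icmp = packet[ihl:total_len]
    itype, code, cksum = struct.unpack("!BBH", icmp[:4])
    if itype != 8 or code != 0:
        return "not-icmp-echo"
    # A bad ICMP checksum means a corrupted capture, not a worm signature.
    if inet_checksum(icmp[:2] + b"\x00\x00" + icmp[4:]) != cksum:
        return "malformed"
    payload = icmp[8:]
    # The profile discussed in the thread: a 92-byte echo request whose
    # 64-byte payload is nothing but 0xAA (Windows ping sends 32 bytes of a-w).
    if total_len == 92 and payload == b"\xaa" * 64:
        return "welchia"
    return "echo-request"

def build_echo_request(payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """Constructed echo request for contrast; addresses are placeholders."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp
```

Feeding the quoted packet to classify_icmp_echo returns "welchia", while a default 32-byte Windows ping built with build_echo_request returns "echo-request".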