Snort mailing list archives

Nachi false positives


From: "Martin Jr., D. Michael" <martinm () montevallo edu>
Date: Wed, 29 Oct 2003 10:04:51 -0600

I have been using the rule I've seen out there for detecting the
Nachi/Welchi virus for some time with excellent results.  Lately, for
some reason, I have been getting what appear to be some false positives.
When I trace where the packet was going it goes to 207.188.7.125 which
tracks down to realcomlvs.real.com (Real Player).  Could this be a
natural byproduct of RealPlayer?  Any ideas?

Thanks,

Michael Martin
University of Montevallo
------------
Nachi/Welchi rule:

# Nachi Worm
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg: "ALERT!!! NACHI Infection!!"; content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; dsize:64; itype: 8; icode: 0; classtype:trojan-activity; sid: 10000008; rev: 1;)

-------------
Detection alert/packet:

[**] ALERT!!! NACHI Infection!! [**]
10/29-08:06:16.810618 0:4:76:B7:BB:B -> 0:5:32:DD:B3:FF type:0x800
len:0x6A
10.0.8.227 -> 207.188.7.125 ICMP TTL:1 TOS:0x0 ID:815 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:2816  ECHO
0x0000: 00 05 32 DD B3 FF 00 04 76 B7 BB 0B 08 00 45 00  ..2.....v.....E.
0x0010: 00 5C 03 2F 00 00 01 01 CC 56 0A 00 08 E3 CF BC  .\./.....V......
0x0020: 07 7D 08 00 95 AA 02 00 0B 00 AA AA AA AA AA AA  .}..............
0x0030: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
0x0040: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
0x0050: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
0x0060: AA AA AA AA AA AA AA AA AA AA                    ..........
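As an added example (not code from the post above or from the Snort project), the following Python decodes the hex dump of the alerting frame, re-applies the four tests the posted rule actually performs (itype 8, icode 0, dsize 64, 16 bytes of 0xAA in the payload), and prints the header fields the rule never inspects, such as the TTL of 1 and the ICMP id/seq visible in the dump. It also builds two constructed echo requests (placeholder addresses 10.0.0.1 and 10.0.0.2, not taken from the post) to show which conditions fail for ordinary pings.

```python
"""Re-apply the posted Nachi rule to the alerting frame and to constructed pings.

Added example; not code from the original post or from Snort itself.
"""
import struct

# Hex dump of the alerting frame, copied from the post above (ASCII column dropped).
ALERT_DUMP = """\
0x0000: 00 05 32 DD B3 FF 00 04 76 B7 BB 0B 08 00 45 00
0x0010: 00 5C 03 2F 00 00 01 01 CC 56 0A 00 08 E3 CF BC
0x0020: 07 7D 08 00 95 AA 02 00 0B 00 AA AA AA AA AA AA
0x0030: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
0x0040: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
0x0050: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
0x0060: AA AA AA AA AA AA AA AA AA AA
"""

# The rule's payload tests: "|aa...aa|" is 32 hex digits, i.e. 16 bytes of 0xAA.
RULE_CONTENT = bytes.fromhex("aa" * 16)
RULE_DSIZE = 64
RULE_ITYPE, RULE_ICODE = 8, 0


def parse_dump(text):
    """Turn 'offset: hex bytes' lines into raw frame bytes."""
    raw = bytearray()
    for line in text.strip().splitlines():
        _, _, hexpart = line.partition(":")
        raw.extend(int(tok, 16) for tok in hexpart.split())
    return bytes(raw)


def parse_icmp_frame(frame):
    """Decode Ethernet/IPv4/ICMP headers; returns a dict of fields, or None if not ICMP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", ip[2:6])
    ttl, proto = ip[8], ip[9]
    if proto != 1:  # not ICMP
        return None
    icmp = ip[ihl:total_len]
    ident, seq = struct.unpack("!HH", icmp[4:8])
    return {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "ttl": ttl, "ip_id": ip_id,
        "itype": icmp[0], "icode": icmp[1], "id": ident, "seq": seq,
        "payload": icmp[8:],  # Snort's dsize is the data after the 8-byte echo header
    }


def nachi_rule_matches(fields):
    """Apply itype/icode/dsize/content exactly as the posted rule does."""
    return (fields["itype"] == RULE_ITYPE and fields["icode"] == RULE_ICODE
            and len(fields["payload"]) == RULE_DSIZE
            and RULE_CONTENT in fields["payload"])


def triage(frame):
    """Rule verdict plus the context the rule ignores (TTL, ICMP id/seq, dsize)."""
    fields = parse_icmp_frame(frame)
    if fields is None:
        return {"match": False}
    return {"match": nachi_rule_matches(fields), "src": fields["src"], "dst": fields["dst"],
            "ttl": fields["ttl"], "icmp_id": fields["id"], "icmp_seq": fields["seq"],
            "dsize": len(fields["payload"])}


def _checksum(data):
    """RFC 1071 one's-complement checksum used by both IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_frame(payload, ttl=64):
    """Construct an Ethernet/IPv4/ICMP echo request (constructed input, placeholder addresses)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, ttl, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return b"\x00" * 12 + b"\x08\x00" + ip + icmp


if __name__ == "__main__":
    print(triage(parse_dump(ALERT_DUMP)))                 # match, ttl 1, id 512, seq 2816
    print(triage(build_echo_frame(bytes(range(64)))))     # incrementing data: content fails
    print(triage(build_echo_frame(b"\xaa" * 56)))         # 0xAA data but dsize 56: size fails
```

Running it shows that the posted rule keys only on the payload pattern and size, so any echo request carrying 64 bytes of 0xAA trips it regardless of who sent it; the TTL and ICMP id/seq printed alongside the verdict are the fields an analyst would compare between the worm's sweeps and the RealPlayer-bound packets when deciding whether to tighten the rule.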


