Snort mailing list archives
Re: Nachi false positives
From: Mark Nipper <nipsy () tamu edu>
Date: Wed, 29 Oct 2003 11:03:09 -0600
On 29 Oct 2003, Martin Jr., D. Michael wrote:
> I have been using the rule I've seen out there for detecting the Nachi/Welchi virus for some time with excellent results. Lately, for
>
> ------------
> Nachi/Welchi rule:
> # Nachi Worm
> alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg: "ALERT!!! NACHI Infection!!"; content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; dsize:64; itype: 8; icode: 0; classtype:trojan-activity; sid: 10000008; rev: 1;)
I've been using the same rule here at TAMU and have had reports of false positives with some really old version of Yahoo! pager as well. But it seemingly does not work as an application anymore anyway, so we've just been telling people to uninstall it and download the latest software from Yahoo! if they want to chitty-chat with people. So, as an additional aye, aye, I think there are some false positives, but the benefit outweighs the drawback(s) in my opinion of this particular rule.

Incidentally, it also seemed like the qhost worm was actually making use of the fact that Yahoo! pager was trying to use a specific host name, and qhost (since it modifies DNS settings) was giving Yahoo! pager a bogus IP address where the client would receive a notification of updates via Yahoo! pager, which would automatically download and install, what else but, more worms! :) This was second-hand information but didn't surprise me too much. :)

-- 
Mark Nipper
Computing and Information Services, Texas A&M University
College Station, TX 77843-3142
nipsy () tamu edu
http://ops.tamu.edu/nipsy/
AIM/Yahoo: texasnipsy ICQ: 66971617 MSN: nipsy () tamu edu
(979)575-3193
Current thread:
- Nachi false positives Martin Jr., D. Michael (Oct 29)
- Re: Nachi false positives Mark Nipper (Oct 29)
- Re: Nachi false positives Paul Schmehl (Oct 29)
- <Possible follow-ups>
- RE: Nachi false positives Martin Jr., D. Michael (Oct 30)