Snort mailing list archives
RE: welchia rule
From: "John Impallomeni" <John.Impallomeni () sunh com>
Date: Tue, 4 Nov 2003 14:33:44 -0700
I have used the Cyberkit 2.2 rule; it seems to pick up Welchia. I do get some false positives, but if I get more than 20 alerts within a short time then I know that it is Welchia.

John Impallomeni
Systems Administrator
Sun Healthcare Group
(505) 468-6651
(505) 975-0061 Cel.
john.impallomeni () sunh com

-----Original Message-----
From: Leonard Miller [mailto:Leonard.Miller () udlp com]
Sent: Tuesday, November 04, 2003 1:39 PM
To: snort-users () lists sourceforge net; dortega () uacj mx; Leonard Miller; pauls () utdallas edu
Subject: RE: [Snort-users] welchia rule

Would it matter if the payload was aaaaaaaaaaaaaaaaaaaa and not aaaa aaaa aaaa aaaa? The reason I ask is that I saw on arachNIDS that the rule was a little different and picked up as CyberKit 2.2 Windows.

Thanks
Leonard

Automatically inserted lawyer supplied blurb follows
"Leonard Miller" <Leonard.Miller () udlp com> 11/04/03 12:10PM >>>
Hi, I just started using snort. In order to use this rule, do I just add that to the virus.rules file and enable the rule in snort.conf? If I should start with something a little more simple, let me know.

Thanks
Leonard

Automatically inserted lawyer supplied blurb follows.
"Schmehl, Paul L" <pauls () utdallas edu> 11/04/03 10:44AM >>>
-----Original Message-----
From: David Omar Ortega Aranda [mailto:dortega () uacj mx]
Sent: Monday, November 03, 2003 5:51 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] welchia rule

Do any of you have a good working Welchia virus signature?
# This rule is for tracking Nachi infections
alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!"; content: "|aaaa aaaa aaaa\
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa\
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|"; dsize:64; itype: 8; icode: 0; \
classtype:trojan-activity; sid: 10000008; rev: 1;)

Paul Schmehl (pauls () utdallas edu)
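Added example, not code from anyone in this thread: a small Python script that evaluates the option set of Paul's rule (itype 8, icode 0, dsize 64, hex content) against constructed ICMP echo requests, parses Snort's |..| hex notation to show that the two spellings Leonard asks about (aaaa aaaa ... versus aaaaaaaa...) decode to the same bytes because whitespace inside the pipes is ignored, and applies John's "more than 20 alerts in a short time" heuristic to a constructed alert stream. The 64-byte 0xaa content value, the five-minute window, the packet builder, the alert timestamps and the 10.0.0.x addresses are all assumptions made for the example.

```python
"""Added example (not from the thread): how the Nachi/Welchia Snort rule
options evaluate, and the alert-burst heuristic described in the thread."""
import struct
from datetime import datetime, timedelta


def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort content string. Text between '|' characters is hex;
    whitespace inside the pipes is ignored, so '|aaaa aaaa|' and '|aaaaaaaa|'
    are the same four bytes. Text outside the pipes is taken literally."""
    out = bytearray()
    in_hex = False
    hex_buf = ""
    for ch in content:
        if ch == "|":
            if in_hex:
                if len(hex_buf) % 2:
                    raise ValueError("odd number of hex digits in content")
                out += bytes.fromhex(hex_buf)
                hex_buf = ""
            in_hex = not in_hex
        elif in_hex:
            if not ch.isspace():
                hex_buf += ch
        else:
            out += ch.encode("latin-1")
    if in_hex:
        raise ValueError("unterminated hex block in content")
    return bytes(out)


# Option values transcribed from the rule in the thread; the content string is
# constructed here as 32 groups of "aaaa" (64 bytes of 0xaa), an assumption.
RULE = {
    "itype": 8,
    "icode": 0,
    "dsize": 64,
    "content": "|" + " ".join(["aaaa"] * 32) + "|",
}


def build_icmp(itype: int, icode: int, payload: bytes) -> bytes:
    """Constructed ICMP message: 8-byte header (type, code, checksum=0, id, seq)
    followed by the payload. Checksum is left zero; the rule never tests it."""
    return struct.pack("!BBHHH", itype, icode, 0, 1, 1) + payload


def rule_matches(rule: dict, icmp_packet: bytes) -> bool:
    """All rule options must hold. dsize is the ICMP payload length after the
    8-byte header, and content is a substring match on that payload."""
    if len(icmp_packet) < 8:
        return False
    itype, icode = icmp_packet[0], icmp_packet[1]
    payload = icmp_packet[8:]
    return (
        itype == rule["itype"]
        and icode == rule["icode"]
        and len(payload) == rule["dsize"]
        and snort_content_to_bytes(rule["content"]) in payload
    )


def burst_sources(alerts, threshold=20, window=timedelta(minutes=5)):
    """Sliding-window version of the heuristic from the thread: a source that
    trips the rule more than `threshold` times within `window` is treated as
    infected rather than as a stray CyberKit ping. `alerts` is an iterable of
    (timestamp, source) pairs; returns the set of flagged sources."""
    by_src = {}
    for ts, src in alerts:
        by_src.setdefault(src, []).append(ts)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(src)
                break
    return flagged


def sample_alerts():
    """Constructed alert stream (assumed values): one host firing every second,
    one host pinging occasionally, as a fast-alert log parser would yield."""
    t0 = datetime(2003, 11, 4, 14, 0, 0)
    noisy = [(t0 + timedelta(seconds=i), "10.0.0.5") for i in range(25)]
    quiet = [(t0 + timedelta(minutes=10 * i), "10.0.0.9") for i in range(3)]
    return noisy + quiet


if __name__ == "__main__":
    spaced = snort_content_to_bytes(RULE["content"])
    unspaced = snort_content_to_bytes("|" + "aa" * 64 + "|")
    print("spaced and unspaced content identical:", spaced == unspaced)
    print("echo request, 64 x 0xaa matches:",
          rule_matches(RULE, build_icmp(8, 0, b"\xaa" * 64)))
    print("echo reply does not match:",
          not rule_matches(RULE, build_icmp(0, 0, b"\xaa" * 64)))
    print("sources over the burst threshold:", burst_sources(sample_alerts()))
```

The burst check is what turns a noisy signature into a usable one: a single CyberKit ping still raises an alert, but only a host repeating it faster than the threshold is escalated.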
Current thread:
- welchia rule David Omar Ortega Aranda (Nov 04)
- <Possible follow-ups>
- RE: welchia rule Schmehl, Paul L (Nov 04)
- RE: welchia rule Leonard Miller (Nov 04)
- RE: welchia rule Schmehl, Paul L (Nov 04)
- RE: welchia rule Leonard Miller (Nov 04)
- RE: welchia rule John Impallomeni (Nov 04)
- RE: welchia rule Schmehl, Paul L (Nov 04)
- A tool like swatch Sir Fenix (Nov 06)
- Re: [Snort-sigs] A tool like swatch Matt Kettler (Nov 05)
- Re: Re: [Snort-sigs] A tool like swatch Edin Dizdarevic (Nov 05)
- Re: [Snort-sigs] A tool like swatch Sir Fenix (Nov 06)
- Re: A tool like swatch Jim Brown (Nov 08)
- A tool like swatch Sir Fenix (Nov 06)
- RE: welchia rule Schmehl, Paul L (Nov 04)
- RE: welchia rule Mark . Schutzmann (Nov 05)
- RE: welchia rule Schmehl, Paul L (Nov 05)