Snort mailing list archives

RE: Cyberkit signature


From: "Tony Bunce" <tonyb () go-concepts com>
Date: Fri, 22 Aug 2003 13:42:41 -0400

http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml

explains how to block the Nachia ICMP request

92 bytes in size, content is all AA

Thanks,
Tony B, CCNA, Network+
Systems Administration
GO Concepts, Inc. / www.go-concepts.com
Are you on the GO yet?
What about those you know, are they on the GO?
513.934.2800
1.888.ON.GO.YET


-----Original Message-----
From: Erek Adams [mailto:erek () snort org] 
Sent: Friday, August 22, 2003 1:04 PM
To: djmurd () cox net
Cc: snort-users () lists sourceforge net; intrusions () incidents org
Subject: Re: [Snort-users] Cyberkit signature

On Thu, 21 Aug 2003 djmurd () cox net wrote:

Hey there - can any of you please point me to some reliable information
that says the "cyberkit 2.2" signature is really the Nachia / Welchia worm?

Do you see a ton of them?  Are they coming from Win32 based hosts?  Then
probably yes.  :)  I forget where, but there was a writeup that had a
breakdown of the packets involved.  IIRC, there was a particular set of
bytes in the ping packet that you could trigger on.

I need some more ammo in order to block ICMP for our network...

Blocking ICMP is bad, M'kay?  </Mr.MackeyVoice>

You break MTU-Path discovery and a couple of other things.  You can if you
want, but it can wreak havoc on Solaris boxes if you're not careful.
Consider blocking the ICMP echo request of only the size that the worm
uses.  It's something odd like 91 bytes I think...

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
at the same time. Free trial click
here:http://www.vmware.com/wl/offer/358/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



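The thread's two facts about the worm's ping (a 92-byte datagram, payload all 0xAA) are enough for a size-plus-content match rather than blocking ICMP outright. The following is an added example, not code from either poster or from Cisco: it parses a raw IPv4/ICMP datagram and flags only echo requests that fit that profile. It assumes a standard 20-byte IP header and 8-byte ICMP header (so 64 bytes of 0xAA data); the sample packets are constructed here, not captured.

```python
import struct

ICMP_PROTO = 1
ICMP_ECHO_REQUEST = 8
WORM_TOTAL_LEN = 92   # from the thread: whole IP datagram is 92 bytes
WORM_FILL = 0xAA      # from the thread: ICMP data is all 0xAA


def parse_ipv4(pkt: bytes):
    """Return (protocol, total_len, payload) of an IPv4 datagram, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return None
    return pkt[9], total_len, pkt[ihl:total_len]


def is_worm_ping(pkt: bytes) -> bool:
    """True only for a 92-byte ICMP echo request whose data is entirely 0xAA."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return False
    proto, total_len, icmp = parsed
    if proto != ICMP_PROTO or total_len != WORM_TOTAL_LEN or len(icmp) < 8:
        return False
    if icmp[0] != ICMP_ECHO_REQUEST:
        return False
    data = icmp[8:]
    return len(data) > 0 and all(b == WORM_FILL for b in data)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used to make the samples well-formed."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_echo_request(payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Constructed sample: 20-byte IPv4 header + 8-byte ICMP echo header + payload."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     ICMP_PROTO, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp


WORM_PING = build_echo_request(bytes([WORM_FILL]) * 64)          # 92 bytes, all 0xAA
BENIGN_PING = build_echo_request(b"abcdefghijklmnopqrstuvwabcdefghi")  # typical 32-byte data
SAME_SIZE_PING = build_echo_request(b"\x00" * 64)                 # 92 bytes, not 0xAA
```

The same two conditions map directly onto a Snort rule's `itype`, `dsize` and `content` keywords, which is the narrow match Erek suggests instead of dropping all ICMP.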

