Snort mailing list archives

Re: Cyberkit signature


From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 22 Aug 2003 15:29:22 -0500

--On Thursday, August 21, 2003 10:46:37 AM -0400 djmurd () cox net wrote:

> Hey there - can any of you please point me to some reliable information
> that says the "cyberkit 2.2" signature is really the Nachia / Welchia
> worm?
>
> I need some more ammo in order to block ICMP for our network...

Here's a rule that detects Nachi ICMP traffic:
# This rule is for tracking Nachi infections
alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!"; content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; dsize:64; classtype:trojan-activity; sid: 10000008; rev: 1;)

Bear in mind that it will also pick up switches and routers that are handling the Nachi traffic, but you can separate out the infections because you'll have thousands of hits rather than one or two.

Nachi puts out a 92 byte ICMP type 0 (echo request) packet with a 64 byte payload of "a"'s.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
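An added example, not part of Paul's post or of the Snort project, that applies the same match as the rule above (ICMP only, 64-byte payload containing sixteen 0xaa bytes) to a handful of constructed packets and then does the per-source triage he describes, separating a host that generates many hits from a router or switch that merely forwards a few. The packet builder, the sample addresses and the 20-hit threshold are demo values chosen here; on a real segment the threshold would sit nearer the thousands-of-hits figure in the post. It assumes echo packets carry the standard 8-byte ICMP header (type, code, checksum, id, seq) and a 20-byte IPv4 header, which is how 8 + 64 + 20 gives the 92-byte packet the post mentions.

```python
import socket
import struct
from collections import Counter

# Mirrors the rule's content option: "|aaaa...aa|" is 32 hex digits = 16 bytes of 0xaa.
RULE_CONTENT = b"\xaa" * 16
# Mirrors dsize:64 -> the ICMP payload must be exactly 64 bytes.
RULE_DSIZE = 64
IPPROTO_ICMP = 1


def icmp_checksum(data):
    """Standard one's-complement checksum over the ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src, dst, payload, icmp_type=8, ident=1, seq=1):
    """Constructed IPv4 + ICMP echo packet for the demo (not captured traffic).
    Type 8 is an echo request; the payload is whatever the caller supplies."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, hdr csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_ICMP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp


def parse_packet(raw):
    """Return (src, dst, icmp_type, payload), or None if the packet is not ICMP."""
    ihl = (raw[0] & 0x0F) * 4          # IPv4 header length in bytes
    if raw[9] != IPPROTO_ICMP:
        return None
    src = socket.inet_ntoa(raw[12:16])
    dst = socket.inet_ntoa(raw[16:20])
    icmp = raw[ihl:]
    return src, dst, icmp[0], icmp[8:]  # 8-byte echo header, rest is payload


def matches_nachi_rule(raw):
    """Same decision the Snort rule makes: ICMP, dsize 64, content 16 x 0xaa."""
    parsed = parse_packet(raw)
    if parsed is None:
        return False
    payload = parsed[3]
    return len(payload) == RULE_DSIZE and RULE_CONTENT in payload


def triage(packets, infection_threshold):
    """Count rule hits per source; many hits means an infected host,
    a few means a device that only forwarded the worm's probes."""
    hits = Counter()
    for raw in packets:
        if matches_nachi_rule(raw):
            hits[parse_packet(raw)[0]] += 1
    return {src: ("infected" if n >= infection_threshold else "forwarding-only")
            for src, n in hits.items()}


def sample_traffic():
    """Constructed traffic: one scanning host, one router with a couple of
    forwarded hits, one host doing ordinary pings, and one non-ICMP packet."""
    nachi_payload = b"\xaa" * 64
    pkts = []
    for i in range(50):   # infected host sweeping a subnet
        pkts.append(build_icmp_echo("10.0.0.5", "10.0.1.%d" % (i + 1), nachi_payload, seq=i))
    for i in range(2):    # router seen sourcing just two probes
        pkts.append(build_icmp_echo("10.0.0.1", "10.0.2.%d" % (i + 1), nachi_payload, seq=i))
    for i in range(5):    # benign pings with the usual 56-byte payload
        pkts.append(build_icmp_echo("10.0.0.9", "10.0.0.1", bytes(range(56)), seq=i))
    # same bytes but IP protocol 6 (TCP): the rule is "alert icmp", so no match
    not_icmp = bytearray(build_icmp_echo("10.0.0.7", "10.0.0.8", nachi_payload))
    not_icmp[9] = 6
    pkts.append(bytes(not_icmp))
    return pkts


if __name__ == "__main__":
    for src, verdict in sorted(triage(sample_traffic(), 20).items()):
        print(src, verdict)
```

Running it prints `10.0.0.1 forwarding-only` and `10.0.0.5 infected`; the benign pinger and the non-ICMP packet never reach the counter. The protocol gate in `parse_packet` matters because the rule header is `alert icmp`, so the same bytes inside a TCP segment are not a hit.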

