Snort mailing list archives
Re: Cyberkit signature
From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 22 Aug 2003 15:29:22 -0500
--On Thursday, August 21, 2003 10:46:37 AM -0400 djmurd () cox net wrote:
Hey there - can any of you please point me to some reliable information that says the "cyberkit 2.2" signature is really the Nachia / Welchia worm? I need some more ammo in order to block ICMP for our network...
Here's a rule that detects Nachi ICMP traffic:

# This rule is for tracking Nachi infections
alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!"; content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; dsize:64; classtype:trojan-activity; sid: 10000008; rev: 1;)
Bear in mind that it will also pick up switches and routers that are handling the Nachi traffic, but you can separate out the infections because you'll have thousands of hits rather than one or two.
Nachi puts out a 92 byte ICMP type 0 (echo request) packet with a 64 byte payload of "a"'s.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
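As an added example (not part of the thread and not Paul's rule), the Python below applies the posted rule's matching logic (dsize 64, content of 0xAA bytes, which is what Snort's |..| hex notation means) to constructed raw packets, then applies the reply's hit-count heuristic to separate an infected host from a device that is merely forwarding the traffic. The packet builder, the addresses and the 1000-hit threshold are assumptions for illustration.

```python
import struct
from collections import Counter

# Snort content:"|aa...|" is hex notation, so the rule matches bytes of
# value 0xAA (16 of them in the posted rule), not the ASCII letter "a".
NACHI_CONTENT = bytes.fromhex("aa" * 16)
NACHI_DSIZE = 64  # dsize:64 from the posted rule


def parse_icmp(packet: bytes):
    """Split a raw IPv4+ICMP packet into (src, icmp_type, payload)."""
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length from IHL
    src = ".".join(str(b) for b in packet[12:16])
    icmp = packet[ihl:]
    icmp_type = icmp[0]
    payload = icmp[8:]                      # 8-byte ICMP echo header precedes payload
    return src, icmp_type, payload


def matches_nachi_rule(packet: bytes) -> bool:
    """Same conditions the rule checks: ICMP payload of 64 bytes containing 16 x 0xAA."""
    _, _, payload = parse_icmp(packet)
    return len(payload) == NACHI_DSIZE and NACHI_CONTENT in payload


def classify_sources(packets, threshold: int = 1000) -> dict:
    """Count rule hits per source address. Per the reply, an infected host
    produces thousands of hits; a switch or router handling the traffic, or a
    stray match, produces only a few. The threshold is an assumed value."""
    hits = Counter(parse_icmp(p)[0] for p in packets if matches_nachi_rule(p))
    return {src: ("infected" if n >= threshold else "low-volume")
            for src, n in hits.items()}


def build_echo(src: str, payload: bytes, icmp_type: int = 8) -> bytes:
    """Constructed test packet: minimal 20-byte IPv4 header + 8-byte ICMP echo
    header + payload (ICMP type byte: 8 = echo request, 0 = echo reply).
    Checksums are left as zero; this is sample input, not a packet to send."""
    total = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")), bytes([10, 0, 0, 1]))
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    return ip + icmp + payload
```

With a 64-byte payload the constructed packet is 92 bytes in total, the size quoted in the reply.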