Snort mailing list archives
RE: Cyberkit signature
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 22 Aug 2003 18:28:01 -0500
-----Original Message-----
From: Andrew.Patrick () kemperservices com [mailto:Andrew.Patrick () kemperservices com]
Sent: Friday, August 22, 2003 3:59 PM
To: intrusions () incidents org; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Cyberkit signature

> Nachi puts out a 92 byte ICMP type 0 (echo request) packet with a 64 byte payload of "a"'s.

Nachi sends out ICMP Type 8, Code 0 packets (echo request). Clients that answer it will be sending ICMP Type 0, Code 0 (echo reply). These replies WILL also have the string of "aaaaaaa" in the payload, but seeing a reply does not prove that the system replying is infected. Try to filter on the ICMP Type 8, Code 0 combo AND the "aaaaaa"s in the content...
Thanks, Patrick. I obviously misread the header info when I was analyzing those. Another doh! moment. I've modified the rule to look for "itype: 8; icode: 0;".

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
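The distinction the thread settles on (match the echo request, itype 8 / icode 0, together with the 64-byte "a" payload, and do not alert on the echo replies that carry the same payload) expressed as a standalone Python check. This is an added example, not code from either poster or from Snort; the packets it inspects are constructed inline with assumed addresses and ICMP id/sequence values, and the IPv4 framing reproduces the 92-byte size mentioned in the thread (20-byte IP header + 8-byte ICMP header + 64-byte payload).

```python
import struct

NACHI_PAYLOAD = b"a" * 64          # the 64-byte payload of "a"s described in the thread
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

def inet_checksum(data: bytes) -> int:
    """Ones'-complement checksum used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_packet(icmp_type: int, code: int, payload: bytes,
                      src: str = "10.0.0.1", dst: str = "10.0.0.2") -> bytes:
    """Build a minimal IPv4+ICMP packet (constructed test traffic, not a capture)."""
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, 1) + payload   # assumed id/seq
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp

def parse_icmp(packet: bytes):
    """Return (type, code, payload) for an IPv4 packet carrying ICMP, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:   # protocol 1 = ICMP
        return None
    icmp_type, code = struct.unpack("!BB", packet[ihl:ihl + 2])
    return icmp_type, code, packet[ihl + 8:]

def matches_nachi_probe(packet: bytes) -> bool:
    """Equivalent of the corrected rule: echo request (itype 8, icode 0) AND the 'a' payload.
    An echo reply (type 0) with the same payload is a victim answering, so it must not match."""
    parsed = parse_icmp(packet)
    if parsed is None:
        return False
    icmp_type, code, payload = parsed
    return icmp_type == ICMP_ECHO_REQUEST and code == 0 and payload == NACHI_PAYLOAD

if __name__ == "__main__":
    probe = build_icmp_packet(ICMP_ECHO_REQUEST, 0, NACHI_PAYLOAD)
    reply = build_icmp_packet(ICMP_ECHO_REPLY, 0, NACHI_PAYLOAD)
    print(len(probe), matches_nachi_probe(probe), matches_nachi_probe(reply))
```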