RE: Cyberkit signature

["Schmehl, Paul L" <pauls () utdallas edu>]

> -----Original Message-----
> From: Andrew.Patrick () kemperservices com 
> [mailto:Andrew.Patrick () kemperservices com] 
> Sent: Friday, August 22, 2003 3:59 PM
> To: intrusions () incidents org; snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Cyberkit signature
>
>
>
> > Nachi puts out a 92 byte ICMP type 0 (echo request) packet with a 64 
> > byte payload of "a"'s.
>
> Nachi sends out ICMP Type 8, Code 0 packets (echo request).  
> Clients that answer it will be sending ICMP Type 0, Code 0 
> (echo reply).  These replies WILL also have the string of 
> "aaaaaaa" in the payload, but seeing a reply does not prove 
> that the system replying is infected.  Try to filter on the 
> ICMP Type 8, Code 0 combo AND the "aaaaaa"s in the content...

Thanks, Patrick.  I obviously misread the header info when I was
analyzing those.  Another doh! moment.

I've modified the rule to look for "itype: 8; icode: 0;".

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 


-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
at the same time. Free trial click here:http://www.vmware.com/wl/offer/358/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users