Snort mailing list archives

RE: Cyberkit signature


From: "Smith, Donald" <Donald.Smith () qwest com>
Date: Fri, 22 Aug 2003 11:13:25 -0600

For those of you without full-packet IDSs, a 92-byte ICMP echo request is
a pretty good signature ;-)


Donald.Smith () qwest com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
If !(got packets) then (headers_will_have_2_do == 1)
-----Original Message-----
From: Patrick Dolan [mailto:dolan () cc admin unt edu]
Sent: Friday, August 22, 2003 10:15 AM
To: djmurd () cox net; snort-users () lists sourceforge net;
intrusions () incidents org
Subject: Re: [Snort-users] Cyberkit signature


The signature for the Cyberkit ping looks for an ICMP ping packet with hex AA
characters as the payload.

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; itype:8; depth:32; reference:arachnids,154; sid:483; classtype:misc-activity; rev:2;)

This conveniently is also the payload of the Nachi worm's ping:

0000  00 02 b3 98 eb 43 00 04  c0 f8 29 e4 08 00 45 00   .....C.. ..)...E.
0010  00 5c 5c c1 00 00 7f 01  da 5b 81 78 ca 5e 81 78   .\\..... .[.x.^.x
0020  37 35 08 00 a1 73 02 00  ff 36 aa aa aa aa aa aa   75...s.. .6......
0030  aa aa aa aa aa aa aa aa  aa aa aa aa aa aa aa aa   ........ ........
0040  aa aa aa aa aa aa aa aa  aa aa aa aa aa aa aa aa   ........ ........
0050  aa aa aa aa aa aa aa aa  aa aa aa aa aa aa aa aa   ........ ........
0060  aa aa aa aa aa aa aa aa  aa aa                     ........ ..


On Thursday 21 August 2003 09:46 am, djmurd () cox net wrote:
Hey there - can any of you please point me to some reliable information
that says the "cyberkit 2.2" signature is really the Nachia / Welchia worm?

I need some more ammo in order to block ICMP for our network...
thanks
- djm

Don Murdoch, Systems Engineer



-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a 
single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
at the same time. Free trial click
here:http://www.vmware.com/wl/offer/358/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Patrick Dolan
UNT Information Security

PGP ID: E5571154
Primary key fingerprint: 5681 25E4 6BE6 298E 9CF0  6F8D B13B 2456 E557 1154



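As an added example (not code from either poster), here are the two checks discussed in this thread written out in Python: the sid:483 content match on the ICMP payload, and Donald Smith's header-only "92-byte echo request" heuristic. Both run over the Nachi frame from the hex dump above and over a constructed ordinary ping; it assumes, as Snort does, that the ICMP content match starts after the 8-byte ICMP header, and checksums in the constructed frames are not computed.

```python
# Constructed sample: the Nachi/Welchia echo request from the hex dump quoted
# in this thread (Ethernet + IPv4 + ICMP), re-typed as a byte string.
NACHI_FRAME = bytes.fromhex(
    "0002b398eb43" "0004c0f829e4" "0800"                     # Ethernet: dst, src, IPv4
    "4500005c" "5cc10000" "7f01da5b" "8178ca5e" "81783735"   # IPv4: total length 0x5c = 92
    "0800a173" "0200ff36"                                    # ICMP echo request header
) + b"\xaa" * 64                                             # 64-byte 0xAA payload

# Constructed sample: an ordinary Linux-style ping (56 payload bytes, total
# length 84). Checksums are left as zero; the parser does not validate them.
LINUX_PING_FRAME = bytes.fromhex(
    "0002b398eb43" "0004c0f829e4" "0800"
    "45000054" "00010000" "40010000" "0a000001" "0a000002"
    "08000000" "00010001"
) + bytes(range(56))


def parse_icmp(frame):
    """Return (ip_total_len, icmp_type, icmp_payload), or None if not IPv4/ICMP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # need Ethernet + IPv4 headers
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                                 # header length in bytes
    total_len = int.from_bytes(ip[2:4], "big")
    if ip[9] != 1:                                           # protocol 1 = ICMP
        return None
    icmp = ip[ihl:total_len]
    # Snort's content match for ICMP starts after the 8-byte ICMP header.
    return total_len, icmp[0], icmp[8:]


def matches_sid_483(frame):
    """sid:483 as quoted above: itype:8 and 16 x 0xAA within the first 32 payload bytes."""
    parsed = parse_icmp(frame)
    if parsed is None:
        return False
    _, itype, payload = parsed
    return itype == 8 and b"\xaa" * 16 in payload[:32]


def matches_92_byte_heuristic(frame):
    """Header-only heuristic from the thread: an echo request with IP total length 92."""
    parsed = parse_icmp(frame)
    return parsed is not None and parsed[1] == 8 and parsed[0] == 92
```

Note that the content match fires on any echo request carrying 16 consecutive 0xAA bytes early in the payload, CyberKit itself included, while the length heuristic fires on any 92-byte echo request regardless of payload; the two are most useful together.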

