Snort mailing list archives
Re: Welchia/Nachi rule
From: "Gabriel L. Somlo" <somlo () acns colostate edu>
Date: Thu, 6 Nov 2003 15:33:54 -0700
From: "Schmehl, Paul L" <pauls () utdallas edu>

> Yesterday I posted a new version of my rule for this worm. The rule works
> with snort 2.0.2 or better and takes advantage of the new thresholding
> keyword to eliminate "false positives".
Paul,

Thanks for posting the Welchia rule! Here's a shell script I wrote to pull the culprits' IPs from the database. I cron'ed it to send me email every 24 hours, and then I turn around and harass the machines' owners :) Thought it might come in handy for other folks...

#!/bin/bash
#
# list nachi events by source ip
# Gabriel L. Somlo, 11/06/2003
#

# signature name (the msg: of Paul's rule) as stored in the ACID 'signature' table
SIG="ALERT!!! NACHI Infection!!"

# delete alerts after reporting
DELETE="yes"

# information required to connect to the database:
DATABASE=snort
USER=foo
PASSWORD=bar

# the mysql command line
# (note: a password passed with -p is visible to other local users in the
# process list; keeping it in a mode-0600 ~/.my.cnf instead avoids that)
MYSQL="/usr/bin/mysql ${DATABASE} -u${USER} -p${PASSWORD}"

# query for signature ID
SIGQUERY="select sig_id from signature where sig_name = '${SIG}';"

# get internal signature id (tail -n +2 drops mysql's column-header line)
SIGID=$(echo "${SIGQUERY}" | ${MYSQL} | tail -n +2)

# nothing to do if the signature has never fired
if [ -z "${SIGID}" ]; then
    echo "no '${SIG}' events in database" >&2
    exit 0
fi

# query for listing by source IP
LISTQUERY="select ip_src, count(cid) from acid_event where signature=${SIGID} group by ip_src;"

# process list query
# ip_src is stored as an unsigned 32-bit integer; shift and mask out the
# four octets (the old bc/hex-substring trick lost the leading zero and
# mangled any address whose first octet is below 16, e.g. 10.x.x.x)
printf "%-15s %20s\n" "Source" "Approx. Packets"
echo "${LISTQUERY}" | ${MYSQL} | tail -n +2 | while read IPNUM EVTC; do
    IP="$(( IPNUM >> 24 & 255 )).$(( IPNUM >> 16 & 255 )).$(( IPNUM >> 8 & 255 )).$(( IPNUM & 255 ))"
    # each thresholded alert stands for roughly 500 packets
    APPX_PCKTS=$(( EVTC * 500 ))
    printf "%-15s %20d\n" "${IP}" "${APPX_PCKTS}"
done | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n

# quit now if we don't want to delete them from the database
if [ ! "${DELETE}" = "yes" ]; then
    exit 0
fi

# query for deleting events
DELQUERY="select sid, cid from event where signature = ${SIGID};"

# process delete query: remove each (sid, cid) from every table that holds a
# row for it, so the ACID console is not left with dangling references
echo "${DELQUERY}" | ${MYSQL} | tail -n +2 | while read SID CID; do
    DELQ="delete from acid_ag_alert where ag_sid=${SID} and ag_cid=${CID};"
    for T in iphdr tcphdr udphdr icmphdr opt data event acid_event; do
        DELQ="${DELQ} delete from ${T} where sid=${SID} and cid=${CID};"
    done
    echo "${DELQ}" | ${MYSQL}
done

Enjoy,
Gabriel
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
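The two parts of Gabriel's script that are easy to get wrong are the lookup of the signature (the name is spliced straight into the SQL text) and the conversion of ACID's integer ip_src column back to a dotted quad (a hex-string approach without zero padding breaks for any address whose first octet is below 16, such as 10.0.0.1). The following is an added example, not Gabriel's or the Snort/ACID project's code: it redoes the report in Python against an in-memory sqlite3 database with constructed sample rows, so it runs without a MySQL server, binds the signature name as a parameter, and converts ip_src by shift-and-mask. The schema is reduced to the two tables and four columns the shell script actually reads (signature.sig_id, signature.sig_name, acid_event.sid/cid/signature/ip_src); the real ACID schema has the other per-event tables the script deletes from, which are omitted here, so the delete step only clears acid_event.

```python
"""Report Nachi/Welchia alerts by source IP from an ACID-style alert table.

Added example, not the script posted on the list.  An in-memory sqlite3
database with constructed sample rows stands in for the MySQL 'snort'
database; only the columns the shell script touches are modelled.
"""
import sqlite3

# Signature text used by the posted script (the msg: of Paul's rule).
SIG_NAME = "ALERT!!! NACHI Infection!!"

# Approximate packets per thresholded alert, as the posted script assumes.
PACKETS_PER_EVENT = 500


def int_to_ip(n):
    """Turn ACID's unsigned 32-bit ip_src into dotted-quad form.

    Shift-and-mask handles every value.  A hex-string approach that does not
    zero-pad to 8 digits fails when the first octet is below 16: 10.0.0.1 is
    0x0A000001, which bc prints as A000001 (7 digits), so fixed-width
    substrings pick out the wrong octets.
    """
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("ip_src out of 32-bit range: %r" % n)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ip_to_int(ip):
    """Inverse of int_to_ip; used only to build the constructed sample data."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % ip)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def build_sample_db():
    """Constructed sample data; not taken from any real sensor."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
        CREATE TABLE acid_event (sid INTEGER, cid INTEGER,
                                 signature INTEGER, ip_src INTEGER);
    """)
    db.execute("INSERT INTO signature VALUES (1, ?)", (SIG_NAME,))
    db.execute("INSERT INTO signature VALUES (2, 'ICMP PING')")
    rows = [(1, 1, 1, ip_to_int("10.0.0.1")),      # first octet < 16
            (1, 2, 1, ip_to_int("10.0.0.1")),
            (1, 3, 1, ip_to_int("192.168.7.42")),
            (1, 4, 2, ip_to_int("192.168.7.42")),  # other signature, not counted
            (1, 5, 1, ip_to_int("172.16.0.9"))]
    db.executemany("INSERT INTO acid_event VALUES (?, ?, ?, ?)", rows)
    db.commit()
    return db


def nachi_report(db, sig_name=SIG_NAME, delete=False):
    """Return {dotted_ip: approx_packets} for one signature name.

    The signature name is a bound parameter instead of being spliced into
    the SQL text as the shell script does with ${SIG}.  With delete=True the
    reported events are removed in one transaction after the report is built.
    """
    row = db.execute("SELECT sig_id FROM signature WHERE sig_name = ?",
                     (sig_name,)).fetchone()
    if row is None:          # signature never fired: nothing to report
        return {}
    sig_id = row[0]
    counts = db.execute(
        "SELECT ip_src, COUNT(cid) FROM acid_event WHERE signature = ? "
        "GROUP BY ip_src ORDER BY ip_src", (sig_id,)).fetchall()
    report = {int_to_ip(ip): n * PACKETS_PER_EVENT for ip, n in counts}
    if delete:
        with db:             # commit on success, roll back on error
            db.execute("DELETE FROM acid_event WHERE signature = ?", (sig_id,))
    return report


def remaining_events(db):
    """Number of rows left in acid_event (to check the delete step)."""
    return db.execute("SELECT COUNT(*) FROM acid_event").fetchone()[0]


if __name__ == "__main__":
    sample = build_sample_db()
    print("%-15s %20s" % ("Source", "Approx. Packets"))
    for ip, pkts in nachi_report(sample, delete=True).items():
        print("%-15s %20d" % (ip, pkts))
```

Ordering by the integer ip_src gives numeric octet order for free, which is what the script's `sort -t. -k1,1n ...` pipeline reconstructs after the fact.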
Current thread:
- Welchia/Nachi rule Schmehl, Paul L (Nov 05)
- <Possible follow-ups>
- Re: Welchia/Nachi rule Gabriel L. Somlo (Nov 06)