Snort mailing list archives

Re: Welchia/Nachi rule


From: "Gabriel L. Somlo" <somlo () acns colostate edu>
Date: Thu, 6 Nov 2003 15:33:54 -0700

From: "Schmehl, Paul L" <pauls () utdallas edu>

Yesterday I posted a new version of my rule for this worm.  The rule
works with snort 2.0.2 or better and takes advantage of the new
thresholding keyword to eliminate "false positives".

Paul,

Thanks for posting the Welchia rule!

Here's a shell script I wrote to pull the culprits' IPs from the
database. I cron'ed it to send me email every 24 hours, and then I
turn around and harass the machines' owners :)

Thought it might come in handy for other folks...


#!/bin/bash
#
# list nachi events by source ip
# Gabriel L. Somlo, 11/06/2003
#

SIG="ALERT!!! NACHI Infection!!"

# delete alerts after reporting
DELETE="yes"

# information required to connect to the database:
DATABASE=snort
USER=foo
PASSWORD=bar

# the mysql command line
# note: a password passed with -p is visible to other local users in the
# process list while mysql runs; a [client] section in ~/.my.cnf that only
# this user can read avoids that
MYSQL="/usr/bin/mysql ${DATABASE} -u${USER} -p${PASSWORD}"

# query for signature ID
SIGQUERY="select sig_id from signature where sig_name = '${SIG}';\n"

# get internal signature id (tail drops the column header line)
SIGID=$(echo -e "${SIGQUERY}" | ${MYSQL} | tail -n +2)

# bail out if the signature is unknown; the queries below would be malformed
if [ -z "${SIGID}" ]; then
  echo "signature '${SIG}' not found in database ${DATABASE}" >&2
  exit 1
fi

# query for listing by source IP
LISTQUERY="select distinct ip_src, count(acid_event.cid) from acid_event where signature=${SIGID} group by ip_src;\n"

# process list query
printf "%-15s %20s\n" "Source" "Approx. Packets"
echo -e "${LISTQUERY}" | ${MYSQL} | tail -n +2 | while read IPNUM EVTC; do
  # ip_src is stored as an unsigned 32-bit integer; zero-pad to 8 hex digits
  # so the two-digit slices below stay aligned when the first octet is < 16
  HX=$(printf "%08X" "${IPNUM}")
  IP=$(echo "ibase=16; print ${HX:0:2},\".\",${HX:2:2},\".\",${HX:4:2},\".\",${HX:6:2}" | bc)
  APPX_PCKTS=$(echo "${EVTC}*500" | bc)
  printf "%-15s %20d\n" "${IP}" "${APPX_PCKTS}"
done | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n

# quit now if we don't want to delete them from the database
if [ ! "${DELETE}" = "yes" ]; then
  exit 0
fi

# query for deleting events
DELQUERY="select sid, cid from event where signature = ${SIGID};\n"
# process delete query
echo -e "${DELQUERY}" | ${MYSQL} | tail -n +2 | while read SID CID; do
  # build one batch of deletes per event; use a separate variable so the
  # DELETE flag above is not clobbered
  DELSQL="delete from acid_ag_alert where ag_sid=${SID} and ag_cid=${CID};\n"
  for T in iphdr tcphdr udphdr icmphdr opt data event acid_event; do
    DELSQL="${DELSQL}delete from ${T} where sid=${SID} and cid=${CID};\n"
  done
  echo -e "${DELSQL}" | ${MYSQL}
done


Enjoy,

Gabriel
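
An added example, not part of Gabriel's post: the ip_src-to-dotted-quad conversion and the per-source report from the script above, reworked in plain shell arithmetic instead of bc and fed constructed rows (the columns the list query returns once the header line is dropped), so the conversion, the 500-packets-per-alert estimate and the octet sort can be checked without a Snort database.

```shell
#!/bin/bash
# Added example (not from the original post): offline check of the report
# logic. The Snort/ACID schema stores ip_src as an unsigned 32-bit integer,
# which MySQL prints as a decimal number.

# Convert a 32-bit integer to dotted quad with shell arithmetic. Unlike
# slicing a hex string, this needs no zero-padding when the first octet
# is below 16 (e.g. 10.x.x.x).
ipnum_to_dotted() {
  n=$1
  printf '%d.%d.%d.%d' $(( n >> 24 & 255 )) $(( n >> 16 & 255 )) \
                       $(( n >> 8 & 255 ))  $(( n & 255 ))
}

# Read "ip_src event_count" rows from stdin and emit
# "dotted_ip approx_packets", sorted numerically octet by octet.
# The factor 500 is the original script's packets-per-alert estimate.
nachi_report() {
  while read -r ipnum evtc; do
    printf '%-15s %20d\n' "$(ipnum_to_dotted "$ipnum")" $(( evtc * 500 ))
  done | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# Constructed sample rows (ip_src as stored, number of alerts):
# 3232235777 = 192.168.1.1, 167772161 = 10.0.0.1, 2130706433 = 127.0.0.1
sample_rows() {
  printf '3232235777\t3\n167772161\t12\n2130706433\t1\n'
}

printf '%-15s %20s\n' "Source" "Approx. Packets"
sample_rows | nachi_report
```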
