Snort mailing list archives

Re: Nachi false positives


From: Mark Nipper <nipsy () tamu edu>
Date: Wed, 29 Oct 2003 11:03:09 -0600

On 29 Oct 2003, Martin Jr., D. Michael wrote:
I have been using the rule I've seen out there for detecting the
Nachi/Welchi virus for some time with excellent results.  Lately, for
------------
Nachi/Welchi rule:

# Nachi Worm
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ALERT!!! NACHI Infection!!"; \
    content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; dsize:64; itype:8; icode:0; \
    classtype:trojan-activity; sid:10000008; rev:1;)

        I've been using the same rule here at TAMU and have had
reports of false positives with some really old version of Yahoo!
pager as well.  But it seemingly does not work as an application
anymore anyway, so we've just been telling people to uninstall it
and download the latest software from Yahoo! if they want to
chitty-chat with people.  So, as an additional aye, aye, I think
there are some false positives, but the benefit outweighs the
drawback(s) in my opinion of this particular rule.

        Incidentally, it also seemed like the qhost worm was
actually making use of the fact that Yahoo! pager was trying to
use a specific host name, and qhost (since it modifies DNS
settings) was giving Yahoo! pager a bogus IP address where the
client would receive a notification of updates via Yahoo! pager,
which would automatically download and install, what else but,
more worms!  :)  This was second-hand information but didn't
surprise me too much.  :)

-- 
Mark Nipper                                                e-contacts:
Computing and Information Services                      nipsy () tamu edu
Texas A&M University                        http://ops.tamu.edu/nipsy/
College Station, TX 77843-3142     AIM/Yahoo: texasnipsy ICQ: 66971617
(979)575-3193                                      MSN: nipsy () tamu edu

-----BEGIN GEEK CODE BLOCK-----
GG/IT d- s++:+ a- C++$ UBL+++$ P--->+++ L+++$ E---
W++ N+ o K++ w(---) O++ M V(--) PS+++(+) PE(--) Y+
PGP++(+) t 5 X R tv b+++ DI+(++) D+ G e h r++ y+(**)
------END GEEK CODE BLOCK------

---begin random quote of the moment---
I cannot tolerate intolerant people.
----end random quote of the moment----
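As an added illustration (not code from the thread or from Snort itself), the four checks that the quoted rule performs, applied in Python to constructed ICMP datagrams so the match and non-match cases can be seen side by side. The packet builder and the sample payloads are my own test fixtures, not captured traffic; dsize is taken to mean the data after the 8-byte ICMP header, which is how Snort counts it for ICMP.

```python
import struct

# Detection conditions from the Nachi/Welchia rule quoted in the thread:
# ICMP echo request (itype 8, icode 0), dsize 64, and the content string below.
RULE_CONTENT_HEX = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"   # copied from the content:"|...|" field
NACHI_PATTERN = bytes.fromhex(RULE_CONTENT_HEX)
NACHI_DSIZE = 64   # Snort's dsize for ICMP is the data after the 8-byte ICMP header


def icmp_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over the ICMP header and data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(itype: int, data: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Construct an ICMP echo request (8) or reply (0) datagram: test fixture only."""
    header = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + data


def matches_nachi_rule(datagram: bytes) -> bool:
    """Apply the rule's itype/icode/dsize/content checks to one raw ICMP datagram."""
    if len(datagram) < 8:
        return False
    itype, icode = struct.unpack("!BB", datagram[:2])
    data = datagram[8:]
    return itype == 8 and icode == 0 and len(data) == NACHI_DSIZE and NACHI_PATTERN in data


def count_alerts(datagrams) -> int:
    """Return how many of the given datagrams would fire the rule."""
    return sum(1 for d in datagrams if matches_nachi_rule(d))


# Constructed samples: a Nachi-style ping, an ordinary 56-byte ping, a same-payload
# echo reply (wrong itype), and a ping carrying the pattern but the wrong dsize.
NACHI_PING = build_echo(8, b"\xaa" * 64)
NORMAL_PING = build_echo(8, bytes(range(0x08, 0x08 + 56)))   # typical ping(8) data bytes
NACHI_REPLY = build_echo(0, b"\xaa" * 64)
SHORT_AA_PING = build_echo(8, b"\xaa" * 32)
```

Only NACHI_PING fires; the reply and the 32-byte variant show that itype and dsize, not just the 0xAA content, are what keep the rule narrow.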

