Snort mailing list archives

Re: Nachi false positives

From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 29 Oct 2003 20:52:03 -0600

--On Wednesday, October 29, 2003 10:04 AM -0600 "Martin Jr., D. Michael"<martinm () montevallo edu> wrote:

I have been using the rule I've seen out there for detecting the
Nachi/Welchi virus for some time with excellent results.  Lately, for
some reason, I have been getting what appear to be some false positives.
When I trace where the packet was going it goes to 207.188.7.125 which
tracks down to realcomlvs.real.com (Real Player).  Could this be a
natural byproduct of RealPlayer?  Any ideas?

I wrote that rule, and I've been getting "false positives" with it allalong. The reason for that is that Nachi uses the built-in ping functionof Windows, so many things could trigger it. The difference between an fpand an infection is obvious, however, because infections will generatepackets at a very high rate, on the order of 150,000 to 250,000 per hour.

If you're using snort 2.02, you could write some thresholding bits into therule that would fix those. I'm still on 2.0 (hopefully not much longer,just too darn many fires to put out), so I haven't fiddled with it yet.I'm not real familiar with the thresholding rules yet, but I suspectsomething on the order of 500 alerts in 60 seconds would eliminateeverything but infections.

It looks like you could add "threshold: type limit, track by_src, count500, seconds 60;" added to the rule might suppress everything but realinfections. You could probably lower count to 250 and still not get anyfps. (A "normal" infection would generate around 2500 alerts a minute ormore.)


Erek, correct me if I'm wrong on the syntax.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Nachi false positives Martin Jr., D. Michael (Oct 29)
- Re: Nachi false positives Mark Nipper (Oct 29)
- Re: Nachi false positives Paul Schmehl (Oct 29)
- <Possible follow-ups>
- RE: Nachi false positives Martin Jr., D. Michael (Oct 30)