RE: welchia rule

["Schmehl, Paul L" <pauls () utdallas edu>]

> -----Original Message-----
> From: Leonard Miller [mailto:Leonard.Miller () udlp com] 
> Sent: Tuesday, November 04, 2003 2:39 PM
> To: snort-users () lists sourceforge net; dortega () uacj mx; 
> Leonard Miller; Schmehl, Paul L
> Subject: RE: [Snort-users] welchia rule
>
> Would it matter if the payload was aaaaaaaaaaaaaaaaaaaa
> and not aaaa aaaa aaaa aaaa 
> The reason I ask is that I saw on arachNIDS that the rule was 
> a little different and picked up as CyberKit 2.2 Windows

Not really.  It's just convention to separate them that way.  It makes
it easier to read the hex when it varies.

BTW, I just upgraded a snort box to 2.0.2 and edited the rule to include
thresholding.  It's working great and appears to have eliminated all
"false positives", AFAICT.

Here it is:

# This rule is for tracking Nachi infections
alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!";\
 content: "|aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa\
 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa\
 aaaa aaaa aaaa aaaa aaaa|"; dsize:64; itype: 8; icode: 0; threshold:\
 type limit, track by_src, count 500, seconds 60;
classtype:trojan-activity;\
 sid: 10000008; rev: 2;)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users