Snort mailing list archives
RE: welchia rule, nachie and CyberKit 2.2
From: "Jason Truong" <JasonT () plumtree com>
Date: Tue, 4 Nov 2003 14:52:15 -0800
I guess I am a bit confused here. I have this Nachi rule in place:

    alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg: "ALERT!!! NACHI Infection!!"; content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; dsize:64; itype: 8; icode: 0; classtype:trojan-activity; sid: 10000008; rev: 1;)

It works great and does pick up Nachi when it sees it. However, I also see these alerts in Snort and ACID:

    [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    [Classification: Misc activity] [Priority: 3]
    11/04-14:40:35.833076 208.245.23.183 -> 10.1.140.12
    ICMP TTL:117 TOS:0x0 ID:27649 IpLen:20 DgmLen:92
    Type:8 Code:0 ID:512 Seq:21994 ECHO
    [Xref => http://www.whitehats.com/info/IDS154]

Are these false alerts, or is this something that requires immediate attention? I looked a bit at the archived mailing lists, and some people have mentioned that this alert is related to the after-effects of Nachi, Blaster and Welchia.

Thanks, and I hope that I am not the only one confused here.

Jason T.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
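Two details in the post are worth checking mechanically rather than by eye. First, the CyberKit alert's header fields (IpLen:20, DgmLen:92) leave 92 - 20 - 8 = 64 bytes of ICMP data, which is exactly the dsize:64 the poster's Nachi rule keys on, so the two signatures are looking at the same shape of echo request (as I recall, the stock 1:483 CyberKit rule also matches on a leading run of 0xAA bytes in the payload, the same pattern the poster's content match uses). Second, the poster's rule is written $HOME_NET -> $EXTERNAL_NET, so it can only fire on outbound pings; the CyberKit alert shows an inbound one (208.245.23.183 -> 10.1.140.12), which the Nachi rule would never see. The following Python is an added example, not code from the post or from Snort: it builds constructed IPv4/ICMP echo packets with the same header values as the alert, parses them back into the fields Snort prints, and applies the poster's rule logic. The HOME_NET value (10.0.0.0/8), the constructed payloads and all function names are assumptions made for the example.

```python
"""Added example: replay the post's Nachi rule and the dsize arithmetic behind the
CyberKit alert on constructed packets. Not part of the original post or of Snort."""
import ipaddress
import struct

# Assumption: the poster's $HOME_NET; 10.1.140.12 from the alert falls inside it.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
IP_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
ICMP_HDR = "!BBHHH"        # type, code, checksum, id, seq

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used for both the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(src, dst, payload, ttl=117, ip_id=27649, icmp_id=512, seq=21994):
    """Construct an IPv4 datagram carrying an ICMP echo request (type 8, code 0).
    Default header values are the ones printed in the CyberKit alert."""
    icmp = struct.pack(ICMP_HDR, 8, 0, 0, icmp_id, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(icmp), ip_id, 0, ttl, 1, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp

def parse(pkt: bytes) -> dict:
    """Recover the fields Snort prints in its alert header plus the ICMP payload."""
    ver_ihl, _tos, dgmlen, _id, _frag, ttl, proto, _ck, src, dst = struct.unpack(IP_HDR, pkt[:20])
    iplen = (ver_ihl & 0x0F) * 4
    icmp = pkt[iplen:dgmlen]
    itype, icode, _ck, icmp_id, seq = struct.unpack(ICMP_HDR, icmp[:8])
    payload = icmp[8:]
    return {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "proto": proto, "ttl": ttl, "iplen": iplen, "dgmlen": dgmlen,
            "itype": itype, "icode": icode, "id": icmp_id, "seq": seq,
            "dsize": len(payload), "payload": payload}

def dsize_from_header(dgmlen: int, iplen: int) -> int:
    """Snort's dsize for ICMP = total datagram length - IP header - 8-byte ICMP header.
    For the alert in the post: 92 - 20 - 8 = 64."""
    return dgmlen - iplen - 8

def nachi_rule_matches(f: dict) -> bool:
    """The poster's rule:
    alert icmp $HOME_NET any -> $EXTERNAL_NET any
      (content:"|aa x16|"; dsize:64; itype:8; icode:0;)
    Note the direction: only HOME -> EXTERNAL traffic is examined."""
    if f["proto"] != 1:
        return False
    src_home = ipaddress.ip_address(f["src"]) in HOME_NET
    dst_home = ipaddress.ip_address(f["dst"]) in HOME_NET
    if not (src_home and not dst_home):
        return False
    return (f["itype"] == 8 and f["icode"] == 0 and f["dsize"] == 64
            and b"\xaa" * 16 in f["payload"])

# Constructed sample traffic (not captured data):
WORM_PAYLOAD = b"\xaa" * 64                             # 64 bytes of 0xAA
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"      # stock 32-byte Windows ping data
OUTBOUND = build_echo("10.1.140.12", "208.245.23.183", WORM_PAYLOAD)
INBOUND = build_echo("208.245.23.183", "10.1.140.12", WORM_PAYLOAD)   # direction of the alert
NORMAL = build_echo("10.1.140.12", "208.245.23.183", WINDOWS_PING)

if __name__ == "__main__":
    for name, pkt in (("outbound 0xAA", OUTBOUND), ("inbound 0xAA", INBOUND), ("normal ping", NORMAL)):
        f = parse(pkt)
        print(f"{name:14s} {f['src']} -> {f['dst']} IpLen:{f['iplen']} DgmLen:{f['dgmlen']} "
              f"dsize:{f['dsize']} nachi_rule={nachi_rule_matches(f)}")
```

Running it shows the constructed outbound packet matching the Nachi rule with DgmLen:92, the inbound packet with the identical payload not matching because of the rule's direction, and an ordinary Windows ping failing both the dsize and content checks. If the goal is to catch the same pattern in both directions, the rule needs either a second copy with the addresses swapped or a bidirectional `<>` operator; deciding whether the inbound pings are worth chasing is a question of which external hosts are sending them, which the example does not answer.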
Current thread:
- RE: welchia rule, nachie and CyberKit 2.2 Jason Truong (Nov 04)