Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: welchia rule, nachie and CyberKit 2.2

From: "Jason Truong" <JasonT () plumtree com>
Date: Tue, 4 Nov 2003 14:52:15 -0800

I guess I am a bit confused here.  I have this Nachi rule in place:

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg: "ALERT!!! NACHI Infection!!"; content: 
"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; dsize:64; itype: 8; icode: 0; classtype:trojan-activity; sid: 10000008; rev: 1;)

It works great and does pick up Nachi when it sees it.
However, I also see these alerts in Snort and Acid

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
11/04-14:40:35.833076 208.245.23.183 -> 10.1.140.12
ICMP TTL:117 TOS:0x0 ID:27649 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:21994  ECHO
[Xref => http://www.whitehats.com/info/IDS154]

Are these false alerts or is this something that is requires immediate attention to?  I look a bit on the archived 
mailing lists and some people have mentioned that is alert is relative to the after effects of Nachi, Blaster and 
Welchia.

Thanks and I hope that I am not the only confused here.

Jason T.


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: