Snort mailing list archives

RE: welchia rule


From: Mark.Schutzmann () Omron com
Date: Wed, 5 Nov 2003 09:54:49 -0600


Paul,

This is an excellent rule; I also immediately detected a couple of rogue
computers. Thanks for sharing. Is there a way to (or how did you) determine
how many packets/hits per second/minute an event is triggering on the
Snort rule?

Thanks,
 Mark


"Schmehl, Paul L" <pauls () utdallas edu>
Sent by: snort-users-admin () lists sourceforge net
11/04/2003 04:11 PM

To:      "Leonard Miller" <Leonard.Miller () udlp com>, <snort-users () lists sourceforge net>, <dortega () uacj mx>
cc:
Subject: RE: [Snort-users] welchia rule




-----Original Message-----
From: Leonard Miller [mailto:Leonard.Miller () udlp com]
Sent: Tuesday, November 04, 2003 2:39 PM
To: snort-users () lists sourceforge net; dortega () uacj mx;
Leonard Miller; Schmehl, Paul L
Subject: RE: [Snort-users] welchia rule


Would it matter if the payload was aaaaaaaaaaaaaaaaaaaa
and not aaaa aaaa aaaa aaaa?
The reason I ask is that I saw on arachNIDS that the rule was
a little different and picked up as CyberKit 2.2 Windows.

No sooner had I sent the updated rule than I began to see some alerts for
non-infected boxes, so I upped the "count" value to 1000.  An infected
box will generate 2500 alerts a minute or more, so it could be moved
higher.  I'm just trying to be conservative.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
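Added example, not part of the thread and not Paul's rule: one way to get the per-minute hit rate Mark asks about is to count Snort's fast-alert output per source address, then compare it with a count/seconds threshold like the "count 1000" Paul mentions (an infected host at his 2500 alerts/minute clears it easily, a box that trips the rule a few times does not). The SID, message text, addresses and the sample alert lines below are constructed for illustration; the line layout is Snort's alert_fast format.

```python
"""Count Snort alert_fast hits per source per minute and flag sources whose
rate exceeds a count/seconds threshold (e.g. count 1000 in 60 seconds)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# alert_fast layout: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]"
# IPv4 only; ports (TCP/UDP alerts) are accepted and discarded.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
    r"\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$"
)


def parse_alert(line, year=2003):
    """Parse one alert_fast line; returns None for lines that do not match.
    alert_fast carries no year, so the caller supplies it."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": int(m["sid"]), "msg": m["msg"],
            "proto": m["proto"], "src": m["src"], "dst": m["dst"]}


def hits_per_minute(lines, sid=None):
    """Counter keyed by (src, minute) of matching alerts, optionally one SID only."""
    counts = Counter()
    for line in lines:
        a = parse_alert(line)
        if a is None or (sid is not None and a["sid"] != sid):
            continue
        counts[(a["src"], a["ts"].replace(second=0, microsecond=0))] += 1
    return counts


def peak_minute_rate(lines, sid=None):
    """Per source, the busiest single minute (alerts/minute)."""
    peaks = {}
    for (src, _minute), n in hits_per_minute(lines, sid).items():
        peaks[src] = max(peaks.get(src, 0), n)
    return peaks


def sources_over_threshold(lines, count, seconds, sid=None):
    """Sources with at least `count` alerts inside some `seconds`-long sliding
    window. This approximates what a count/seconds rule threshold keys on; it
    is not a reimplementation of Snort's threshold types."""
    by_src = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a is None or (sid is not None and a["sid"] != sid):
            continue
        by_src[a["src"]].append(a["ts"])
    window = timedelta(seconds=seconds)
    flagged = {}
    for src, stamps in by_src.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] >= window:   # drop alerts older than the window
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= count:
            flagged[src] = peak
    return flagged


def make_alert(ts, src, dst, sid=1000001, msg="ICMP Welchia-style sweep"):
    """Build a constructed alert_fast line (SID and message are invented)."""
    return (f"{ts:%m/%d-%H:%M:%S.%f}  [**] [1:{sid}:1] {msg} [**] "
            f"[Classification: Misc activity] [Priority: 3] {{ICMP}} {src} -> {dst}")


def build_sample():
    """Constructed sample: one host sweeping 40 addresses/second for a minute
    (2400 alerts) and one quiet host that trips the rule three times."""
    t0 = datetime(2003, 11, 4, 14, 39, 0)
    lines = [make_alert(t0 + timedelta(seconds=i / 40), "10.0.5.17",
                        f"10.0.{(i // 254) % 256}.{i % 254 + 1}") for i in range(2400)]
    lines += [make_alert(t0 + timedelta(seconds=5 * i), "10.0.7.42", "10.0.9.1")
              for i in range(3)]
    return lines


if __name__ == "__main__":
    sample = build_sample()
    for src, n in sorted(peak_minute_rate(sample).items(), key=lambda kv: -kv[1]):
        print(f"{src:15} peak {n} alerts/minute")
    print("over threshold (count 1000 in 60 s):", sources_over_threshold(sample, 1000, 60))
```

Against a live sensor, pass the open alert file (e.g. `hits_per_minute(open("/var/log/snort/alert"), sid=<your SID>)`) instead of `build_sample()`; the functions accept any iterable of lines. Tuning the rule's count against the per-source peak this reports, rather than against a single day's alert total, is what keeps the quiet hosts in Paul's message below the threshold while an infected sweeper stays well above it.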






