Snort mailing list archives
W32 Welchia.Nachi?
From: Mark Gilbert <mark.vyner () extol com my>
Date: Tue, 06 Apr 2004 07:43:42 +0800
hi Larry; This was posted last year....thanks to Paul.

On Thu, 2003-11-06 at 01:39, Schmehl, Paul L wrote:
Yesterday I posted a new version of my rule for this worm. The rule works with snort 2.0.2 or better and takes advantage of the new thresholding keyword to eliminate "false positives". After rereading the README.thresholding docs, I realized that I had not really used the new thresholding rules in the best way. I believe that I now understand them better, so I'm posting this updated copy of the rule:

# This rule is for tracking Welchia/Nachi infections
alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!";\
content: "|aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa\
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa\
aaaa aaaa aaaa aaaa aaaa|"; dsize:64; itype: 8; icode: 0; threshold:\
type both, track by_src, count 1000, seconds 60; classtype:trojan-activity;\
sid: 10000008; rev: 4;)

The update that I posted yesterday used type "limit". What that does is limit the number of alerts that you see to the number that you specify in "count". But by using that type, you also see any hosts that are under that limit, which means any hosts doing pings or tracerts will trigger alerts as well.

By using type "both", the rule will now only trigger if a host generates at least 1000 alerts in 60 seconds, and it will only trigger one alert per minute. This means that an infected host would trigger 60 alerts per hour. This should also completely eliminate "false positives" caused by Windows hosts that are being used for doing pings or tracerts. (So, if you want to detect hosts doing pings and tracerts, this rule won't do that for you.)

If you want to detect infections coming from outside your network, change "$HOME_NET" to "any".

My apologies for cluttering the lists. I should have been more patient before posting my update yesterday.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
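The difference Paul describes between threshold "type limit" and "type both" is easy to see in a small model of the keyword's per-source counting. The following Python is an added example, not code from the post or from Snort itself; it models the README.thresholding semantics for track by_src with a simple fixed window that opens at a source's first event (a simplification of Snort's own bookkeeping), and the two source addresses and their event rates are constructed for the illustration.

```python
"""Added example: minimal model of Snort's `threshold` keyword (types limit and
both, track by_src). Shows why `limit` still alerts on a host that merely pings,
while `both` alerts only once a source exceeds `count` events in `seconds`.
This is an illustration of the documented semantics, not Snort code."""


def alerts_per_source(kind, count, seconds, events):
    """Apply a threshold of the given kind over `events`, a time-ordered list of
    (timestamp_seconds, src_ip) tuples that already matched the rule's
    content/dsize/itype/icode tests. Returns {src_ip: number_of_alerts}."""
    window = {}  # src -> (window_start, events seen so far in this window)
    alerts = {src: 0 for _, src in events}
    for ts, src in events:
        start, n = window.get(src, (None, 0))
        if start is None or ts - start >= seconds:
            start, n = ts, 0  # period expired: open a new window for this source
        n += 1
        window[src] = (start, n)
        if kind == "limit":
            fired = n <= count  # the first `count` events in a period all alert
        elif kind == "both":
            fired = n == count  # one alert per period, only once `count` is reached
        else:
            raise ValueError("unsupported threshold type: %r" % kind)
        if fired:
            alerts[src] += 1
    return alerts


def constructed_traffic():
    """Constructed sample stream (not captured traffic): an administrator's host
    sending one echo request every 2 s, and a Nachi-style scanner sending 50
    echo requests per second, both for two minutes. Addresses are made up."""
    events = [(2.0 * i, "10.0.0.5") for i in range(60)]        # pinger
    events += [(i / 50.0, "10.0.0.99") for i in range(6000)]    # scanner
    events.sort()
    return events


if __name__ == "__main__":
    traffic = constructed_traffic()
    for kind in ("limit", "both"):
        # rule parameters from the post: count 1000, seconds 60
        print(kind, alerts_per_source(kind, 1000, 60, traffic))
```

With the rule's count 1000 / seconds 60, "limit" reports the pinging host on every one of its 60 echo requests and the scanner 1000 times per minute, whereas "both" stays silent on the pinging host and produces exactly one alert per minute for the scanner, which is the "60 alerts per hour" behaviour the post describes.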
Current thread:
- W32 Welchia.Nachi? Wichman, Larry (Apr 05)
- W32 Welchia.Nachi? Mark Gilbert (Apr 05)