Snort mailing list archives

W32 Welchia.Nachi?


From: Mark Gilbert <mark.vyner () extol com my>
Date: Tue, 06 Apr 2004 07:43:42 +0800

Hi Larry,

  This was posted last year. Thanks to Paul.


On Thu, 2003-11-06 at 01:39, Schmehl, Paul L wrote: 

Yesterday I posted a new version of my rule for this worm.  The rule
works with snort 2.0.2 or better and takes advantage of the new
thresholding keyword to eliminate "false positives".

After rereading the README.thresholding docs, I realized that I had not
really used the new thresholding rules in the best way.  I believe that
I now understand them better, so I'm posting this updated copy of the
rule:

# This rule is for tracking Welchia/Nachi infections.
# Match: an ICMP echo request (itype 8, icode 0) whose payload is exactly
# 64 bytes (dsize:64) and contains the worm's run of 0xAA bytes (31 "aaaa"
# pairs = 62 bytes of 0xAA).  The threshold (snort 2.0.2 or later) holds the
# alert back until one source has matched 1000 times in 60 seconds, then
# reports once per 60-second window.
alert icmp $HOME_NET any -> any any (msg:"ALERT!!! NACHI Infection!!"; \
    content:"|aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa \
              aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa \
              aaaa aaaa aaaa aaaa aaaa|"; \
    dsize:64; itype:8; icode:0; \
    threshold: type both, track by_src, count 1000, seconds 60; \
    classtype:trojan-activity; sid:10000008; rev:4;)

The update that I posted yesterday used type "limit".  What that does is
limit the number of alerts that you see to the number that you specify
in "count".  But by using that type, you also see any hosts that are
under that limit, which means any hosts doing pings or tracerts will
trigger alerts as well.

By using type "both", the rule will now only trigger if a host generates
at least 1000 alerts in 60 seconds, and it will only trigger one alert
per minute.  This means that an infected host would trigger 60 alerts
per hour.  This should also completely eliminate "false positives"
caused by Windows hosts that are being used for doing pings or tracerts.
(So, if you want to detect hosts doing pings and tracerts, this rule
won't do that for you.)

If you want to detect infections coming from outside your network,
change "$HOME_NET" to "any".

My apologies for cluttering the lists.  I should have been more patient
before posting my update yesterday.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
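To make the difference between type "limit" and type "both" concrete, here is an added Python model of Snort's per-rule thresholding as described in README.thresholding, run over the Welchia rule's packet predicates (itype 8, icode 0, dsize 64, a run of 0xAA bytes in the payload). It is example code written for this page, not Paul's rule or Snort's own thresholding code; the traffic is constructed inline (one infected host probing every 10 ms, one benign host sending the same payload once a second, one host sending an ordinary 32-byte Windows ping), and the host addresses, packet dictionary layout and function names are assumptions of the example.

```python
"""Model of Snort's threshold: type <limit|threshold|both>, track by_src,
count N, seconds S, applied to the Welchia/Nachi ICMP rule.
Constructed traffic, not a capture; example code, not Snort source."""

from collections import Counter

# --- 1. Packet-level predicates of the posted rule -----------------------
WELCHIA_CONTENT = b"\xaa" * 62   # 31 x "aaaa" in the rule = 62 bytes of 0xAA


def rule_matches(pkt):
    """itype:8; icode:0; dsize:64; content:|aa...aa| (62 bytes)."""
    return (pkt["itype"] == 8 and pkt["icode"] == 0
            and len(pkt["payload"]) == 64
            and WELCHIA_CONTENT in pkt["payload"])


# --- 2. The three threshold types from README.thresholding ---------------
class Threshold:
    def __init__(self, kind, count, seconds):
        assert kind in ("limit", "threshold", "both")
        self.kind, self.count, self.window_ms = kind, count, seconds * 1000
        self._state = {}  # track key (here: source IP) -> [window_start_ms, n]

    def allow(self, key, now_ms):
        """True if the matching event for `key` at `now_ms` should alert."""
        st = self._state.get(key)
        if st is None or now_ms - st[0] >= self.window_ms:
            st = [now_ms, 0]              # open a fresh time window
            self._state[key] = st
        st[1] += 1
        n = st[1]
        if self.kind == "limit":          # first `count` events per window alert
            return n <= self.count
        if self.kind == "threshold":      # every `count`-th event alerts
            return n % self.count == 0
        return n == self.count            # both: once per window, at event `count`


def run_rule(packets, threshold):
    """Alerts per source after the content match and the threshold are applied."""
    alerts = Counter()
    for pkt in sorted(packets, key=lambda p: p["t_ms"]):
        if rule_matches(pkt) and threshold.allow(pkt["src"], pkt["t_ms"]):
            alerts[pkt["src"]] += 1
    return dict(alerts)


# --- 3. Constructed two-minute traffic sample ----------------------------
def icmp_echo(src, t_ms, payload):
    return {"src": src, "t_ms": t_ms, "itype": 8, "icode": 0, "payload": payload}


WORM_PAYLOAD = b"\xaa" * 64                          # 64 bytes of 0xAA, as Welchia sends
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"   # default 32-byte Windows ping data


def sample_traffic():
    pkts = []
    # 10.0.0.5 (assumed): infected host, one probe every 10 ms = 6000/minute
    pkts += [icmp_echo("10.0.0.5", i * 10, WORM_PAYLOAD) for i in range(12_000)]
    # 10.0.0.9 (assumed): benign host sending the same payload once per second
    pkts += [icmp_echo("10.0.0.9", i * 1000, WORM_PAYLOAD) for i in range(120)]
    # 10.0.0.7 (assumed): ordinary Windows ping; fails dsize/content, never matches
    pkts += [icmp_echo("10.0.0.7", i * 1000, WINDOWS_PING) for i in range(120)]
    return pkts


if __name__ == "__main__":
    for kind in ("limit", "threshold", "both"):
        print(kind, run_rule(sample_traffic(), Threshold(kind, 1000, 60)))
```

With type "limit" the benign 1 packet/s host still produces an alert for every packet (120 over two minutes) because it never reaches the 1000 cap that limit enforces, and the infected host produces 1000 alerts per window; with type "both" the benign host produces nothing and the infected host produces exactly one alert per 60-second window, which is the behaviour the post describes.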