|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [Snort-users] SUMMARY, CyberKit 2.2 Ping, its driven me Nuts..
From: Jim Brown (jpb
sixshooter.v6.thrupoint.net)
Date: Sat Jan 03 2004 - 18:10:46 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
* Paul Schmehl <paulsutdallas.edu> [2004-01-01 01:11]:
> ----- Original Message -----
> From: "Jeff Kell" <jeff-kellutc.edu>
> To: "Brice B" <nestaiceburg.net>
> Cc: <chris.northroppo.state.ct.us>; <snort-userslists.sourceforge.net>
> Sent: Wednesday, December 31, 2003 8:38 PM
> Subject: Re: [Snort-users] SUMMARY, CyberKit 2.2 Ping, its driven me Nuts..
> >
> > Can anyone verify the [non]existance of a difference between the
> > Cyberkit and Nachi pings? Not having Cyberkit myself, I can only
> > address Nachi. The frame is 106 bytes on the wire, 92 bytes in the IP
> > packet, and 64 bytes of 0xaa in the ICMP data payload.
> >
> > If Cyberkit is anything but 64 bytes of 0xaa payload, perhaps a new,
> > Nachi-specific rule is called for.
> >
> Here's the rule I wrote, which I've posted to the list several times. It
> uses thresholding and triggers one alert per minute. If you get *any*
> alerts with this rule, I *guarantee* you it's a machine infected with Nachi
> or a new variant of Nachi.
>
> # This rule is for tracking Nachi infections
> alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!";
> content: "|aaaa aaaa aaaa aaaa aaaa aaaa aaaa aa
> aa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
> aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|";
> dsize:64; itype: 8; icode: 0; threshold: type both, track by_src, count
> 1000, seconds 60; classtype:trojan-activity; si
> d: 10000008; rev: 4;)
>
> The usual rules apply. This must be either all on one line or properly
> "escaped", so you'll have to fix it if you copy and paste. Note that this
> rule *only* triggers for internal infections, *not* for infected machines on
> $EXTERNAL_NET, so you need to edit it appropriately for what you are looking
> for on your network. I.e. change $HOME_NET to any if you want to catch
> *all* infections or $EXTERNAL_NET if you want to catch *incoming*
> infections.
>
> Paul Schmehl (paulsutdallas.edu)
> Adjunct Information Security Officer
> University of Texas at Dallas
> http://www.utdallas.edu/ir/
I'm curious about your threshold count of 1000 per minute. I've only
seen activity on the order of 12-15 messages/second on a 'blast'
with several seconds between blasts. This wouldn't get me to
1000 in one minute for most minutes.
What are your stats? Are you seeing more than 15 messages/second?
Best Regards,
jpb
===
-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]