Re: [Snort-users] SUMMARY, CyberKit 2.2 Ping, it's driven me Nuts..

From: Paul Schmehl (paulsutdallas.edu)
Date: Sat Jan 03 2004 - 19:09:53 CST


----- Original Message -----
From: "Jim Brown" <jpbsixshooter.v6.thrupoint.net>
To: <snort-userslists.sourceforge.net>
Sent: Saturday, January 03, 2004 6:10 PM
Subject: Re: [Snort-users] SUMMARY, CyberKit 2.2 Ping, it's driven me Nuts..
>
> I'm curious about your threshold count of 1000 per minute. I've only
> seen activity on the order of 12-15 messages/second on a 'blast'
> with several seconds between blasts. This wouldn't get me to
> 1000 in one minute for most minutes.
>
It's an arbitrary number chosen by me to ensure that it would eliminate
traffic from boxes that are not infected with Nachi. The Nachi packet is
identical to a Windows ping or traceroute (tracert) because Nachi uses the
built-in program that comes with Windows. So, if you're looking for Nachi
and *only* Nachi, you want to eliminate any other causes (at least I do.)

> What are your stats? Are you seeing more than 15 messages/second?

A box infected with Nachi will generate between 100,000 and 250,000 alerts
an hour without thresholding using this rule. Simple math tells you that an
infected machine should generate a minimum of 1667 alerts per minute. So I
set the count to 1000 as a fudge factor. I've had *plenty* of experience
with Nachi infections, so I'm quite familiar with its behavior.

Paul Schmehl (paulsutdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
http://www.utdallas.edu/ir/
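As an added example that is not part of the original thread, the following is a simplified model of Snort's per-source `threshold` rule option with the values discussed above (count 1000, seconds 60, track by_src), run over two constructed ICMP event streams: the bursty 12-15/s pattern Jim describes and the ~1667 alerts/minute Paul quotes for a Nachi-infected host. The exact window/reset semantics, the IP addresses and the traffic shapes are assumptions for illustration, not Snort's code.

```python
from collections import defaultdict

COUNT, SECONDS = 1000, 60  # threshold values from the thread


def threshold_alerts(events, count=COUNT, seconds=SECONDS):
    """events: time-ordered (timestamp_seconds, src_ip) pairs.
    Returns one (timestamp, src_ip) per thresholded alert, per source."""
    state = defaultdict(lambda: (None, 0))  # src -> (window_start, seen)
    alerts = []
    for ts, src in events:
        start, n = state[src]
        if start is None or ts - start >= seconds:
            start, n = ts, 0  # window expired (or none yet): start a new one
        n += 1
        if n >= count:
            alerts.append((ts, src))
            start, n = None, 0  # fire once, then reset the counter
        state[src] = (start, n)
    return alerts


def burst_source(src, pps, burst_len, gap, total):
    """Constructed traffic: `pps` pings/s in `burst_len`-second blasts,
    `gap` seconds apart, for `total` seconds (Jim's 12-15/s pattern)."""
    events, t = [], 0.0
    while t < total:
        events += [(t + i / pps, src) for i in range(int(pps * burst_len))]
        t += burst_len + gap
    return events


def steady_source(src, per_minute, total):
    """Constructed traffic: a steady `per_minute` pings for `total` seconds
    (Paul's ~1667/min from a Nachi-infected host)."""
    n = int(per_minute * total / 60)
    return [(i * total / n, src) for i in range(n)]


def demo(duration=300):
    """Run both constructed sources through the rule; alerts per source."""
    benign = burst_source("10.0.0.5", pps=15, burst_len=4, gap=6, total=duration)
    infected = steady_source("10.0.0.9", per_minute=1667, total=duration)
    alerts = threshold_alerts(sorted(benign + infected))
    return {src: sum(1 for _, s in alerts if s == src)
            for src in ("10.0.0.5", "10.0.0.9")}


if __name__ == "__main__":
    print(demo())  # {'10.0.0.5': 0, '10.0.0.9': 8}
```

The bursty host never accumulates 1000 events inside any 60-second window, so it is silent, while the infected host trips the rule once per 1000 events, roughly every 36 seconds.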
