[Snort-sigs] Quick Nachi ICMP rule
pauls at ...1311...
Fri Aug 22 17:51:02 EDT 2003
This rule seems to be catching every Nachi infection with no non-infected
machines alerting as well.
# This rule is for tracking Nachi infections
alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!"; content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; dsize:64; itype: 8; icode: 0; classtype:trojan-activity; sid: 10000008; rev: 1;)
Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
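
Added example, not part of the original post and not Snort code: a Python sketch of what the rule's itype, icode, dsize and content options test, run over constructed ICMP messages. It shows that the pipe-delimited content is 16 bytes of 0xAA rather than ASCII "a", and that dsize counts the payload after the 8-byte ICMP header. The $HOME_NET source check is not modeled, and the helper names and sample packets are assumptions made for the illustration.

```python
import struct

# Values taken from the rule: content is 16 bytes of 0xAA (hex between pipes),
# dsize is the ICMP payload length, itype/icode select echo request.
RULE_CONTENT = bytes.fromhex("aa" * 16)
RULE_DSIZE, RULE_ITYPE, RULE_ICODE = 64, 8, 0
ICMP_HEADER_LEN = 8  # type, code, checksum, identifier, sequence


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(payload: bytes, ident: int = 1, seq: int = 1, itype: int = 8) -> bytes:
    """Build a raw ICMP message (constructed test input, not captured traffic)."""
    header = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload


def rule_matches(icmp: bytes) -> bool:
    """Evaluate the rule's itype, icode, dsize and content options."""
    if len(icmp) < ICMP_HEADER_LEN:
        return False  # truncated message: nothing to inspect
    itype, icode = icmp[0], icmp[1]
    payload = icmp[ICMP_HEADER_LEN:]
    return (itype == RULE_ITYPE and icode == RULE_ICODE
            and len(payload) == RULE_DSIZE and RULE_CONTENT in payload)


# Constructed samples: one that satisfies every option, four that each miss one.
SAMPLES = {
    "64 x 0xAA echo request": build_echo(b"\xaa" * 64),
    "64 x ASCII 'a' echo request": build_echo(b"a" * 64),
    "32-byte alphabet ping": build_echo(b"abcdefghijklmnopqrstuvwabcdefghi"),
    "64 x 0xAA echo reply": build_echo(b"\xaa" * 64, itype=0),
    "48 x 0xAA echo request": build_echo(b"\xaa" * 48),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:30} -> {'ALERT' if rule_matches(pkt) else 'no alert'}")
```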