[Snort-sigs] Quick Nachi ICMP rule

Paul Schmehl pauls at ...1311...
Fri Aug 22 17:51:02 EDT 2003


This rule seems to be catching every Nachi infection with no non-infected 
machines alerting as well.

# This rule is for tracking Nachi infections
alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!"; content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; dsize:64; itype: 8; icode: 0; classtype:trojan-activity; sid: 10000008; rev: 1;)

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
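
The following is an added example, not part of the original post: it re-implements the rule's tests in Python and runs them over constructed packets to show which option rejects each look-alike. The HOME_NET value, the addresses, the helper names and the reading of dsize as the bytes after the 8-byte ICMP echo header are assumptions.

```python
import ipaddress
import struct

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed stand-in for $HOME_NET
RULE_CONTENT = b"\xaa" * 16  # content:"|aaaa...|" is hex notation: 16 bytes of 0xAA

def rule_matches(packet: bytes, home_net=HOME_NET) -> bool:
    """Apply the rule's header and payload tests to one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len > len(packet) or total_len < ihl + 8:
        return False
    if packet[9] != 1:  # "alert icmp": IP protocol 1
        return False
    if ipaddress.ip_address(packet[12:16]) not in home_net:  # "$HOME_NET any ->"
        return False
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    payload = packet[ihl + 8:total_len]  # assumed: dsize counts data after the echo header
    return (icmp_type == 8 and icmp_code == 0      # itype: 8; icode: 0
            and len(payload) == 64                 # dsize:64
            and RULE_CONTENT in payload)           # content match anywhere in payload

def build_icmp(src: str, dst: str, payload: bytes, icmp_type: int = 8) -> bytes:
    """Build a constructed IPv4/ICMP packet; checksums stay zero (the rule ignores them)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 128, 1, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + icmp

def sample_results() -> dict:
    """Run the rule logic over constructed sample packets (not captured traffic)."""
    inside, outside, target = "192.0.2.10", "198.51.100.5", "203.0.113.7"
    samples = {
        "64 x 0xAA echo request from HOME_NET": build_icmp(inside, target, b"\xaa" * 64),
        "32-byte alphabet ping": build_icmp(inside, target, b"abcdefghijklmnopqrstuvwabcdefghi"),
        "64 zero bytes": build_icmp(inside, target, bytes(64)),
        "32 x 0xAA (wrong size)": build_icmp(inside, target, b"\xaa" * 32),
        "64 x 0xAA echo reply": build_icmp(inside, target, b"\xaa" * 64, icmp_type=0),
        "64 x 0xAA from outside HOME_NET": build_icmp(outside, inside, b"\xaa" * 64),
    }
    return {name: rule_matches(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, hit in sample_results().items():
        print(f"{'ALERT' if hit else 'pass ':5}  {name}")
```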



