[Snort-sigs] Quick Nachi ICMP rule

Johnathan Norman jnorman at ...1256...
Thu Aug 28 18:31:04 EDT 2003


Nachi payload is 62 bytes long....why did you use 64?

Johnathan Norman, SCNA,CCSP,ISSP
Network Security Analyst
Alert Logic, Inc.
jnorman at ...1256... / jnorman-pager at ...1256...
Office: 713-484-8383

On Fri, 22 Aug 2003, Paul Schmehl wrote:

> This rule seems to be catching every Nachi infection with no non-infected
> machines alerting as well.
>
> # This rule is for tracking Nachi infections
> alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!";
> content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; dsize:64; itype: 8; icode:
> 0; classtype:trojan-activity; sid: 10000008; rev: 1;)
>
> Paul Schmehl (pauls at ...1311...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
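To make the dsize question concrete, here is an added example (not code from either poster or from Snort) that models the quoted rule's itype, icode, dsize and content options in Python and runs them over constructed ICMP echo datagrams. It treats the payload as the bytes after the 8-byte ICMP header, which is what Snort's dsize measures for ICMP, and shows that an exact dsize only fires on one payload length; the 62- and 64-byte samples are constructed, not captures.

```python
import struct

# Option values taken from the rule quoted in the thread.
ICMP_ECHO_REQUEST = 8          # itype: 8
ICMP_ECHO_CODE = 0             # icode: 0
NACHI_CONTENT = b"\xaa" * 32   # content: "|aa ... aa|" (32 bytes of 0xaa)


def parse_icmp(datagram: bytes) -> dict:
    """Split an ICMP datagram into its 8-byte header fields and the payload."""
    if len(datagram) < 8:
        raise ValueError("truncated ICMP header")
    itype, icode, checksum, ident, seq = struct.unpack("!BBHHH", datagram[:8])
    return {"type": itype, "code": icode, "checksum": checksum,
            "id": ident, "seq": seq, "payload": datagram[8:]}


def matches_nachi_rule(datagram: bytes, dsize: int) -> bool:
    """Model the rule: itype, icode, dsize (exact payload length) and content.
    Because dsize is an exact comparison, a payload of any other length is
    silently not reported, which is the point raised in the reply above."""
    pkt = parse_icmp(datagram)
    return (pkt["type"] == ICMP_ECHO_REQUEST
            and pkt["code"] == ICMP_ECHO_CODE
            and len(pkt["payload"]) == dsize
            and NACHI_CONTENT in pkt["payload"])


def build_echo_request(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Construct an ICMP echo request; checksum left at zero (never sent)."""
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, ICMP_ECHO_CODE, 0, ident, seq) + payload


# Constructed sample datagrams for the demonstration, not captured traffic.
SAMPLES = {
    "aa_x62": build_echo_request(b"\xaa" * 62),                   # 62 bytes of 0xaa
    "aa_x64": build_echo_request(b"\xaa" * 64),                   # 64 bytes of 0xaa
    "normal_ping": build_echo_request(bytes(range(8, 8 + 56))),   # ascending pattern data
    "echo_reply": struct.pack("!BBHHH", 0, 0, 0, 1, 1) + b"\xaa" * 64,  # type 0, not 8
}


def evaluate(dsize: int) -> dict:
    """Report which samples the rule would alert on for a given dsize value."""
    return {name: matches_nachi_rule(d, dsize) for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for dsize in (62, 64):
        print(f"dsize:{dsize} ->", evaluate(dsize))
```

Whichever length the real Nachi echo carries, only the sample with exactly that payload length matches; a rule tuned to the other value never alerts on it.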
