[Snort-sigs] Quick Nachi ICMP rule

Johnathan Norman jnorman at ...1256...
Thu Aug 28 18:59:04 EDT 2003


Nevermind :)

On Thu, 28 Aug 2003, Johnathan Norman wrote:

> Nachi payload is 62 bytes long....why did you use 64?
>
> Johnathan Norman, SCNA,CCSP,ISSP
> Network Security Analyst
> Alert Logic, Inc.
> jnorman at ...1256... / jnorman-pager at ...1256...
> Office: 713-484-8383
>
> On Fri, 22 Aug 2003, Paul Schmehl wrote:
>
> > This rule seems to be catching every Nachi infection with no non-infected
> > machines alerting as well.
> >
> > # This rule is for tracking Nachi infections
> > alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!";
> > content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; dsize:64; itype: 8; icode:
> > 0; classtype:trojan-activity; sid: 10000008; rev: 1;)
> >
> > Paul Schmehl (pauls at ...1311...)
> > Adjunct Information Security Officer
> > The University of Texas at Dallas
> > AVIEN Founding Member
> > http://www.utdallas.edu
> >
> >
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
>
>
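To make concrete what Paul's rule is actually testing (and why the 62-vs-64 question above comes down to what `dsize` measures), here is a small Python matcher added as an example; it is not code from the thread or from Snort. It parses a raw IPv4/ICMP packet, takes the payload as the bytes after the 8-byte echo header (type, code, checksum, identifier, sequence), which is the slice Snort's decoder hands to `dsize` and `content` for echo packets, and applies the rule's four conditions: `itype:8`, `icode:0`, `dsize:64`, and the 16-byte `|aa...aa|` content. The sample packets are constructed in the code (`build_echo_request` is a helper of this example, addresses 10.0.0.5/10.0.0.9 are made up, and the IP header checksum is left at zero since nothing validates it here); the 64 × 0xAA echo payload is taken from what the rule itself encodes, not from any other description of Nachi.

```python
import struct

# Match conditions lifted straight from the quoted Snort rule
RULE_CONTENT = bytes.fromhex("aa" * 16)  # content: "|aa...aa|" (16 bytes)
RULE_DSIZE = 64                          # dsize:64
RULE_ITYPE = 8                           # itype: 8  (echo request)
RULE_ICODE = 0                           # icode: 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed test input: a minimal IPv4 + ICMP echo request carrying `payload`.
    The IP header checksum is left as 0 (hypothetical capture, nothing checks it)."""
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(icmp_hdr + payload)
    icmp = struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,   # IHL=5, proto 1 = ICMP
        bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]),  # made-up src/dst
    )
    return ip + icmp


def parse_icmp(packet: bytes):
    """Return (itype, icode, payload) for an IPv4/ICMP packet, else None.
    Payload is everything after the 8-byte echo header, which is the
    slice Snort's dsize and content options operate on for echo packets."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:
        return None
    itype, icode = packet[ihl], packet[ihl + 1]
    return itype, icode, packet[ihl + 8:]


def matches_nachi_rule(packet: bytes) -> bool:
    """Apply the rule's itype/icode/dsize/content conditions to one packet."""
    parsed = parse_icmp(packet)
    if parsed is None:
        return False
    itype, icode, payload = parsed
    return (
        itype == RULE_ITYPE
        and icode == RULE_ICODE
        and len(payload) == RULE_DSIZE
        and RULE_CONTENT in payload
    )


def count_hits(packets) -> int:
    """How many packets in an iterable the rule would alert on."""
    return sum(1 for pkt in packets if matches_nachi_rule(pkt))


if __name__ == "__main__":
    samples = {
        "nachi-style 64 x 0xAA": build_echo_request(b"\xaa" * 64),
        "62 x 0xAA (wrong dsize)": build_echo_request(b"\xaa" * 62),
        "ordinary 56-byte ping": build_echo_request(bytes(range(56))),
    }
    for name, pkt in samples.items():
        print(f"{name:28s} -> {'ALERT' if matches_nachi_rule(pkt) else 'no match'}")
```

The 62-byte sample shows the point of the exchange: the content match alone would fire on it, but `dsize:64` is an exact-length test on the data after the echo header, so a 62-byte payload never alerts. If you are tuning this rule on real traffic, compare the hit counts against packets from a known-clean host first, since an exact `dsize` is what keeps ordinary 32- and 56-byte pings from matching.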