[Snort-sigs] Quick Nachi ICMP rule -variants?

Brian Howard drivah at ...1821...
Thu Aug 28 21:42:05 EDT 2003


Is anyone else seeing different patterns of attack?  I seem to see two different
patterns of behaviour, "bigtalkers" that go after everything, and a more subtle
variant that seems to use broadcast pings and only target machines that answer.
Unfortunately our network infrastructure guys are blocking icmp (not before my
snort database blew up) and my current database reflects that - I have no data prior
(yet).  I now seem to see the few "bigtalkers" but a lot of selective ones as well,
and the few alerts from our variant of the rule below that my sensors do see seem
to be destination -> a.b.255.255 or a.b.c.255 with a few a.255.255.255 thrown in for
good measure.

Johnathan Norman wrote:

> Nevermind :)
>
> On Thu, 28 Aug 2003, Johnathan Norman wrote:
>
> > Nachi payload is 62 bytes long....why did you use 64?
> >
> > Johnathan Norman, SCNA,CCSP,ISSP
> > Network Security Analyst
> > Alert Logic, Inc.
> > jnorman at ...1256... / jnorman-pager at ...1256...
> > Office: 713-484-8383
> >
> > On Fri, 22 Aug 2003, Paul Schmehl wrote:
> >
> > > This rule seems to be catching every Nachi infection with no non-infected
> > > machines alerting as well.
> > >
> > > # This rule is for tracking Nachi infections
> > > alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!";
> > > content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; dsize:64; itype: 8; icode:
> > > 0; classtype:trojan-activity; sid: 10000008; rev: 1;)
> > >
> > > Paul Schmehl (pauls at ...1311...)
> > > Adjunct Information Security Officer
> > > The University of Texas at Dallas
> > > AVIEN Founding Member
> > > http://www.utdallas.edu
> > >
> > >
> > > -------------------------------------------------------
> > > This SF.net email is sponsored by: VM Ware
> > > With VMware you can run multiple operating systems on a single machine.
> > > WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
> > > at the same time. Free trial click here:http://www.vmware.com/wl/offer/358/0
> > > _______________________________________________
> > > Snort-sigs mailing list
> > > Snort-sigs at lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/snort-sigs
