[Snort-sigs] Quick Nachi ICMP rule -variants?

Vincent Vono vincent.vono at ...1538...
Fri Aug 29 06:51:03 EDT 2003




We've also seen the same: incremental scans as well as subnet broadcast
addresses, a.b.c.255, etc.



On Thu, 28 Aug 2003, Brian Howard wrote:

> Is anyone else seeing different patterns of attack?  I seem to see two
> different patterns of behaviour, "bigtalkers" that go after everything, and
> a more subtle variant that seems to use broadcast pings and only target
> machines that answer.
> Unfortunately our network infrastructure guys are blocking icmp (not before
> my snort database blew up) and my current database reflects that- have no
> data prior (yet).  I now seem to see the few "bigtalkers" but a lot of
> selective ones as well and the few alerts from our variant of the rule below
> that my sensors do see seem to be destination->a.b.255.255 or a.b.c.255 with
> a few a.255.255.255 thrown in for good measure.
>

Yep! I am glad I am not the only one. Yesterday we had a user plug into
the network and we only logged scans to the local subnet and a few other
hosts.

Johnathan

> Johnathan Norman wrote:
>
> > Nevermind :)
> >
> > On Thu, 28 Aug 2003, Johnathan Norman wrote:
> >
> > > Nachi payload is 62 bytes long....why did you use 64?
> > >
> > > Johnathan Norman, SCNA,CCSP,ISSP
> > > Network Security Analyst
> > > Alert Logic, Inc.
> > > jnorman at ...1256... / jnorman-pager at ...1256...
> > > Office: 713-484-8383
> > >
> > > On Fri, 22 Aug 2003, Paul Schmehl wrote:
> > >
> > > > This rule seems to be catching every Nachi infection with no
> > > > non-infected machines alerting as well.
> > > >
> > > > # This rule is for tracking Nachi infections
> > > > alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!";
> > > > content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; dsize:64; itype: 8; icode: 0;
> > > > classtype:trojan-activity; sid: 10000008; rev: 1;)
> > > >
> > > > Paul Schmehl (pauls at ...1311...)
> > > > Adjunct Information Security Officer
> > > > The University of Texas at Dallas
> > > > AVIEN Founding Member
> > > > http://www.utdallas.edu
> > > >
> > > >
> > > > _______________________________________________
> > > > Snort-sigs mailing list
> > > > Snort-sigs at lists.sourceforge.net
> > > > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > > >
> > >
> > >
> >
>


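The match criteria of the rule quoted in this thread, plus the broadcast-destination variant the posters describe, as an added Python example that is not code from any poster. It assumes Snort's dsize for ICMP counts the bytes after the 8-byte ICMP header, and the packets, addresses and HOME_NET are constructed for illustration.

```python
import ipaddress
import struct

# Criteria from the quoted rule. Assumption: Snort's dsize for ICMP is the
# number of bytes following the 8-byte ICMP header.
ITYPE_ECHO_REQUEST = 8
NACHI_DSIZE = 64
NACHI_CONTENT = b"\xaa" * 16   # |aaaa...aa| in the rule is 16 bytes of 0xAA


def parse_ipv4_icmp(pkt: bytes):
    """Return (src, dst, itype, icode, payload) for a raw IPv4/ICMP packet, else None."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:      # IP protocol 1 = ICMP
        return None
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    itype, icode = pkt[ihl], pkt[ihl + 1]
    return src, dst, itype, icode, pkt[ihl + 8:]


def classify(pkt: bytes, home_net: str = "10.0.0.0/8") -> str:
    """'nachi-broadcast', 'nachi' or 'clean': the rule's checks, then the thread's
    observation that some infected hosts ping a.b.c.255-style broadcast addresses."""
    parsed = parse_ipv4_icmp(pkt)
    if parsed is None:
        return "clean"
    src, dst, itype, icode, payload = parsed
    if src not in ipaddress.ip_network(home_net):          # $HOME_NET any -> any any
        return "clean"
    if itype != ITYPE_ECHO_REQUEST or icode != 0:          # itype: 8; icode: 0
        return "clean"
    if len(payload) != NACHI_DSIZE or NACHI_CONTENT not in payload:  # dsize; content
        return "clean"
    # Heuristic from the thread: a last octet of 255 is a subnet/directed broadcast.
    return "nachi-broadcast" if dst.packed[-1] == 0xFF else "nachi"


def build_echo_request(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed sample packet (checksums left zero; the rule never checks them)."""
    total = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    icmp = struct.pack("!BBHHH", ITYPE_ECHO_REQUEST, 0, 0, 0x1234, 1)
    return ip + icmp + payload
```

A 64-byte run of 0xAA to 10.1.2.255 classifies as "nachi-broadcast", the same payload to a host address as "nachi", and a standard 56-byte ping pattern as "clean".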



