[Snort-sigs] ARP scan

Mark Nipper nipsy at ...1371...
Mon Oct 6 08:38:09 EDT 2003

On 06 Oct 2003, Martin Jr., D. Michael wrote:
> The IP range and subnet mask is:
> 192.168.XXX.XXX, Mask:
> These people are probably infected with the Nachi virus.  In any event, I need to know who is sending out this info.

	I'm not sure about the MAC address, but all of our Nachi-
infected hosts actually show up as:
[**] Possible NACHI Infection [**]
10/06-10:30:27.434262 x.x.10.54 -> x.x.198.118
ICMP TTL:128 TOS:0x0 ID:58167 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:43909  ECHO

with the rule I posted previously.  So x.x.10.54 is infected in
this case.  My command line options are '-qDA none -i em1 -c
/usr/local/etc/snort.conf' which is not the fastest way to do
things.  But with the traffic going across this particular box,
I'm dropping less than 1% of all packets going through the box
(0.114% actually right this second), and it's a lot easier to
parse the information in real time with snort running in this
mode than using its binary logging format or even its syslog
style format.

Mark Nipper                                                e-contacts:
Computing and Information Services                      nipsy at ...1371...
Texas A&M University                        http://ops.tamu.edu/nipsy/
College Station, TX 77843-3142     AIM/Yahoo: texasnipsy ICQ: 66971617
(979)575-3193                                      MSN: nipsy at ...1371...

GG/IT d- s++:+ a-- C++$ UBL+++$ P--->+++ L+++$ E---
W++ N+ o K++ w(---) O++ M V(--) PS+++(+) PE(--) Y+
PGP++(+) t 5 X R tv b+++ DI+(++) D+ G e h r++ y+(**)

---begin random quote of the moment---
"Do you believe in destiny, that even the powers of time can be
ordered to a single purpose?  The luckiest man who walks this
earth is the one who finds true love."

 -- Dracula, "Bram Stoker's Dracula", 1992
----end random quote of the moment----
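The post above describes picking infected sources out of Snort's text alert output in real time rather than from the binary or syslog logs. The following is an added example, not code from the post or from the Snort project, of a small parser for that full-alert record layout (signature name, then "src -> dst", then the IP header summary) that tallies which source hosts keep tripping the NACHI signature. The sample alert records embedded in it are constructed for this example with RFC 5737 documentation addresses; the signature name is taken from the post, but the rule itself is not on this page, so the parser keys only on the alert name and protocol, not on any payload content.

```python
"""Parse Snort full-format alerts and tally NACHI-flagged source hosts.

Added example. The records below are constructed sample input whose shape
mirrors the alert quoted in the post; addresses, IDs and sequence numbers
are made up.
"""
import re
from collections import Counter

# Constructed sample: three NACHI alerts from 192.0.2.54, one from
# 192.0.2.77, and one unrelated ICMP PING alert that must be ignored.
SAMPLE_ALERTS = """\
[**] Possible NACHI Infection [**]
10/06-10:30:27.434262 192.0.2.54 -> 203.0.113.118
ICMP TTL:128 TOS:0x0 ID:58167 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:43909  ECHO

[**] Possible NACHI Infection [**]
10/06-10:30:27.436001 192.0.2.54 -> 203.0.113.119
ICMP TTL:128 TOS:0x0 ID:58168 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:43910  ECHO

[**] Possible NACHI Infection [**]
10/06-10:30:28.000413 192.0.2.77 -> 203.0.113.5
ICMP TTL:128 TOS:0x0 ID:1021 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:7  ECHO

[**] ICMP PING [**]
10/06-10:30:29.100000 198.51.100.9 -> 203.0.113.5
ICMP TTL:64 TOS:0x0 ID:44 IpLen:20 DgmLen:84
Type:8  Code:0  ID:9  Seq:1  ECHO

[**] Possible NACHI Infection [**]
10/06-10:30:29.500000 192.0.2.54 -> 203.0.113.120
ICMP TTL:128 TOS:0x0 ID:58169 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:43911  ECHO
"""

# Line 1 of a record: the signature name between the [**] markers.
HEADER_RE = re.compile(r"^\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]$")
# Line 2: timestamp, then "src -> dst". ICMP carries bare addresses; TCP/UDP
# records carry "ip:port", which rsplit(":", 1) below strips the same way.
ADDR_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")
# Line 3: protocol and IP header fields; we keep the protocol and DgmLen.
IPHDR_RE = re.compile(r"^(?P<proto>\w+)\s.*\bDgmLen:(?P<dgmlen>\d+)")


def parse_alerts(text):
    """Yield one dict per alert record in Snort full-alert text output.

    Records are separated by blank lines. A record whose first three lines
    do not match the expected layout (e.g. a partial write at the tail of
    a live log) is skipped rather than guessed at.
    """
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        head = HEADER_RE.match(lines[0])
        addr = ADDR_RE.match(lines[1])
        iphdr = IPHDR_RE.match(lines[2])
        if not (head and addr and iphdr):
            continue
        yield {
            "msg": head.group("msg"),
            "ts": addr.group("ts"),
            "src": addr.group("src").rsplit(":", 1)[0],
            "dst": addr.group("dst").rsplit(":", 1)[0],
            "proto": iphdr.group("proto"),
            "dgmlen": int(iphdr.group("dgmlen")),
        }


def nachi_sources(text, min_hits=1):
    """Return {src_ip: alert_count} for hosts that fired the NACHI signature
    at least min_hits times.

    As the post notes, the infected host is the *source* of the ICMP echo
    request, so the tally is keyed on src, not dst.
    """
    hits = Counter(
        a["src"] for a in parse_alerts(text)
        if "NACHI" in a["msg"].upper() and a["proto"] == "ICMP"
    )
    return {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for ip, n in sorted(nachi_sources(SAMPLE_ALERTS).items(),
                        key=lambda kv: -kv[1]):
        print(f"{ip:15s} {n} NACHI alerts")
```

To run this against a live alert file instead of the embedded sample, feed the file contents to nachi_sources(); raising min_hits filters out a host that tripped the rule once (a stray ping of the matching size) from one that is sweeping the network. The rsplit-based port stripping assumes IPv4 addresses, which is all the 2003-era alert format shown above carries.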
