[Snort-sigs] sig for recent massive ICMP scans

Paul Schmehl pauls at ...1311...
Thu Sep 25 20:10:34 EDT 2003


--On Thursday, September 25, 2003 4:43 PM -0400 SoloNet Newsfeed 
<newsfeed at ...1411...> wrote:
>
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING
> Scan Netblock
> (VIRUS?)";content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
> aa|";itype:8;icode:0;depth:106;classtype:misc-activity;rev:1;)
>
Are you sure that the packets are 106 bytes and not 96 bytes?  The reason 
that I ask is because Nachi/Welchia packets were 96 bytes.  If these really 
are 106 bytes, then they're something new.  The payload is the same size as 
Nachi, and everything else looks like Nachi, but the packet size is off by 
10 bytes.

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
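The size question raised above turns on which length is being counted: the Ethernet frame, the IPv4 datagram, or just the ICMP data after the 8-byte echo header. The quoted rule's depth:106 only bounds how far into the payload the content search runs; it does not assert a packet size (Snort's dsize keyword is what tests payload length). The following script is an added example, not code from this thread or from Snort: it constructs IPv4/ICMP echo-request datagrams in memory, parses them, reports the length at each layer (assuming an untagged 14-byte Ethernet header for the frame figure), and applies both the rule's content test and a stricter "64 bytes of 0xaa and nothing else" check, so the reader can see how a 92-byte datagram becomes a 106-byte frame and why a payload that is longer than 64 bytes still satisfies the content match. All packet contents and addresses are constructed sample data.

```python
import socket
import struct

ETH_HDR_LEN = 14          # untagged Ethernet II header (assumption for frame_len)
IPV4_MIN_HDR = 20
ICMP_HDR_LEN = 8          # type, code, checksum, identifier, sequence
CONTENT_DEPTH = 106       # the depth:106 from the quoted rule
NACHI_PATTERN = b"\xaa" * 64   # the 64 bytes of 0xaa from the quoted rule's content


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used for both the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, ident: int = 0x1234, seq: int = 1,
                    src: str = "192.0.2.10", dst: str = "192.0.2.20") -> bytes:
    """Construct an IPv4 datagram carrying an ICMP echo request (constructed sample data)."""
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    icmp_hdr = struct.pack("!BBHHH", 8, 0, inet_checksum(icmp_hdr + payload), ident, seq)
    icmp = icmp_hdr + payload
    total_len = IPV4_MIN_HDR + len(icmp)
    fields = [0x45, 0, total_len, 0, 0, 64, socket.IPPROTO_ICMP, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = inet_checksum(ip_hdr)
    return struct.pack("!BBHHHBBH4s4s", *fields) + icmp


def classify_icmp_echo(datagram: bytes) -> dict:
    """Parse an IPv4/ICMP datagram and report sizes plus the two detection tests."""
    ver_ihl, _, total_len, _, _, _, proto = struct.unpack("!BBHHHBB", datagram[:10])
    if ver_ihl >> 4 != 4 or proto != socket.IPPROTO_ICMP:
        raise ValueError("not an IPv4/ICMP datagram")
    ihl = (ver_ihl & 0x0F) * 4
    icmp = datagram[ihl:total_len]
    itype, icode = icmp[0], icmp[1]
    payload = icmp[ICMP_HDR_LEN:]
    return {
        "echo_request": itype == 8 and icode == 0,
        "frame_len": total_len + ETH_HDR_LEN,     # what a sniffer shows on the wire
        "ip_total_len": total_len,                # IPv4 Total Length field
        "payload_len": len(payload),              # ICMP data after the 8-byte header
        # What the quoted rule's content/depth pair tests: the 64-byte pattern
        # anywhere within the first 106 bytes of payload.
        "rule_content_match": NACHI_PATTERN in payload[:CONTENT_DEPTH],
        # Stricter check: exactly 64 bytes, all 0xaa (what dsize:64 would add).
        "nachi_like": payload == NACHI_PATTERN,
    }


def sample_results() -> dict:
    """Classify three constructed datagrams: 64 x 0xaa, 74 x 0xaa, and a normal ping."""
    return {
        "aa64": classify_icmp_echo(build_icmp_echo(NACHI_PATTERN)),
        "aa74": classify_icmp_echo(build_icmp_echo(b"\xaa" * 74)),
        "plain": classify_icmp_echo(build_icmp_echo(bytes(range(0x10, 0x30)))),
    }


if __name__ == "__main__":
    for name, res in sample_results().items():
        print(name, res)
```

The 64-byte sample yields a 92-byte IPv4 datagram and a 106-byte Ethernet frame, which is one plausible origin for disagreements over "96 versus 106" when two people read lengths off different tools. The 74-byte sample still satisfies the rule's content test because the search window is wider than the pattern, while the strict check rejects it; a sensor rule that wants to pin the payload size would need dsize alongside content.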



