[Snort-sigs] sig for recent massive ICMP scans

Brian Howard drivah at ...1821...
Thu Sep 25 21:02:02 EDT 2003


The ICMP payload consisting of 64 "a"s is characteristic of Welchia and its variants.
Personally I use this rule to detect the bloody thing and haven't had a false positive yet.


SoloNet Newsfeed wrote:

> I don't know if everybody else has been receiving the amount of ICMP
> traffic scans we have been (noticed on multiple sensors and different
> ISPs), but they were triggering on false CyberKit rules. Here's a sig
> I'm working on that seems to match this particular issue. The
> recommendation from the CyberKit rule on snort.org for blocking certain
> ICMP traffic works like a charm, but if you're determined to weed these
> folks out, here's the sig, comments are welcome.
>
> I've seen that the packet size is always 106 bytes and the payload is
> always 64. They scan the next netblock after hitting the .10 and .50 IPs
> of the previous class C, which is the actual target of the scan. Header
> size is also 20 bytes.
>
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Scan Netblock (VIRUS?)"; content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; itype:8; icode:0; depth:106; classtype:misc-activity; rev:1;)
>
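The pattern the quoted rule keys on (ICMP echo request, type 8 code 0, carrying exactly 64 bytes of 0xAA behind a 20-byte IP header) can be checked outside Snort as well. The following is an added example, not code from the thread or from the Snort project: it builds a constructed sample packet and a small matcher over raw IPv4 bytes; the addresses, identifier and sequence values are made up for the sample.

```python
import struct

# 64 bytes of 0xAA: the echo-request payload the thread attributes to Welchia
WELCHIA_PAYLOAD = b"\xaa" * 64

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP message (pad odd length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(src: bytes, dst: bytes, payload: bytes,
                       ident: int = 0x0300, seq: int = 0x0001) -> bytes:
    """Constructed sample: 20-byte IPv4 header (no options, IP checksum left 0)
    followed by an ICMP echo request with a valid ICMP checksum."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 128, 1, 0, src, dst)
    return ip + icmp  # 92 bytes for a 64-byte payload; 106 with a 14-byte Ethernet header

def is_welchia_ping(packet: bytes) -> bool:
    """True when an IPv4 packet is an ICMP echo request (type 8, code 0)
    whose payload is exactly 64 bytes of 0xAA and whose ICMP checksum verifies."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1 or ihl < 20 or total_len > len(packet) or total_len < ihl + 8:
        return False
    icmp = packet[ihl:total_len]
    if icmp_checksum(icmp) != 0:      # a correct checksum sums to zero
        return False
    return icmp[0] == 8 and icmp[1] == 0 and icmp[8:] == WELCHIA_PAYLOAD

def count_welchia_pings(packets) -> int:
    """Number of packets in an iterable of raw IPv4 packets that match."""
    return sum(1 for p in packets if is_welchia_ping(p))
```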
