[Snort-sigs] sig for recent massive ICMP scans

Bill Terwilliger bill_terwilliger at ...1911...
Fri Sep 26 06:09:17 EDT 2003


I think that the Nachi/Welchia packet is 106 bytes if you include the  
layer2 header and 96 bytes if you don't include it.

On Thursday, September 25, 2003, at 11:08 PM, Paul Schmehl wrote:

> --On Thursday, September 25, 2003 4:43 PM -0400 SoloNet Newsfeed  
> <newsfeed at ...1411...> wrote:
>>
>> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Scan Netblock (VIRUS?)";content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|";itype:8;icode:0;depth:106;classtype:misc-activity;rev:1;)
>>
> Are you sure that the packets are 106 bytes and not 96 bytes?  The  
> reason that I ask is because Nachi/Welchia packets were 96 bytes.  If  
> these really are 106 bytes, then they're something new.  The payload  
> is the same size as Nachi, and everything else looks like Nachi, but  
> the packet size is off by 10 bytes.
>
> Paul Schmehl (pauls at ...1311...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
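To see exactly which bytes the quoted rule inspects and where the two sizes in the thread come from, here is an added example (not code from the list or from Snort itself) that builds a constructed Ethernet/IPv4/ICMP echo-request frame carrying the 64-byte 0xAA data the rule's content option encodes, then parses it back and reports the frame length with and without the 14-byte layer-2 header and whether the rule's itype/icode/content/depth criteria hold. The MAC and IP addresses, ICMP id and sequence are made-up sample values.

```python
import struct

# The rule's content "|aa...aa|" is 128 hex digits, i.e. 64 bytes of 0xAA.
NACHI_PAYLOAD = b"\xaa" * 64

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP header and data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_frame(payload: bytes) -> bytes:
    """Constructed sample frame: Ethernet + IPv4 + ICMP echo request (type 8, code 0)."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)          # checksum field zeroed
    csum = icmp_checksum(hdr + payload)
    icmp = struct.pack("!BBHHH", 8, 0, csum, 0x1234, 1) + payload
    total_len = 20 + len(icmp)                                # IPv4 total length, no L2
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # sample addresses
    eth_hdr = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00"         # dst, src, EtherType IPv4
    return eth_hdr + ip_hdr + icmp

def inspect_frame(frame: bytes) -> dict:
    """Parse the frame and evaluate the quoted rule's match criteria against it."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != 1:
        raise ValueError("not ICMP")
    icmp = frame[14 + ihl:14 + total_len]
    itype, icode = icmp[0], icmp[1]
    # For an echo request Snort's content search runs over the data that follows
    # the 8-byte ICMP header; depth:106 limits the search to the first 106 of those bytes.
    data = icmp[8:]
    matches = itype == 8 and icode == 0 and NACHI_PAYLOAD in data[:106]
    return {
        "frame_len": len(frame),      # on the wire, including the 14-byte Ethernet header
        "ip_len": total_len,          # without the layer-2 header
        "icmp_data_len": len(data),
        "rule_matches": matches,
    }

if __name__ == "__main__":
    print(inspect_frame(build_echo_frame(NACHI_PAYLOAD)))
```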