[Snort-sigs] sig for recent massive ICMP scans

SoloNet Newsfeed newsfeed at ...1411...
Fri Sep 26 06:27:12 EDT 2003


It's what I got from Ethereal, and it's matching everything it's 
supposed to for the traffic we're seeing. I mentioned this to somebody 
off list, but basically, it's cut down on the false positives for 
CyberKit, and it's more specific than the Nachi sig released a few weeks 
ago, so I'm guessing, if you guys monitor your traffic, it may be 
something new. We started seeing this traffic after Nachi started and 
even have that sig in our distributed sensors, but the Nachi sig wasn't 
picking this up. The behaviour is similar to Nachi, but as I mentioned 
in my first post, it has an odd pattern and characteristics to how the 
traffic spreads.

Paul Schmehl wrote:

> --On Thursday, September 25, 2003 4:43 PM -0400 SoloNet Newsfeed 
> <newsfeed at ...1411...> wrote:
>
>>
>> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Scan Netblock (VIRUS?)";content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|";itype:8;icode:0;depth:106;classtype:misc-activity;rev:1;)
>>
> Are you sure that the packets are 106 bytes and not 96 bytes?  The 
> reason that I ask is because Nachi/Welchia packets were 96 bytes.  If 
> these really are 106 bytes, then they're something new.  The payload 
> is the same size as Nachi, and everything else looks like Nachi, but 
> the packet size is off by 10 bytes.
>
> Paul Schmehl (pauls at ...1311...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
>
>
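As an added example that is not part of the thread, the following Python models the quoted rule's conditions (itype:8, icode:0, a run of 0xAA bytes within depth:106) and runs it over constructed ICMP echo packets, with a helper that computes on-wire lengths so the 96-byte and 106-byte figures in the exchange can be compared. It assumes the rule's hex content is 64 bytes of 0xAA and that Ethereal's frame length includes the 14-byte Ethernet header.

```python
import struct

# Constructed values (not from the thread): the rule's hex content is assumed
# to be 64 bytes of 0xAA; the other conditions are copied from the rule.
RULE_CONTENT = b"\xaa" * 64
RULE_DEPTH = 106

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(payload: bytes, itype: int = 8, icode: int = 0,
               ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build an ICMP message (echo request by default) with a valid checksum."""
    header = struct.pack("!BBHHH", itype, icode, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, icode, csum, ident, seq) + payload

def rule_matches(icmp: bytes) -> bool:
    """Apply the quoted rule's tests to one ICMP message (IP header stripped).

    Snort matches content after the 8-byte ICMP header, and depth:N limits
    the search to the first N payload bytes. Bad checksums are rejected.
    """
    if len(icmp) < 8 or icmp_checksum(icmp) != 0:
        return False                       # truncated or corrupt message
    if icmp[0] != 8 or icmp[1] != 0:       # itype:8;icode:0
        return False
    payload = icmp[8:]
    return RULE_CONTENT in payload[:RULE_DEPTH]

def frame_length(payload_len: int, with_ethernet: bool = True) -> int:
    """Bytes for an IPv4 echo request carrying payload_len payload bytes.

    Ethereal's frame length includes the 14-byte Ethernet header; the IP
    total length does not (20-byte IPv4 header + 8-byte ICMP header).
    """
    return (14 if with_ethernet else 0) + 20 + 8 + payload_len

if __name__ == "__main__":
    samples = [("64x0xAA", build_icmp(RULE_CONTENT)),
               ("16x0xAA", build_icmp(b"\xaa" * 16 + b"\x00" * 48)),
               ("linux-ping", build_icmp(bytes(range(0x10, 0x38))))]
    for label, pkt in samples:
        print(f"{label:11s} match={rule_matches(pkt)} frame={frame_length(len(pkt) - 8)}")
```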