[Snort-sigs] Re: sig for recent massive ICMP scans

Nick.Cross at ...1874...
Tue Sep 30 03:09:05 EDT 2003

Just to let you all know that this sig has caught the Nachi.A (or a variant
that Trend AV reports as that) running across our WAN this morning.  You
need the MS03-039 patch to not be infected, which luckily we SMS'ed out

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Scan Netblock (VIRUS?)"; content:"

As always this list service saves my butt. =)

Many, many thanks.


P.S. Does anyone have a sig for the actual virus variant yet? We turned off
icmp 8:0 on the WAN before I could get a packet trace.
