[Snort-sigs] Re: sig for recent massive ICMP scans

Nick.Cross at ...1874...
Tue Sep 30 03:09:05 EDT 2003


Just to let you all know that this sig has caught Nachi.A (or a variant that
Trend AV reports as Nachi.A) running across our WAN this morning.  You need the
MS03-039 patch to not be infected, which luckily we SMS'ed out yesterday.

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Scan Netblock (VIRUS?)"; \
    content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; \
    itype:8; icode:0; depth:106; classtype:misc-activity; rev:1;)

As always this list service saves my butt. =)

Many, many thanks.

Nick.

PS. Does anyone have a sig for the actual virus variant yet? We turned off
ICMP 8:0 on the WAN before I could get a packet trace.
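For anyone who wants to check what the rule above actually keys on before deploying it, here is a small Python script (added here as an illustration; it is not Nick's code and not part of Snort) that parses ICMP messages and applies the same three conditions the rule uses: echo request (itype:8, icode:0) and the run of 0xAA bytes found within the first 106 bytes of ICMP data (the rule's depth). It assumes the pipe-delimited hex string amounts to 64 bytes of 0xAA, the payload length generally associated with Nachi/Welchia pings; all packets it tests are constructed in the script, including a normal Linux ping, a Windows ping, and an echo reply carrying the same 0xAA data, so you can see which ones the rule would and would not fire on.

```python
"""Offline check of the ICMP echo pattern the posted Snort rule looks for (added example)."""
import struct
from typing import Dict, List, Tuple

# Pattern from the rule: the hex string between the pipes, assumed here to be
# 64 bytes of 0xAA (the Nachi/Welchia echo payload); depth:106 is the rule's own value.
NACHI_PAYLOAD = bytes.fromhex("aa" * 64)
RULE_DEPTH = 106
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, icode: int, payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build an ICMP echo request/reply with a correct checksum (constructed sample data)."""
    header = struct.pack("!BBHHH", itype, icode, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, icode, csum, ident, seq) + payload


def parse_icmp(message: bytes) -> Dict[str, object]:
    """Split an ICMP message into header fields and data; raises on a truncated packet."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    itype, icode, _csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    return {
        "type": itype, "code": icode, "id": ident, "seq": seq,
        # Recomputing the checksum over a valid message (checksum field included) folds to 0.
        "checksum_ok": icmp_checksum(message) == 0,
        "data": message[8:],  # Snort matches ICMP content against the data after the header
    }


def matches_nachi_ping(message: bytes) -> bool:
    """Mirror the rule: itype:8, icode:0, and the full 0xAA run inside the first `depth` bytes."""
    fields = parse_icmp(message)
    if fields["type"] != ICMP_ECHO_REQUEST or fields["code"] != 0:
        return False
    # Slicing to RULE_DEPTH before searching gives Snort's depth semantics:
    # the whole content must end within the first 106 bytes of data.
    return NACHI_PAYLOAD in fields["data"][:RULE_DEPTH]


def sample_packets() -> Dict[str, bytes]:
    """Constructed ICMP messages: one Nachi-style echo plus benign and edge-case look-alikes."""
    linux_ping_data = struct.pack("!Q", 0x3F6B1C2A00000000) + bytes(range(0x10, 0x40))  # timestamp + 0x10..0x3f
    windows_ping_data = b"abcdefghijklmnopqrstuvwabcdefghi"  # the 32-byte Windows ping pattern
    return {
        "nachi_echo": build_icmp(ICMP_ECHO_REQUEST, 0, NACHI_PAYLOAD),
        "nachi_reply": build_icmp(ICMP_ECHO_REPLY, 0, NACHI_PAYLOAD),          # same data, but a reply
        "linux_ping": build_icmp(ICMP_ECHO_REQUEST, 0, linux_ping_data),
        "windows_ping": build_icmp(ICMP_ECHO_REQUEST, 0, windows_ping_data),
        "short_aa_run": build_icmp(ICMP_ECHO_REQUEST, 0, b"\xaa" * 63),       # one byte short
        "edge_aa_run": build_icmp(ICMP_ECHO_REQUEST, 0, b"\x00" * 42 + NACHI_PAYLOAD),  # ends at byte 106
        "late_aa_run": build_icmp(ICMP_ECHO_REQUEST, 0, b"\x00" * 43 + NACHI_PAYLOAD),  # ends at byte 107
    }


def triage(packets: Dict[str, bytes]) -> List[Tuple[str, bool]]:
    """Run the match over a batch, as you would over the ICMP messages pulled from a capture."""
    return [(name, matches_nachi_ping(pkt)) for name, pkt in packets.items()]


if __name__ == "__main__":
    for name, hit in triage(sample_packets()):
        print(f"{name:14s} {'ALERT' if hit else 'ok'}")
```

The two edge cases are there to show what depth:106 buys you: a 0xAA run that ends at byte 106 still fires, one byte later does not, so padding in front of the pattern would slip past the rule while an echo reply (type 0) with identical data never fires regardless. If you feed this real traffic, hand it the ICMP message starting at the type byte, i.e. after the IP header.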
