[Snort-sigs] [Emerging-Sigs] New rule offered for detecting Ping NVidia

Jeremy Hoel jthoel at ...2420...
Mon Feb 10 11:50:11 EST 2014


We had this and I sent some info to the SANS team. It's one of the
NVIDIA driver updaters. It grabs a .dat file and, when it's done, does
the ping, but it doesn't do a DNS lookup to any domain first; it just seems
to have the IPs internally.

We turned off the autoupdate service and they went away. It seemed
related to the GeForce Experience stuff, but the machines are in the
field and hard to get information about.

On Mon, Feb 10, 2014 at 4:43 PM, Will Metcalf
<wmetcalf at ...3525...> wrote:
> Hmm, is this interesting? Maybe disabled by default? It seems that it is just a
> normal thing the NVIDIA update app does, right?
>
> Regards,
>
> Will
>
>
> On Wed, Feb 5, 2014 at 1:57 PM, rmkml <rmkml at ...174...> wrote:
>>
>> Hi,
>>
>> After the ISC/SANS talk, I'm offering a new rule for detecting the NVIDIA ping:
>>
>> alert icmp any any -> any any (msg:"ICMP PING NVIDIA NvNetworkService
>> check access"; icode:0; itype:8; dsize:32; content:"PING DATA!"; depth:10;
>> offset:0;
>> reference:url,isc.sans.edu/forums/diary/Odd+ICMP+Echo+Request+Payload/17570;
>> classtype:misc-activity; sid:1; rev:1;)
>>
>> Please check all variables before use.
>>
>> All comments are welcome.
>>
>> Regards
>> @Rmkml
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at ...3694...
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreats.net
>> The ONLY place to get complete premium rulesets for all versions of
>> Suricata and Snort 2.4.0 through Current!
>
>
>
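The rule quoted above matches on four things: ICMP type 8, code 0, an ICMP payload of exactly 32 bytes, and the string "PING DATA!" at offset 0 within the first 10 bytes. The following Python is an added example, not code from the thread or from any Snort/Suricata component, that re-implements that matching logic over raw IPv4/ICMP packets so the rule's conditions can be checked offline. The sample packets are constructed here: the source and destination addresses are made up, and the padding after "PING DATA!" up to 32 bytes is an assumption (the posted rule only constrains the first 10 bytes and the total length, not what follows the marker).

```python
"""Offline re-implementation of the "ICMP PING NVIDIA NvNetworkService" rule.

Added example: builds constructed IPv4/ICMP packets in memory and checks
each one against the same conditions the Snort rule expresses
(itype:8; icode:0; dsize:32; content:"PING DATA!"; offset:0; depth:10).
"""
import ipaddress
import struct

ICMP_PROTO = 1
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
MARKER = b"PING DATA!"      # content:"PING DATA!"; offset:0; depth:10
EXPECTED_DSIZE = 32         # dsize:32 counts bytes after the 8-byte ICMP header


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes, ident=0x1234, seq=1) -> bytes:
    """ICMP header (type, code, checksum, id, seq) followed by the payload."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def build_ipv4(proto: int, src: str, dst: str, body: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of `body`."""
    total_len = 20 + len(body)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = inet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + body


def matches_nvidia_ping(packet: bytes) -> bool:
    """True when `packet` satisfies every option of the posted rule."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != ICMP_PROTO or len(packet) < total_len or total_len < ihl + 8:
        return False
    icmp = packet[ihl:total_len]
    itype, icode = icmp[0], icmp[1]
    payload = icmp[8:]                      # what Snort's dsize/content look at
    return (itype == ICMP_ECHO_REQUEST and icode == 0
            and len(payload) == EXPECTED_DSIZE
            and payload[:len(MARKER)] == MARKER)   # offset:0; depth:10


def scan(packets: dict) -> list:
    """Return the names of the sample packets that trigger the rule."""
    return [name for name, pkt in packets.items() if matches_nvidia_ping(pkt)]


# Constructed samples (addresses and marker padding are assumptions).
NVIDIA_PAYLOAD = MARKER.ljust(EXPECTED_DSIZE, b"\x00")
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"      # 32 bytes, stock ping.exe
SAMPLE_PACKETS = {
    "nvidia_updater": build_ipv4(ICMP_PROTO, "10.0.0.5", "10.0.0.1",
                                 build_icmp(ICMP_ECHO_REQUEST, 0, NVIDIA_PAYLOAD)),
    "windows_ping": build_ipv4(ICMP_PROTO, "10.0.0.5", "10.0.0.1",
                               build_icmp(ICMP_ECHO_REQUEST, 0, WINDOWS_PAYLOAD)),
    "echo_reply": build_ipv4(ICMP_PROTO, "10.0.0.1", "10.0.0.5",
                             build_icmp(ICMP_ECHO_REPLY, 0, NVIDIA_PAYLOAD)),
    "long_payload": build_ipv4(ICMP_PROTO, "10.0.0.5", "10.0.0.1",
                               build_icmp(ICMP_ECHO_REQUEST, 0, MARKER.ljust(40, b"\x00"))),
    "udp_noise": build_ipv4(17, "10.0.0.5", "10.0.0.1",
                            b"\x00\x35\x00\x35\x00\x28\x00\x00" + NVIDIA_PAYLOAD),
}

if __name__ == "__main__":
    for name in SAMPLE_PACKETS:
        print(f"{name:15s} -> {'ALERT' if matches_nvidia_ping(SAMPLE_PACKETS[name]) else 'no match'}")
```

Only the echo request with the 32-byte payload starting with "PING DATA!" fires; the stock Windows ping payload, the echo reply carrying the same bytes, a 40-byte variant and a non-ICMP packet all fall through, which is the same set of exclusions the rule's itype/icode/dsize/content options impose. If the updater ever changes the payload length, the `dsize:32` check is the first thing that would silently stop the rule matching.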



