[Snort-sigs] IDS Rules to detect The Blacknurse Attack - ICMP DOS

Joshua Williams joshuwi2 at ...435...
Mon Nov 14 15:13:16 EST 2016


Lenny,

Thanks for your submission. I'll review and test these rules and get back
to you when they are finished.

--
Josh Williams
Detection Response Team
TALOS Security Group

On Sat, Nov 12, 2016 at 1:07 AM, Lenny Hansson <lenny at ...4057...> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi all users
>
> 2 public released IDS rules to detect The Blacknurse Attack - Feel free to use.
> REF: blacknurse.dk
>
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"TDC-SOC – Possible BlackNurse attack from external source"; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url,soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000012; rev:1;)
>
> alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"TDC-SOC – Possible BlackNurse attack from internal source"; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url,soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000013; rev:1;)
>
> Venlig hilsen / Best Regards
> Lenny Hansson
>
> E-mail: security at ...4057...
> Key-ID: D282 E960 7B91 5A04 68DA AB33 4070 9EB8 9137 9877
>
> -----BEGIN PGP SIGNATURE-----
> Version: Mailvelope v1.5.2
> Comment: https://www.mailvelope.com
>
> wsFcBAEBCAAQBQJYJrGCCRBAcJ64kTeYdwAAGzkQAKOrssYx5bfABHBDflnj
> HP0ZImzOYcjNygsE6UA7BhboBlA7CD2jzF/WrE5FZ6AHEAa55dX/fdrtmpK5
> SY/V4UDqTffLbmLtKfKTHKb4uUTKjR9j9VUIMqbRDCgU2fOCOl0//Mt64loT
> bXaemLkhJf4cDhXW6dVUPySbOgtAJAP4RpntnFpkNmm4gobGnEOVYZdMH02R
> 9q1Du6N7VNIJQ1Ld8zvj0c/PxqTpwHK/63x26uvYVwxKJdSYWcUShMIZbqJY
> xpgSLOzm6gtKNP1ZwGgPRLymmFVU+5suUbFR2wmXyXzfvkpcjhNB3j5ydSTo
> K2bo7oOilYwD3cBR4pdQaHEkasXH5ZVC/GNV/6hY6LwOBH3kmS9uYFh6r79O
> VGx9x+Ejxu/nuMKwDVxZ2+kHdMxycRSzv6vLoNGALjVxWeMECh/vkBWVw8Wu
> Y1KvKDjn/k7I6KVJFhdDnlrXq5xKY5MsXBsFNmN2eJL8DLwt+gs7ywd2ddMw
> mnjUmyvul91afq/SeW1TtHbxiwUVFPUKUDZZ8I3E+hbeIC0kRji+5eLzN6ub
> tubkDriTGELypKh5IWXgUpAn4isNbdZnzbzYNUsLsVUlyBpBgZbfZY/bYhTD
> 4ZOKSZw6w74ogk+L7G8vhGLpBR311XiAPzj5I75kVTo7beN+LzQw7zWWI3Gp
> e+8B
> =ayKB
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------------
> ------------------
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads">emerging threats</a>!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20161114/0e4c2e52/attachment.html>


More information about the Snort-sigs mailing list