[Snort-users] CyberKit 2.2 Ping, its driven me Nuts..

CGhercoias at ...8619... CGhercoias at ...8619...
Mon Dec 29 13:32:02 EST 2003


Hi,

This seems very interesting.
Would you please post details about how have you done it?
Eventually the cron script to check these specific alerts (WELCHIA/NACHI and MSBLASTER) and how you send emails to the antivirus team.

Thank you in advance,
Catalin.


-----Original Message-----
From:	Alexander Hampel [mailto:alexanderhampel at ...2792...]
Sent:	Mon 12/29/2003 2:55 PM
To:	snort-users at lists.sourceforge.net
Cc:	
Subject:	Re: [Snort-users] CyberKit 2.2 Ping, its driven me Nuts..
I use a custom cron script, that checks every minute for CyberKit 2.2 alerts originating from within our Class B network. It gets the MAC address of the offending PC through 'nbtscan', and sends popup warning messages to the offender via 'smbclient -M'. It further logs the offending PC's NetBIOS name, IP, MAC, and sends out a text page via 'mailto', so the antivirus team can take care of the infected PC.

External Cyberkit 2.2 alerts are being ignored. Incoming ports 135 and tftp are of course blocked at the firewall to prevent infection from the outside.

Alexander



Erwin Van de Velde <erwin.vandevelde at ...10361...> wrote:

>Hi,
>
>Commenting it out will make you bind for internal infections!!!
>I don't think it is good to comment it out, just adapt it if you really want 
>to get rid of the alerts. Otherwise: filtering afterwards on alerts itself. 
>This way you will keep statistical information on virus activity, which can 
>be nice to show your boss :-)
>It's also a good thing to keep an eye on general internet activity and 
>commenting all those nasty alerts out isn't the way to do that.
>
>Greetings,
>Erwin Van de Velde
>Student of Antwerp University
>Belgium
>
>
>
>On Monday 29 December 2003 17:51, Bryan Irvine wrote:
>> I commented that rule out.
>>
>> On Mon, 2003-12-29 at 10:51, Chris N wrote:
>> > Fellow Snorters,
>> >
>> > Ok, I have had enough of this "CyberKit 2.2 Ping." How are some of you
>> > guys dealing with it? Do you just ignore(pass), log every one, or go and
>> > try to shut the offending hosts down? Although, trying to shutdown all
>> > the offending host could be a daunting task, since there are so dam many.
>> >
>> > Chris
>> >
>> >
>> >
>> > -------------------------------------------------------
>> > This SF.net email is sponsored by: IBM Linux Tutorials.
>> > Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
>> > Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
>> > Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
>> > _______________________________________________
>> > Snort-users mailing list
>> > Snort-users at lists.sourceforge.net
>> > Go to this URL to change user options or unsubscribe:
>> > https://lists.sourceforge.net/lists/listinfo/snort-users
>> > Snort-users list archive:
>> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> -------------------------------------------------------
>> This SF.net email is sponsored by: IBM Linux Tutorials.
>> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
>> Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
>> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>-------------------------------------------------------
>This SF.net email is sponsored by: IBM Linux Tutorials.
>Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
>Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
>Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>

__________________________________________________________________
New! Unlimited Access from the Netscape Internet Service.
Beta test the new Netscape Internet Service for only $1.00 per month until 3/1/04.
Sign up today at http://isp.netscape.com/register
Act now to get a personalized email address!

Netscape. Just the Net You Need.


-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users







More information about the Snort-users mailing list