[Snort-users] SUMMARY, CyberKit 2.2 Ping, its driven me Nuts..

Paul Schmehl pauls at ...6838...
Wed Dec 31 22:08:01 EST 2003


----- Original Message ----- 
From: "Jeff Kell" <jeff-kell at ...6282...>
To: "Brice B" <nesta at ...10862...>
Cc: <chris.northrop at ...406...>; <snort-users at lists.sourceforge.net>
Sent: Wednesday, December 31, 2003 8:38 PM
Subject: Re: [Snort-users] SUMMARY, CyberKit 2.2 Ping, its driven me Nuts..
>
> Can anyone verify the [non]existance of a difference between the
> Cyberkit and Nachi pings?  Not having Cyberkit myself, I can only
> address Nachi.  The frame is 106 bytes on the wire, 92 bytes in the IP
> packet, and 64 bytes of 0xaa in the ICMP data payload.
>
> If Cyberkit is anything but 64 bytes of 0xaa payload, perhaps a new,
> Nachi-specific rule is called for.
>
Here's the rule I wrote, which I've posted to the list several times.  It
uses thresholding and triggers one alert per minute.  If you get *any*
alerts with this rule, I *guarantee* you it's a machine infected with Nachi
or a new variant of Nachi.

# This rule is for tracking Nachi infections
alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!";
content: "|aaaa aaaa aaaa aaaa aaaa aaaa aaaa aa
aa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|";
 dsize:64; itype: 8; icode: 0; threshold: type both, track by_src, count
1000, seconds 60; classtype:trojan-activity; si
d: 10000008; rev: 4;)

The usual rules apply.  This must be either all on one line or properly
"escaped", so you'll have to fix it if you copy and paste.  Note that this
rule *only* triggers for internal infections, *not* for infected machines on
$EXTERNAL_NET, so you need to edit it appropriately for what you are looking
for on your network.  I.e. change $HOME_NET to any if you want to catch
*all* infections or $EXTERNAL_NET if you want to catch *incoming*
infections.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
University of Texas at Dallas
http://www.utdallas.edu/ir/





More information about the Snort-users mailing list