[Snort-users] welchia rule

John Impallomeni John.Impallomeni at ...10404...
Tue Nov 4 13:34:16 EST 2003


I have used the Cyberkit 2.2 rule; it seems to pick up Welchia. I do get
some false positives, but if I get more than 20 alerts within a short
time then I know that it is Welchia.

John Impallomeni
Systems Administrator
Sun Healthcare Group
(505) 468-6651
(505) 975-0061 Cel.
john.impallomeni at ...10404...



-----Original Message-----
From: Leonard Miller [mailto:Leonard.Miller at ...7710...] 
Sent: Tuesday, November 04, 2003 1:39 PM
To: snort-users at lists.sourceforge.net; dortega at ...10460...; Leonard Miller;
pauls at ...6838...
Subject: RE: [Snort-users] welchia rule

Would it matter if the payload was aaaaaaaaaaaaaaaaaaaa
and not aaaa aaaa aaaa aaaa?
The reason I ask is that I saw on arachNIDS that the rule was a little
different and picked up as CyberKit 2.2 Windows.

Thanks
Leonard
Automatically inserted lawyer supplied blurb follows


>>> "Leonard Miller" <Leonard.Miller at ...7710...> 11/04/03 12:10PM >>>
Hi,
I just started using snort.  In order to use this rule, do I just add
that to the virus.rules file and enable the rule in snort.conf?
If I should start with something a little more simple, let me know.

Thanks
Leonard
Automatically inserted lawyer supplied blurb follows.


>>> "Schmehl, Paul L" <pauls at ...6838...> 11/04/03 10:44AM >>>
> -----Original Message-----
> From: David Omar Ortega Aranda [mailto:dortega at ...10460...] 
> Sent: Monday, November 03, 2003 5:51 PM
> To: snort-users at lists.sourceforge.net 
> Subject: [Snort-users] welchia rule
> 
> Do any of you have a good working Welchia virus signature?

# This rule is for tracking Nachi infections
alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!"; \
  content: "|aaaa aaaa aaaa \
  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa \
  aaaa aaaa aaaa aaaa aaaa \
  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|"; \
  dsize:64; itype: 8; icode: 0; classtype:trojan-activity; sid: 10000008; rev: 1;)

Paul Schmehl (pauls at ...6838...)
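A small Python model of the two points raised in this thread, added here and not part of any poster's message or of Snort itself: it parses Snort's |...| hex notation the way Paul's rule relies on (whitespace between hex digits is ignored, so Leonard's aaaaaaaa and aaaa aaaa forms describe the same bytes), applies the rule's itype/icode/dsize/content checks to a constructed 64-byte 0xAA echo-request payload, and implements John's threshold of more than 20 alerts from one host in a short window to tell an infection from stray Cyberkit pings. The 60-second window, the sample timestamps and the IP addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample payload: Welchia/Nachi ICMP echo requests carry 64 bytes of 0xAA.
WELCHIA_PAYLOAD = b"\xaa" * 64

# The same content written with and without spaces inside the pipes.
SPACED_CONTENT = "|" + " ".join(["aaaa"] * 32) + "|"
UNSPACED_CONTENT = "|" + "aaaa" * 32 + "|"

def parse_snort_content(content: str) -> bytes:
    """Turn a Snort content string into the raw bytes it matches.

    Text outside |...| is literal; text inside is hex, and whitespace
    between hex digits is ignored, so "|aaaa aaaa|" and "|aaaaaaaa|"
    describe the same four bytes.
    """
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        if i % 2 == 0:                       # outside pipes: literal text
            out += chunk.encode("latin-1")
        else:                                # inside pipes: hex bytes
            out += bytes.fromhex(re.sub(r"\s+", "", chunk))
    return bytes(out)

def rule_matches(itype: int, icode: int, payload: bytes, content: str,
                 dsize: int = 64) -> bool:
    """Apply the checks from the posted rule: echo request, exact size, content."""
    return (itype == 8 and icode == 0 and len(payload) == dsize
            and parse_snort_content(content) in payload)

def welchia_sources(alerts, window=60.0, threshold=20):
    """John's rule of thumb: a source with more than `threshold` alerts in
    any `window`-second span is treated as infected; a lone Cyberkit ping
    that trips the same signature is not. `alerts` is (timestamp, src_ip)."""
    by_src = defaultdict(list)
    for ts, src in alerts:
        by_src[src].append(ts)
    infected = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                infected.add(src)
                break
    return sorted(infected)
```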





