[Snort-users] welchia rule

Schmehl, Paul L pauls at ...6838...
Tue Nov 4 14:12:09 EST 2003


> -----Original Message-----
> From: Leonard Miller [mailto:Leonard.Miller at ...7710...] 
> Sent: Tuesday, November 04, 2003 2:39 PM
> To: snort-users at lists.sourceforge.net; dortega at ...10460...; 
> Leonard Miller; Schmehl, Paul L
> Subject: RE: [Snort-users] welchia rule
> 
> 
> Would it matter if the payload was aaaaaaaaaaaaaaaaaaaa
> and not aaaa aaaa aaaa aaaa 
> The reason I ask is that I saw on arachNIDS that the rule was 
> a little different and picked up as CyberKit 2.2 Windows

No sooner had I sent the updated rule than I began to see some alerts for
non-infected boxes, so I upped the "count" value to 1000.  An infected
box will generate 2500 alerts a minute or more, so it could be moved
higher.  I'm just trying to be conservative.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
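The tuning question in this post (why a by-source "count" of 1000 per minute separates an infected host from a box that merely sends a few pings with the same payload) can be checked with a small simulation. The script below is an added example, not the rule or any code from the thread: it models Snort's `threshold` keyword with `type threshold, track by_src, count N, seconds 60` (alert on every N-th matching event from one source inside the window; the windowing here is a simplified assumption), matches the ICMP echo payload on a run of "a" bytes as quoted in the thread, and runs that over constructed events for three made-up hosts: one sending 2500 matching echoes a minute, one sending 20 a minute, and one with an ordinary ping payload.

```python
from collections import defaultdict


def make_events():
    """Constructed sample traffic: (seconds since start, source IP, ICMP echo payload).
    None of these records come from the thread; they are invented to exercise the threshold."""
    events = []
    # Host behaving like an infected box: 2500 matching echo requests per minute.
    for i in range(2500):
        events.append((i * 60 / 2500, "10.0.0.5", b"a" * 64))
    # Host sending the same payload only 20 times a minute (the "non-infected box" case).
    for i in range(20):
        events.append((i * 3.0, "10.0.0.9", b"a" * 64))
    # Host sending pings with an ordinary incrementing payload; must never match.
    for i in range(50):
        events.append((i * 1.2, "10.0.0.7", bytes(range(0x10, 0x50))))
    events.sort(key=lambda e: e[0])
    return events


def payload_matches(payload):
    """Content check: a run of at least 20 consecutive 'a' bytes, as quoted in the thread
    ("aaaaaaaaaaaaaaaaaaaa"). Spacing in the quoted text does not matter for a byte match."""
    return b"a" * 20 in payload


class SrcThreshold:
    """Simplified model of Snort's `threshold: type threshold, track by_src, count C, seconds S`:
    fire on every C-th matching event from a given source within an S-second window.
    The window is assumed to start at the source's first event and reset once it expires."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.state = {}  # src -> (window_start, events_seen)

    def hit(self, src, t):
        start, n = self.state.get(src, (t, 0))
        if t - start >= self.seconds:
            start, n = t, 0  # window expired: start a fresh one
        n += 1
        self.state[src] = (start, n)
        return n % self.count == 0


def run_rule(events, count, seconds=60):
    """Apply the payload match plus by-source threshold; return alerts per source."""
    th = SrcThreshold(count, seconds)
    alerts = defaultdict(int)
    for t, src, payload in events:
        if payload_matches(payload) and th.hit(src, t):
            alerts[src] += 1
    return dict(alerts)


if __name__ == "__main__":
    events = make_events()
    for count in (10, 1000):
        print(f"count={count}: {run_rule(events, count)}")
```

With `count` at 10 the 20-ping host trips the rule twice alongside the infected host; raising it to 1000 leaves only the host sending thousands of matching echoes a minute, which is the effect the post describes.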



