[Snort-users] welchia rule, nachie and CyberKit 2.2
JasonT at ...10396...
Tue Nov 4 14:56:27 EST 2003
I guess I am a bit confused here. I have this Nachi rule in place:
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg: "ALERT!!! NACHI Infection!!"; content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; dsize:64; itype: 8; icode: 0; classtype:trojan-activity; sid: 10000008; rev: 1;)
It works great and does pick up Nachi when it sees it.
However, I also see these alerts in Snort and ACID:
[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
11/04-14:40:35.833076 220.127.116.11 -> 10.1.140.12
ICMP TTL:117 TOS:0x0 ID:27649 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:21994 ECHO
[Xref => http://www.whitehats.com/info/IDS154]
Are these false alerts, or is this something that requires immediate attention? I looked a bit at the archived mailing lists, and some people have mentioned that this alert is related to the after-effects of Nachi, Blaster and Welchia.
Thanks, and I hope that I am not the only one confused here.
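An added example (not from the original post or from Snort) that evaluates the conditions of the Nachi rule above over constructed packets, assuming $HOME_NET is 10.0.0.0/8. It shows that the logged alert's DgmLen:92 with IpLen:20 corresponds to a 64-byte ICMP payload (the rule's dsize:64), and that the custom rule only matches the $HOME_NET -> $EXTERNAL_NET direction, so an inbound echo like the one logged would not trigger it.

```python
import ipaddress
import struct

HOME_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption: the 10.1.140.12 host is inside $HOME_NET
NACHI_CONTENT = bytes.fromhex("aa" * 32)        # the |aaaa...| content string from the rule (32 x 0xAA)

def build_icmp_echo(src, dst, payload, ident=512, seq=21994, ttl=117):
    """Constructed sample: minimal IPv4 header + ICMP echo request (checksums left zero)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload        # type 8, code 0
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 27649, 0, ttl, 1, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + icmp

def parse(pkt):
    """Pull out the fields Snort prints (DgmLen, IpLen, Type, Code) and the ICMP payload."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    icmp = pkt[ihl:total_len]
    return {"src": ipaddress.ip_address(pkt[12:16]), "dst": ipaddress.ip_address(pkt[16:20]),
            "proto": pkt[9], "dgmlen": total_len, "iplen": ihl,
            "itype": icmp[0], "icode": icmp[1],
            "dsize": len(icmp) - 8, "payload": icmp[8:]}   # dsize = ICMP data after the 8-byte header

def matches_nachi_rule(pkt):
    """Evaluate the poster's rule: $HOME_NET -> $EXTERNAL_NET, itype 8, icode 0, dsize 64, content."""
    p = parse(pkt)
    if p["proto"] != 1:                                  # not ICMP
        return False
    direction_ok = p["src"] in HOME_NET and p["dst"] not in HOME_NET
    return (direction_ok and p["itype"] == 8 and p["icode"] == 0
            and p["dsize"] == 64 and NACHI_CONTENT in p["payload"])

# Constructed samples: the first mirrors the logged alert (220.127.116.11 -> 10.1.140.12, DgmLen 92).
inbound_pkt = build_icmp_echo("220.127.116.11", "10.1.140.12", b"\xaa" * 64)
outbound_pkt = build_icmp_echo("10.1.140.12", "220.127.116.11", b"\xaa" * 64)
normal_ping = build_icmp_echo("10.1.140.12", "220.127.116.11", bytes(range(0x08, 0x28)))  # 32-byte payload

if __name__ == "__main__":
    for name, pkt in [("inbound", inbound_pkt), ("outbound", outbound_pkt), ("normal", normal_ping)]:
        p = parse(pkt)
        print(name, "DgmLen:", p["dgmlen"], "dsize:", p["dsize"], "nachi rule:", matches_nachi_rule(pkt))
```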