[Snort-users] welchia rule, nachie and CyberKit 2.2

Jason Truong JasonT at ...10396...
Tue Nov 4 14:56:27 EST 2003


I guess I am a bit confused here.  I have this Nachi rule in place:

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg: "ALERT!!! NACHI Infection!!"; content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; dsize:64; itype: 8; icode: 0; classtype:trojan-activity; sid: 10000008; rev: 1;)

It works great and does pick up Nachi when it sees it.
However, I also see these alerts in Snort and Acid

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
11/04-14:40:35.833076 208.245.23.183 -> 10.1.140.12
ICMP TTL:117 TOS:0x0 ID:27649 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:21994  ECHO
[Xref => http://www.whitehats.com/info/IDS154]

Are these false alerts or is this something that is requires immediate attention to?  I look a bit on the archived mailing lists and some people have mentioned that is alert is relative to the after effects of Nachi, Blaster and Welchia.

Thanks and I hope that I am not the only confused here.

Jason T.




More information about the Snort-users mailing list