[Snort-users] Welchia/Nachi rule

Schmehl, Paul L pauls at ...6838...
Wed Nov 5 11:05:30 EST 2003


Yesterday I posted a new version of my rule for this worm.  The rule
works with snort 2.0.2 or better and takes advantage of the new
thresholding keyword to eliminate "false positives".

After rereading the README.thresholding docs, I realized that I had not
really used the new thresholding rules in the best way.  I believe that
I now understand them better, so I'm posting this updated copy of the
rule:

# This rule is for tracking Welchia/Nachi infections
# Requires Snort 2.0.2 or later (threshold keyword). Fires once per 60 s for a
# source that sends 1000+ 64-byte ICMP echo requests whose payload is 0xAA bytes.
alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!";\
 content: "|aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa\
 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa\
 aaaa aaaa aaaa aaaa aaaa|"; dsize:64; itype: 8; icode: 0; threshold:\
 type both, track by_src, count 1000, seconds 60;\
 classtype:trojan-activity;\
 sid: 10000008; rev: 4;)

The update that I posted yesterday used type "limit".  What that does is
limit the number of alerts that you see to the number that you specify
in "count".  But by using that type, you also see any hosts that are
under that limit, which means any hosts doing pings or tracerts will
trigger alerts as well.

By using type "both", the rule will now only trigger if a host generates
at least 1000 alerts in 60 seconds, and it will only trigger one alert
per minute.  This means that an infected host would trigger 60 alerts
per hour.  This should also completely eliminate "false positives"
caused by Windows hosts that are being used for doing pings or tracerts.
(So, if you want to detect hosts doing pings and tracerts, this rule
won't do that for you.)

If you want to detect infections coming from outside your network,
change "$HOME_NET" to "any".

My apologies for cluttering the lists.  I should have been more patient
before posting my update yesterday.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
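As an added illustration (not part of Paul's post and not Snort's own code), the Python script below simulates the threshold types described in the message ("limit", "threshold" and "both", keyed by source address) over constructed ICMP events: one host behaving like an infected machine, sending 1500 matching echo requests per minute for two minutes, and one administrator's workstation sending four ordinary pings. The windowing is a simplification of Snort's implementation (a fixed 60-second window opened by the first event for a key after the previous window expires), which is enough to show why "both" with count 1000 yields one alert per minute for the infected host and none for the pinging host, while "limit" still reports the four pings. Host addresses and packet rates are constructed sample values.

```python
"""Simulate Snort 2.0.x rule thresholding (types limit / threshold / both)
over constructed ICMP events.  Illustrative code written for this page,
not Snort's implementation."""

from collections import Counter


def threshold_filter(events, ttype, count, seconds, track="by_src"):
    """Return the (timestamp, key) pairs that survive thresholding.

    events  : iterable of (timestamp_seconds, src_ip, dst_ip) tuples, in time
              order, for packets that already matched the rule body
              (ICMP echo request, dsize 64, 0xAA payload).
    ttype   : "limit", "threshold" or "both", as in README.thresholding:
              limit     - alert on the first `count` events per window
              threshold - alert on every `count`-th event per window
              both      - alert once per window, when `count` events are seen
    track   : "by_src" or "by_dst", the address the counters are keyed on.
    Windows are fixed intervals of `seconds`, started by the first event seen
    for a key after the previous window expired (a simplification of Snort).
    """
    if ttype not in ("limit", "threshold", "both"):
        raise ValueError("unknown threshold type: %r" % ttype)
    if count < 1 or seconds < 1:
        raise ValueError("count and seconds must be positive")
    state = {}   # key -> (window_start, events_seen_in_window)
    alerts = []
    for ts, src, dst in events:
        key = src if track == "by_src" else dst
        window_start, seen = state.get(key, (None, 0))
        if window_start is None or ts - window_start >= seconds:
            window_start, seen = ts, 0      # open a fresh window for this key
        seen += 1
        state[key] = (window_start, seen)
        if ttype == "limit":
            fire = seen <= count
        elif ttype == "threshold":
            fire = seen % count == 0
        else:  # "both"
            fire = seen == count
        if fire:
            alerts.append((ts, key))
    return alerts


def build_sample_traffic():
    """Constructed sample: 3000 events from a worm-like host (25 per second
    for 120 s, i.e. 1500 per minute) plus four pings from a workstation.
    Timestamps are integer seconds so the 60-second windows are exact."""
    events = []
    for i in range(3000):
        # constructed addresses; the worm sweeps many destinations
        events.append((i // 25, "10.0.0.5", "10.0.%d.%d" % (i % 256, i % 254 + 1)))
    for i in range(4):
        events.append((i, "10.0.0.9", "10.0.0.1"))   # an admin pinging a server
    events.sort(key=lambda e: e[0])
    return events


def count_alerts_by_source(alerts):
    """Collapse the alert list into {source_ip: number_of_alerts}."""
    return dict(Counter(key for _, key in alerts))


if __name__ == "__main__":
    traffic = build_sample_traffic()
    for ttype in ("limit", "threshold", "both"):
        summary = count_alerts_by_source(threshold_filter(traffic, ttype, 1000, 60))
        print("%-9s count 1000, seconds 60 -> %s" % (ttype, summary))
```

Running it shows "limit" producing 2000 alerts for 10.0.0.5 and 4 for the pinging workstation, while "threshold" and "both" produce exactly two alerts for 10.0.0.5 (one per 60-second window) and nothing for the workstation, which is the behaviour the rule revision relies on.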



