[Snort-users] welchia rule

Mark.Schutzmann at ...10438... Mark.Schutzmann at ...10438...
Wed Nov 5 13:48:55 EST 2003


This is an excellent rule - I also immediately detected a couple of rogue
computers. Thanks for sharing. Is there a way to (or how did you) determine
how many packets/hits per second/minute an event is triggering the Snort
rule?


From: "Schmehl, Paul L" <pauls at ...6838...>
Sent by: snort-users-admin at ...4626...ceforge.net
To: "Leonard Miller" <Leonard.Miller at ...7710...>, <snort-users at lists.sourceforge.net>, <dortega at ...10460...>
Subject: RE: [Snort-users] welchia rule
Date: 11/04/2003 04:11 PM

> -----Original Message-----
> From: Leonard Miller [mailto:Leonard.Miller at ...7710...]
> Sent: Tuesday, November 04, 2003 2:39 PM
> To: snort-users at lists.sourceforge.net; dortega at ...10460...;
> Leonard Miller; Schmehl, Paul L
> Subject: RE: [Snort-users] welchia rule
> Would it matter if the payload was aaaaaaaaaaaaaaaaaaaa
> and not aaaa aaaa aaaa aaaa
> The reason I ask is that I saw on arachNIDS that the rule was
> a little different and picked up as CyberKit 2.2 Windows

No sooner did I send the updated rule and I began to see some alerts for
non-infected boxes, so I upped the "count" value to 1000.  An infected
box will generate 2500 alerts a minute or more, so it could be moved
higher.  I'm just trying to be conservative.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
