[Snort-users] welchia rule

Schmehl, Paul L pauls at ...6838...
Wed Nov 5 14:12:38 EST 2003


> -----Original Message-----
> From: Mark.Schutzmann at ...10438... [mailto:Mark.Schutzmann at ...10438...] 
> Sent: Wednesday, November 05, 2003 9:55 AM
> To: Schmehl, Paul L
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] welchia rule
> 
> This is an excellent rule- I also immediately detected a 
> couple of rogue computers. Thanks for sharing. Is there a way 
> to (or how did you) determine how many packets/hits per 
> second/minute that an event is triggering the snort rule?
> 
I had plenty of infections for sampling.  :-)

Typically, an infected machine would generate between 150,000 and
250,000 alerts per hour (a minimum of 2500 per minute!) with the original
rule.  I just posted an update that uses the "both" type of threshold
that is working very well here.  It generates 1 alert per minute for
each infected host.  Much easier on the database growth. :-)

If you're not using snort 2.0.2 or better, just remove the threshold
section and the rule will work fine, but you will see some "false
positives".  This is because Welchia/Nachi uses the built-in Windows
ping utility, so any time someone is pinging or doing tracerts, their
machine will set off the original rule.  Some things like Yahoo IM will
set it off because they use Windows pings to check for connectivity.
The updated rule, using "threshold type both" eliminates those, so the
only alerts that you get are from "real" infections.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
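The post does not include the rule itself, so the following is an added example (not Paul's rule and not Snort code): a small simulation of the three Snort 2.x `threshold` types (`limit`, `threshold`, `both`, as documented for Snort 2.0.2 and later, e.g. `threshold: type both, track by_src, count 100, seconds 60;`) run over constructed ICMP alert timestamps for one hour. The host addresses, the `count 100` value and the per-host rates (one infected host at the post's 2500/min lower bound, one admin box running tracerts, one IM client pinging every 30 s) are assumptions chosen to illustrate why `type both` collapses an infection to one alert per minute while dropping ordinary pingers entirely, and why `type limit` alone would not.

```python
"""Simulation of Snort 2.x per-source 'threshold' semantics.

Added example for the Welchia/Nachi thread; not code from Snort or from the
original rule.  Addresses, rates and the count/seconds values are constructed.
"""
from collections import Counter, defaultdict


class EventThreshold:
    """Models the Snort 2.0.2+ 'threshold' rule option, tracked by source.

    type 'limit'     -> alert on the first `count` events per window, then suppress
    type 'threshold' -> alert on every `count`-th event within a window
    type 'both'      -> alert once per window, and only after `count` events

    A tracked address's window opens at its first event and is reset when an
    event arrives `seconds` or more after the window opened.
    """

    def __init__(self, ttype, count, seconds):
        if ttype not in ("limit", "threshold", "both"):
            raise ValueError("unknown threshold type: %r" % (ttype,))
        self.ttype, self.count, self.seconds = ttype, count, seconds
        # addr -> [window_start, events_in_window, alerted_in_window]
        self._state = {}

    def event(self, addr, ts):
        """Record one matching event; return True if it should raise an alert."""
        st = self._state.get(addr)
        if st is None or ts - st[0] >= self.seconds:
            st = [ts, 0, False]          # open a fresh window for this source
            self._state[addr] = st
        st[1] += 1
        if self.ttype == "limit":
            return st[1] <= self.count
        if self.ttype == "threshold":
            return st[1] % self.count == 0
        # 'both': one alert per window, only once the count has been reached
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True
        return False


def run(events, ttype, count, seconds):
    """Feed (timestamp, src) pairs through a threshold; return alerts per src."""
    thr = EventThreshold(ttype, count, seconds)
    alerts = defaultdict(int)
    for ts, src in sorted(events):
        if thr.event(src, ts):
            alerts[src] += 1
    return dict(alerts)


def count_unthrottled(events):
    """Alerts the plain rule (no threshold) would produce: one per event."""
    return dict(Counter(src for _, src in events))


def sample_events():
    """Constructed hour of ICMP echo-request events (not captured traffic)."""
    events = []
    # Infected host (assumed 10.0.0.5): 2500 pings/min, the post's lower bound.
    n = 2500 * 60
    events += [(i * 3600.0 / n, "10.0.0.5") for i in range(n)]
    # Admin workstation (assumed 10.0.0.9): 30 tracert probes spread over the hour.
    events += [(i * 120.0, "10.0.0.9") for i in range(30)]
    # IM client (assumed 10.0.0.7): a connectivity ping every 30 seconds.
    events += [(i * 30.0, "10.0.0.7") for i in range(120)]
    return events


if __name__ == "__main__":
    ev = sample_events()
    print("no threshold   :", count_unthrottled(ev))
    print("limit 1/60s    :", run(ev, "limit", 1, 60))
    print("both 100/60s   :", run(ev, "both", 100, 60))
```

With these inputs the unthrottled rule logs 150,000 alerts for the infected host plus 150 for the two benign pingers; `type limit, count 1, seconds 60` cuts the infected host to 60 alerts per hour but still logs every window in which the admin box or the IM client pinged; `type both, count 100, seconds 60` yields 60 alerts for the infected host and nothing at all for the other two, which is the behaviour the post describes.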