[Snort-users] Re: Welchia/Nachi rule

Gabriel L. Somlo somlo at ...8241...
Thu Nov 6 14:34:18 EST 2003


> From: "Schmehl, Paul L" <pauls at ...6838...>
> 
> Yesterday I posted a new version of my rule for this worm.  The rule
> works with snort 2.0.2 or better and takes advantage of the new
> thresholding keyword to eliminate "false positives".

Paul,

Thanks for posting the Welchia rule !

Here's a shell script I wrote to pull the culprits' IPs from the
database. I cron'ed it to send me email every 24 hours, and then I
turn around and harass the machines' owners :)

Thought it might come in handy for other folks...


#!/bin/bash
#
# list nachi events by source ip
# Gabriel L. Somlo, 11/06/2003
#

SIG="ALERT!!! NACHI Infection!!"

# delete alerts after reporting
DELETE="yes"

# information required to connect to the database:
DATABASE=snort
USER=foo
PASSWORD=bar

# the mysql command line
MYSQL="/usr/bin/mysql ${DATABASE} -u${USER} -p${PASSWORD}"

# query for signature ID
SIGQUERY="select sig_id from signature where sig_name = '${SIG}';\n"

# get internal signature id
SIGID=$(echo -e ${SIGQUERY} | ${MYSQL} | tail +2)

# query for listing by source IP
LISTQUERY="select distinct ip_src, count(acid_event.cid) from acid_event where signature=${SIGID} group by ip_src;\n"

# process list query
printf "%-15s %20s\n" "Source" "Approx. Packets"
echo -e "${LISTQUERY}" | ${MYSQL} | tail +2 | while read IPNUM EVTC; do
  HX=$(echo "obase=16;${IPNUM}" | bc)
  IP=$(echo "ibase=16; print ${HX:0:2},\".\",${HX:2:2},\".\",${HX:4:2},\".\",${HX:6:2}" | bc)
  APPX_PCKTS=$(echo "${EVTC}*500" | bc)
  printf "%-15s %20d\n" ${IP} ${APPX_PCKTS}
done | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n

# quit now if we don't want to delete them from the database
if [ ! "${DELETE}" = "yes" ]; then
  exit 0
fi

# query for deleting events
DELQUERY="select sid, cid from event where signature = ${SIGID};\n"
# process delete query
echo -e ${DELQUERY} | ${MYSQL} | tail +2 | while read SID CID; do
  DELETE="delete from acid_ag_alert where ag_sid=${SID} and ag_cid=${CID};\n"
  for T in iphdr tcphdr udphdr icmphdr opt data event acid_event; do
    DELETE="${DELETE}delete from ${T} where sid=${SID} and cid=${CID};\n"
  done
  echo -e ${DELETE} | ${MYSQL}
done


Enjoy,

Gabriel




More information about the Snort-users mailing list