[Snort-users] W32 Welchia.Nachi?

Mark Gilbert mark.vyner at ...11575...
Mon Apr 5 16:41:10 EDT 2004


hi Larry;

  This was posted last year... thanks to Paul.


On Thu, 2003-11-06 at 01:39, Schmehl, Paul L wrote: 

> Yesterday I posted a new version of my rule for this worm.  The rule
> works with snort 2.0.2 or better and takes advantage of the new
> thresholding keyword to eliminate "false positives".
> 
> After rereading the README.thresholding docs, I realized that I had not
> really used the new thresholding rules in the best way.  I believe that
> I now understand them better, so I'm posting this updated copy of the
> rule:
> 
> # This rule is for tracking Welchia/Nachi infections
> alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!";\
>  content: "|aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa\
>  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa\
>  aaaa aaaa aaaa aaaa aaaa|"; dsize:64; itype: 8; icode: 0; threshold:\
>  type both, track by_src, count 1000, seconds 60;\
>  classtype:trojan-activity;\
>  sid: 10000008; rev: 4;)
> 
> The update that I posted yesterday used type "limit".  What that does is
> limit the number of alerts that you see to the number that you specify
> in "count".  But by using that type, you also see any hosts that are
> under that limit, which means any hosts doing pings or tracerts will
> trigger alerts as well.
> 
> By using type "both", the rule will now only trigger if a host generates
> at least 1000 alerts in 60 seconds, and it will only trigger one alert
> per minute.  This means that an infected host would trigger 60 alerts
> per hour.  This should also completely eliminate "false positives"
> caused by Windows hosts that are being used for doing pings or tracerts.
> (So, if you want to detect hosts doing pings and tracerts, this rule
> won't do that for you.)
> 
> If you want to detect infections coming from outside your network,
> change "$HOME_NET" to "any".
> 
> My apologies for cluttering the lists.  I should have been more patient
> before posting my update yesterday.
> 
> Paul Schmehl (pauls at ...6838...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
> 
> 
> 
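To make the difference between "limit" and "both" concrete, here is a small Python model of Snort 2.x per-source thresholding run over the quoted rule's match conditions. This is an added example, not Snort's code and not from Paul's post; the traffic is constructed, the window handling is a simplified reading of README.thresholding, and the benign host is assumed to send echo requests that happen to match the content (the false-positive case the post describes).

```python
"""Model of Snort 2.x event thresholding (limit / threshold / both) applied to
the Welchia/Nachi rule quoted above.  Added example, not Snort's own code;
the traffic below is constructed and the window logic is a simplified model
of the README.thresholding semantics."""
from collections import defaultdict

def rule_matches(itype, icode, payload):
    """Detection part of the rule: ICMP echo request (itype 8, icode 0),
    64-byte payload containing the quoted content (62 bytes of 0xAA)."""
    return (itype == 8 and icode == 0 and len(payload) == 64
            and b"\xaa" * 62 in payload)

class Threshold:
    """Per-source state for 'threshold: type <kind>, track by_src, count, seconds'."""
    def __init__(self, kind, count, seconds):
        self.kind, self.count, self.seconds = kind, count, seconds
        self.state = {}          # src -> (window_start, events_seen_in_window)

    def should_alert(self, src, t):
        start, n = self.state.get(src, (None, 0))
        if start is None or t - start >= self.seconds:   # open a new window
            start, n = t, 0
        n += 1
        self.state[src] = (start, n)
        if self.kind == "limit":       # first <count> events per window alert
            return n <= self.count
        if self.kind == "threshold":   # every <count>-th event alerts
            return n % self.count == 0
        if self.kind == "both":        # one alert per window, once count is reached
            return n == self.count
        raise ValueError(f"unknown threshold type {self.kind!r}")

def simulate(events, kind, count=1000, seconds=60):
    """events: (time, src, itype, icode, payload) tuples, time-ordered per src.
    Returns {src: number of alerts logged}."""
    th, alerts = Threshold(kind, count, seconds), defaultdict(int)
    for t, src, itype, icode, payload in events:
        if rule_matches(itype, icode, payload) and th.should_alert(src, t):
            alerts[src] += 1
    return dict(alerts)

NACHI = b"\xaa" * 64
def traffic(src, rate, duration):
    """Constructed echo-request stream: `rate` packets/s for `duration` seconds."""
    return [(i / rate, src, 8, 0, NACHI) for i in range(int(rate * duration))]

BENIGN = traffic("10.0.0.5", 1, 20)      # a host doing pings: 20 matching packets
INFECTED = traffic("10.0.0.9", 25, 120)  # an infected host: 3000 probes in 2 minutes

if __name__ == "__main__":
    for kind in ("limit", "both"):
        print(kind, simulate(BENIGN + INFECTED, kind))
    # limit: {'10.0.0.5': 20, '10.0.0.9': 2000}   both: {'10.0.0.9': 2}
```

With "both", the pinging host never appears and the infected host produces one alert per 60-second window, which is the 60 alerts per hour Paul describes.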