[Snort-users] W32 Welchia.Nachi?
mark.vyner at ...11575...
Mon Apr 5 16:41:10 EDT 2004
This was posted last year... thanks to Paul.
On Thu, 2003-11-06 at 01:39, Schmehl, Paul L wrote:
> Yesterday I posted a new version of my rule for this worm. The rule
> works with snort 2.0.2 or better and takes advantage of the new
> thresholding keyword to eliminate "false positives".
> After rereading the README.thresholding docs, I realized that I had not
> really used the new thresholding rules in the best way. I believe that
> I now understand them better, so I'm posting this updated copy of the
> # This rule is for tracking Welchia/Nachi infections
> alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!";\
> content: "|aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa\
> aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa\
> aaaa aaaa aaaa aaaa aaaa|"; dsize:64; itype: 8; icode: 0; threshold:\
> type both, track by_src, count 1000, seconds 60;
> sid: 10000008; rev: 4;)
> The update that I posted yesterday used type "limit". What that does is
> limit the number of alerts that you see to the number that you specify
> in "count". But by using that type, you also see any hosts that are
> under that limit, which means any hosts doing pings or tracerts will
> trigger alerts as well.
> By using type "both", the rule will now only trigger if a host generates
> at least 1000 alerts in 60 seconds, and it will only trigger one alert
> per minute. This means that an infected host would trigger 60 alerts
> per hour. This should also completely eliminate "false positives"
> caused by Windows hosts that are being used for doing pings or tracerts.
> (So, if you want to detect hosts doing pings and tracerts, this rule
> won't do that for you.)
> If you want to detect infections coming from outside your network,
> change "$HOME_NET" to "any".
> My apologies for cluttering the lists. I should have been more patient
> before posting my update yesterday.
> Paul Schmehl (pauls at ...6838...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
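The difference between threshold type "limit" and type "both" that Paul describes above, worked through on constructed traffic. This is an added example, not code from the thread or from Snort itself: it models the rule's match conditions (itype 8, icode 0, dsize 64, all-0xAA content) and a simplified by_src threshold window, then counts how many alerts an infected host and a low-rate host would each produce under each type. The hosts, timings and event counts are made up for the demonstration.

```python
from collections import defaultdict

# Payload the rule's content/dsize options describe: a 64-byte ICMP echo
# request filled with 0xAA (constructed from the rule, not captured traffic).
NACHI_PAYLOAD = b"\xaa" * 64

def rule_matches(itype, icode, payload):
    """Detection half of the rule: itype 8, icode 0, dsize 64, all-0xAA content."""
    return itype == 8 and icode == 0 and len(payload) == 64 and payload == NACHI_PAYLOAD

class Threshold:
    """Model of 'threshold: type <limit|threshold|both>, track by_src' semantics.
    Assumption: simplified reimplementation, not Snort's own code."""
    def __init__(self, ttype, count, seconds):
        self.ttype, self.count, self.seconds = ttype, count, seconds
        self.state = {}  # track by_src: src -> (window_start, matches_in_window)

    def check(self, src, now):
        """Return True if this matching packet should produce an alert."""
        start, n = self.state.get(src, (now, 0))
        if now - start >= self.seconds:   # window expired: start a fresh one
            start, n = now, 0
        n += 1
        self.state[src] = (start, n)
        if self.ttype == "limit":         # first `count` matches alert, rest are suppressed
            return n <= self.count
        if self.ttype == "threshold":     # every `count`-th match alerts
            return n % self.count == 0
        if self.ttype == "both":          # one alert per window, only once count is reached
            return n == self.count
        raise ValueError(f"unknown threshold type {self.ttype!r}")

def run_rule(events, ttype, count=1000, seconds=60):
    """events: (timestamp, src, itype, icode, payload) tuples. Returns alerts per src."""
    th = Threshold(ttype, count, seconds)
    alerts = defaultdict(int)
    for ts, src, itype, icode, payload in events:
        if rule_matches(itype, icode, payload) and th.check(src, ts):
            alerts[src] += 1
    return dict(alerts)

def constructed_events():
    """Constructed sample: an infected host sending 3000 matching probes per
    minute for two minutes, plus a low-rate host sending 20 matching probes."""
    ev = [(i / 50, "10.0.0.5", 8, 0, NACHI_PAYLOAD) for i in range(6000)]
    ev += [(5.0 + i, "10.0.0.9", 8, 0, NACHI_PAYLOAD) for i in range(20)]
    ev.append((7.0, "10.0.0.9", 0, 0, NACHI_PAYLOAD))  # echo reply: itype 0, never matches
    return sorted(ev, key=lambda e: e[0])
```

Calling `run_rule(constructed_events(), "both")` yields one alert per 60-second window for the infected host only, while `"limit"` also reports the low-rate host, which is exactly the noise the revised rule avoids.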