RE: [Snort-users] CyberKit 2.2 Ping, its driven me Nuts..

Old 12-29-2003
 

Hi,

This seems very interesting.
Would you please post details about how you have done it?
Eventually the cron script to check these specific alerts (WELCHIA/NACHI
and MSBLASTER) and how you send emails to the antivirus team.

Thank you in advance,
Catalin.


-----Original Message-----
From: Alexander Hampel [mailto:alexanderhampel@netscape.net]
Sent: Mon 12/29/2003 2:55 PM
To: snort-users@lists.sourceforge.net
Cc:
Subject: Re: [Snort-users] CyberKit 2.2 Ping, its driven me Nuts..

I use a custom cron script, that checks every minute for CyberKit 2.2
alerts originating from within our Class B network. It gets the MAC
address of the offending PC through 'nbtscan', and sends popup warning
messages to the offender via 'smbclient -M'. It further logs the
offending PC's NetBIOS name, IP, MAC, and sends out a text page via
'mailto', so the antivirus team can take care of the infected PC.

External Cyberkit 2.2 alerts are being ignored. Incoming ports 135 and
tftp are of course blocked at the firewall to prevent infection from the
outside.

Alexander



Erwin Van de Velde <erwin.vandevelde@ua.ac.be> wrote:

>Hi,
>
>Commenting it out will make you blind to internal infections!!!
>I don't think it is good to comment it out, just adapt it if you really want
>to get rid of the alerts. Otherwise: filtering afterwards on alerts itself.
>This way you will keep statistical information on virus activity, which can
>be nice to show your boss :-)
>It's also a good thing to keep an eye on general internet activity and
>commenting all those nasty alerts out isn't the way to do that.
>
>Greetings,
>Erwin Van de Velde
>Student of Antwerp University
>Belgium
>
>
>
>On Monday 29 December 2003 17:51, Bryan Irvine wrote:
>> I commented that rule out.
>>
>> On Mon, 2003-12-29 at 10:51, Chris N wrote:
>> > Fellow Snorters,
>> >
>> > Ok, I have had enough of this "CyberKit 2.2 Ping." How are some of you
>> > guys dealing with it? Do you just ignore(pass), log every one, or go and
>> > try to shut the offending hosts down? Although, trying to shut down all
>> > the offending hosts could be a daunting task, since there are so damn many.
>> >
>> > Chris
>> >
>> >
>> >
>> > -------------------------------------------------------
>> > This SF.net email is sponsored by: IBM Linux Tutorials.
>> > Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
>> > Free Linux Tutorials. Learn everything from the bash shell to sys admin.
>> > Click now! http://ads.osdn.com/?ad_id=1278&al...371&op=click
>> > _______________________________________________
>> > Snort-users mailing list
>> > Snort-users@lists.sourceforge.net
>> > Go to this URL to change user options or unsubscribe:
>> > https://lists.sourceforge.net/lists/...fo/snort-users
>> > Snort-users list archive:
>> > http://www.geocrawler.com/redir-sf.p...=snort-users



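The workflow Alexander describes (filter internal CyberKit 2.2 alerts, identify the PC with nbtscan, warn the user with smbclient -M, log, and mail the antivirus team) can be sketched as below; this is an added example, not his script, which was not posted in the thread. It assumes Snort "fast" alert lines, an internal Class B of 172.16.0.0/16, nbtscan's default column layout and `mail` as the mailer; all addresses, paths, names and sample alerts are constructed.

```shell
#!/bin/sh
# Assumptions (not from the thread): Snort "fast" alert lines, internal Class B
# 172.16.0.0/16, default nbtscan columns, `mail` as mailer, all paths/addresses.
NET_PREFIX="172.16."
AV_TEAM="av-team@example.org"
LOG="${LOG:-/tmp/cyberkit-offenders.log}"
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the response commands only
# Constructed sample alerts: two internal sources (one repeated), one external,
# and one unrelated local rule.
sample_alerts() { cat <<'EOF'
12/29-14:55:01.100000  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 172.16.4.20 -> 172.16.9.1
12/29-14:55:01.200000  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 172.16.4.20 -> 172.16.9.2
12/29-14:55:02.300000  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 172.16.9.1
12/29-14:55:02.900000  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 3] {TCP} 172.16.5.5:1025 -> 172.16.9.1:80
12/29-14:55:03.400000  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 172.16.77.3 -> 10.1.1.1
EOF
}
# Print each internal source IP with a CyberKit 2.2 alert, once; externals are ignored.
internal_offenders() {
    awk -v net="$NET_PREFIX" '/CyberKit 2\.2/ {
        src = ""
        for (i = 2; i <= NF; i++) if ($i == "->") { src = $(i - 1); break }
        if (index(src, net) == 1 && !(src in seen)) { seen[src] = 1; print src }
    }' "$@"
}
# Run a command fed from a pipe; in dry-run mode discard the piped body and show the command.
run() { if [ "$DRY_RUN" = 1 ]; then cat >/dev/null; echo "DRY-RUN: $*"; else "$@"; fi; }

# Identify one offender, log it once, warn the user, and notify the AV team.
respond() {
    ip=$1
    grep -qsF " $ip " "$LOG" && return 0          # already handled on an earlier run
    if [ "$DRY_RUN" = 1 ]; then
        row="$ip SAMPLE-PC <server> <unknown> 00:11:22:33:44:55"   # constructed
    else
        row=$(nbtscan "$ip" | awk -v ip="$ip" '$1 == ip')
    fi
    name=$(echo "$row" | awk '{ print $2 }'); mac=$(echo "$row" | awk '{ print $NF }')
    [ -n "$name" ] || { echo "$ip: no NetBIOS answer" >&2; return 1; }
    echo "$(date '+%Y-%m-%d %H:%M:%S') $name $ip $mac" >> "$LOG"
    echo "Snort saw CyberKit 2.2 pings from this PC; please call the antivirus team." | run smbclient -M "$name"
    echo "CyberKit 2.2 source: $name $ip $mac" | run mail -s "Possible infected PC $name" "$AV_TEAM"
}
# Cron entry point: pass the alert file as $1; with no argument nothing runs.
if [ -n "${1:-}" ]; then
    for ip in $(internal_offenders "$1"); do respond "$ip" || true; done
fi
```

The log doubles as state, so a host already recorded is not paged again each minute. smbclient -M depends on the Windows Messenger (WinPopup) service, which current Windows versions no longer provide, so on a modern network only the logging and mail steps still apply.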