
[Snort-users] W32 Welchia.Nachi?



04-06-2004
Mark Gilbert



hi Larry;

This was posted last year... thanks to Paul.


On Thu, 2003-11-06 at 01:39, Schmehl, Paul L wrote:

> Yesterday I posted a new version of my rule for this worm. The rule
> works with snort 2.0.2 or better and takes advantage of the new
> thresholding keyword to eliminate "false positives".
>
> After rereading the README.thresholding docs, I realized that I had not
> really used the new thresholding rules in the best way. I believe that
> I now understand them better, so I'm posting this updated copy of the
> rule:
>
> # This rule is for tracking Welchia/Nachi infections
> alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!";\
> content: "|aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa\
> aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa\
> aaaa aaaa aaaa aaaa aaaa|"; dsize:64; itype: 8; icode: 0; threshold:\
> type both, track by_src, count 1000, seconds 60;\
> classtype:trojan-activity;\
> sid: 10000008; rev: 4;)
>
> The update that I posted yesterday used type "limit". What that does is
> limit the number of alerts that you see to the number that you specify
> in "count". But by using that type, you also see any hosts that are
> under that limit, which means any hosts doing pings or tracerts will
> trigger alerts as well.
>
> By using type "both", the rule will now only trigger if a host generates
> at least 1000 alerts in 60 seconds, and it will only trigger one alert
> per minute. This means that an infected host would trigger 60 alerts
> per hour. This should also completely eliminate "false positives"
> caused by Windows hosts that are being used for doing pings or tracerts.
> (So, if you want to detect hosts doing pings and tracerts, this rule
> won't do that for you.)
>
> If you want to detect infections coming from outside your network,
> change "$HOME_NET" to "any".
>
> My apologies for cluttering the lists. I should have been more patient
> before posting my update yesterday.
>
> Paul Schmehl (pauls@utdallas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>


_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
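To make the difference between thresholding type "limit" and type "both" that Paul's quoted message describes concrete, here is an added Python model (not from the original post and not Snort's own code) of Snort's per-source threshold logic run over constructed traffic: one admin box pinging once a second and one host behaving like an infected machine sweeping at about 50 echo requests a second. The window handling is an assumed simplification (a source's window starts at its first event and reopens on the first event arriving 60 s or more later).

```python
from collections import defaultdict

def apply_threshold(events, ttype, count, seconds):
    """Simplified model of Snort 2.x 'threshold:' with track by_src.

    events : list of (timestamp_seconds, src_ip) for packets that already
             matched the rule body (dsize:64, itype:8, payload of 0xAA).
    ttype  : "limit"     -> log the first <count> events per window, drop the rest
             "threshold" -> log every <count>th event in a window
             "both"      -> log once per window, only when <count> is reached
    Returns the (timestamp, src_ip) pairs that would actually be logged.
    Assumption: a source's window starts at its first event and is reopened
    by the first event arriving <seconds> or more later.
    """
    state = {}   # src_ip -> [window_start, events_seen_in_window]
    logged = []
    for ts, src in events:
        st = state.get(src)
        if st is None or ts - st[0] >= seconds:
            st = state[src] = [ts, 0]
        st[1] += 1
        n = st[1]
        if (ttype == "limit" and n <= count) or \
           (ttype == "threshold" and n % count == 0) or \
           (ttype == "both" and n == count):
            logged.append((ts, src))
    return logged

def count_by_src(logged):
    """Alerts per source, i.e. what the analyst would see in the console."""
    totals = defaultdict(int)
    for _, src in logged:
        totals[src] += 1
    return dict(totals)

def constructed_traffic():
    """Two minutes of constructed rule matches (not captured data):
    10.0.0.5 is an admin box pinging once a second, 10.0.0.99 behaves
    like an infected host sweeping at ~50 echo requests a second."""
    events = []
    for t in range(120):
        events.append((float(t), "10.0.0.5"))
        events.extend((t + k / 50, "10.0.0.99") for k in range(50))
    events.sort()
    return events

if __name__ == "__main__":
    ev = constructed_traffic()
    for ttype in ("limit", "both"):
        print(ttype, count_by_src(apply_threshold(ev, ttype, 1000, 60)))
```

With "limit" the pinging admin box still produces an alert per ping (120 in two minutes) while the infected host produces 1000 per minute; with "both" the admin box produces nothing and the infected host exactly one alert per minute, matching the 60 alerts per hour in the quoted message.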