Snort mailing list archives
RE: welchia rule
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 5 Nov 2003 12:36:16 -0600
-----Original Message-----
From: Mark.Schutzmann () Omron com [mailto:Mark.Schutzmann () Omron com]
Sent: Wednesday, November 05, 2003 9:55 AM
To: Schmehl, Paul L
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] welchia rule

This is an excellent rule - I also immediately detected a couple of rogue computers. Thanks for sharing. Is there a way to (or how did you) determine how many packets/hits per second/minute that an event is triggering the snort rule?
I had plenty of infections for sampling. :-) Typically, an infected machine would generate between 150,000 and 250,000 alerts per hour (a minimum of 2500 per minute!) with the original rule. I just posted an update that uses the "both" type of threshold that is working very well here. It generates 1 alert per minute for each infected host. Much easier on the database growth. :-)

If you're not using snort 2.0.2 or better, just remove the threshold section and the rule will work fine, but you will see some "false positives". This is because Welchia/Nachi uses the built-in Windows ping utility, so any time someone is pinging or doing tracerts, their machine will set off the original rule. Some things like Yahoo IM will set it off because they use Windows pings to check for connectivity. The updated rule, using "threshold type both", eliminates those, so the only alerts that you get are from "real" infections.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
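To make the effect of "threshold type both" concrete, here is an added simulation (not Paul's rule or Snort code) of Snort's per-source "both" suppression run over constructed ICMP echo events: one host pinging at the roughly 2500-per-minute rate reported above, and one host sending a few pings from a traceroute or IM connectivity check. The threshold values (count 500, seconds 60) and the addresses are assumptions; the original rule is modelled as one alert per matching packet.

```python
from collections import defaultdict


def constructed_events():
    """Constructed (ts_seconds, src_ip) echo-request events, oldest first."""
    events = []
    # Infected host: 2500 echo requests per minute for three minutes,
    # the per-minute rate quoted in the reply above.
    for i in range(3 * 2500):
        events.append((i * 60.0 / 2500, "10.0.0.5"))
    # Benign host: four pings from a tracert / connectivity check.
    for t in (10.0, 11.0, 12.0, 13.0):
        events.append((t, "10.0.0.9"))
    events.sort()
    return events


class ThresholdBoth:
    """Snort 'threshold type both, track by_src' semantics: alert once per
    `seconds` window for a source, only after `count` matching events have
    been seen in that window; further events in the window are suppressed."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.windows = {}  # src -> [window_start, events_seen, alerted]

    def event(self, ts, src):
        w = self.windows.get(src)
        if w is None or ts - w[0] >= self.seconds:
            w = [ts, 0, False]  # start a fresh window for this source
            self.windows[src] = w
        w[1] += 1
        if w[1] >= self.count and not w[2]:
            w[2] = True  # the single alert this window will produce
            return True
        return False


def alerts_per_source(events, count=500, seconds=60):
    """Return ({src: alerts} for the unthresholded rule,
               {src: alerts} for the 'type both' rule)."""
    plain = defaultdict(int)
    both = defaultdict(int)
    thr = ThresholdBoth(count, seconds)
    for ts, src in events:
        plain[src] += 1  # original rule: every matching packet alerts
        if thr.event(ts, src):
            both[src] += 1
    return dict(plain), dict(both)
```

With these inputs the unthresholded rule yields 7500 alerts for the infected host and 4 for the benign one, while the "both" rule yields one alert per minute for the infected host and none for the benign pings.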