Snort mailing list archives

RE: welchia rule


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 5 Nov 2003 12:36:16 -0600

-----Original Message-----
From: Mark.Schutzmann () Omron com [mailto:Mark.Schutzmann () Omron com] 
Sent: Wednesday, November 05, 2003 9:55 AM
To: Schmehl, Paul L
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] welchia rule

This is an excellent rule- I also immediately detected a 
couple of rogue computers. Thanks for sharing. Is there a way 
to (or how did you) determine how many packets/hits per 
second/minute that an event is triggering the snort rule?

I had plenty of infections for sampling.  :-)

Typically, an infected machine would generate between 150,000 and
250,000 alerts per hour (a minimum of 2500 per minute!) with the original
rule.  I just posted an update that uses the "both" type of threshold
that is working very well here.  It generates 1 alert per minute for
each infected host.  Much easier on the database growth. :-)

If you're not using snort 2.0.2 or better, just remove the threshold
section and the rule will work fine, but you will see some "false
positives".  This is because Welchia/Nachi uses the built-in Windows
ping utility, so any time someone is pinging or doing tracerts, their
machine will set off the original rule.  Some things like Yahoo IM will
set it off because they use Windows pings to check for connectivity.
The updated rule, using "threshold type both" eliminates those, so the
only alerts that you get are from "real" infections.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
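The effect of the "threshold type both" change that Paul describes, replayed over constructed traffic, as an added example (this is not code from the thread and not Snort's own implementation). The threshold values count 2500 / seconds 60 are an assumption taken from the "minimum of 2500 per minute" figure in the message; the thread does not show the actual rule. The event streams are constructed, not captured packets.

```python
"""Model of Snort's per-rule "threshold" keyword, used to see why
"type both" turns a flood of Welchia/Nachi ping alerts into one alert
per minute per infected host while leaving ordinary pings alone.

Added example; not from the mailing-list thread and not Snort's code.
Assumptions (labelled): count=2500 and seconds=60 are chosen from the
"minimum of 2500 per minute" figure in the message, and the event
streams below are constructed, not captured traffic.
"""


class Threshold:
    """Simplified per-source model of Snort's threshold types.

    limit      -> alert on the first `count` events per window, then ignore
    threshold  -> alert on every `count`-th event in the window
    both       -> alert once per window, and only after `count` events
    A window opens on the first event from a source and lasts `seconds`.
    """

    def __init__(self, kind, count, seconds):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError("unknown threshold type: %r" % kind)
        self.kind, self.count, self.window_ms = kind, count, seconds * 1000
        self.state = {}  # src -> [window_start_ms, events_seen, alerted]

    def event(self, src, t_ms):
        """Return True if this event should raise an alert."""
        st = self.state.get(src)
        if st is None or t_ms - st[0] >= self.window_ms:
            st = [t_ms, 0, False]  # open a fresh window for this source
            self.state[src] = st
        st[1] += 1
        if self.kind == "limit":
            return st[1] <= self.count
        if self.kind == "threshold":
            return st[1] % self.count == 0
        # both: alert once the count is reached, then stay silent until
        # the window expires
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True
        return False


def run(events, threshold=None):
    """Replay (t_ms, src) events through the rule; return {src: alert count}.

    threshold=None models the original rule with no threshold section:
    every matching ICMP echo request is an alert.
    """
    alerts = {}
    for t_ms, src in sorted(events):
        fired = True if threshold is None else threshold.event(src, t_ms)
        if fired:
            alerts[src] = alerts.get(src, 0) + 1
    return alerts


def sample_events():
    """Constructed traffic: one infected host and one admin running tracert."""
    events = []
    # Infected host: 50 echo requests/second for 3 minutes (3000/min).
    events += [(i * 20, "10.0.0.7") for i in range(9000)]
    # Admin host: 30 hops x 3 probes, one every 100 ms, starting at t=10 s.
    events += [(10_000 + i * 100, "10.0.0.42") for i in range(90)]
    return events


def compare():
    """Alerts per host with the original rule vs. the 'type both' rule."""
    events = sample_events()
    original = run(events)
    # Assumed threshold values (not stated in the thread):
    #   threshold: type both, track by_src, count 2500, seconds 60;
    updated = run(events, Threshold("both", count=2500, seconds=60))
    return original, updated


if __name__ == "__main__":
    orig, upd = compare()
    print("no threshold :", orig)
    print("type both    :", upd)
```

With no threshold section the infected host produces 9000 alerts in three minutes and the tracert produces 90 more, all from the same signature; with "type both" the infected host produces exactly three (one per 60-second window) and the tracert, which never reaches 2500 echo requests in a window, produces none. The model opens each source's window on its first event; Snort's real bookkeeping differs in details, but the per-window behaviour of the three types is the same.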


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users