Snort mailing list archives
Re: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts..
From: "Paul Schmehl" <pauls () utdallas edu>
Date: Sat, 3 Jan 2004 19:09:53 -0600
----- Original Message -----
From: "Jim Brown" <jpb () sixshooter v6 thrupoint net>
To: <snort-users () lists sourceforge net>
Sent: Saturday, January 03, 2004 6:10 PM
Subject: Re: [Snort-users] SUMMARY, CyberKit 2.2 Ping, its driven me Nuts..

> I'm curious about your threshold count of 1000 per minute. I've only seen activity on the order of 12-15 messages/second on a 'blast' with several seconds between blasts. This wouldn't get me to 1000 in one minute for most minutes.
It's an arbitrary number chosen by me to ensure that it would eliminate traffic from boxes that are not infected with Nachi. The Nachi packet is identical to a Windows ping or traceroute (tracert) because Nachi uses the built-in program that comes with Windows. So, if you're looking for Nachi and *only* Nachi, you want to eliminate any other causes (at least I do).
What are your stats? Are you seeing more than 15 messages/second?
A box infected with Nachi will generate between 100,000 and 250,000 alerts an hour without thresholding using this rule. Simple math tells you that an infected machine should generate a minimum of 1667 alerts per minute. So I set the count to 1000 as a fudge factor. I've had *plenty* of experience with Nachi infections, so I'm quite familiar with its behavior.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
http://www.utdallas.edu/ir/
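A constructed simulation of the thresholding discussed in this exchange (an added example, not code from the thread or from Snort). It assumes the rule uses Snort's `threshold: type threshold, track by_src, count 1000, seconds 60` form, which the message does not quote, and the two source addresses and their packet rates are made up to match Jim's 12-15/second bursts and Paul's 100,000-250,000 alerts/hour figure.

```python
"""Simulate Snort's `threshold` keyword on ICMP alerts from two hosts.

Constructed example (not code from the thread). Assumes Paul's rule
uses `threshold: type threshold, track by_src, count 1000, seconds 60`,
which fires once per 1000 matching events from one source within a
60-second window; the real rule is not quoted on the page.
"""
import math
from collections import defaultdict


def expected_min_per_minute(alerts_per_hour: int) -> int:
    """Paul's 'simple math': 100,000 alerts/hour -> 1667 alerts/minute (rounded up)."""
    return math.ceil(alerts_per_hour / 60)


def thresholded_alerts(events, count=1000, seconds=60):
    """events: iterable of (timestamp_seconds, src_ip).

    Returns {src_ip: [timestamps at which a thresholded alert fired]}.
    Approximates Snort: a per-source window opens at the first event,
    the counter resets to zero each time it reaches `count`, and a new
    window opens at the first event `seconds` or more after the window start.
    """
    window = {}              # src -> (window_start, events_in_window)
    fired = defaultdict(list)
    for ts, src in sorted(events):
        start, n = window.get(src, (ts, 0))
        if ts - start >= seconds:
            start, n = ts, 0
        n += 1
        if n == count:
            fired[src].append(ts)
            n = 0
        window[src] = (start, n)
    return dict(fired)


def simulate(minutes=10):
    """Constructed traffic: a ping-tool host bursting 15 pkt/s for 5 s every
    30 s (Jim's observation), and an infected host at a steady 30 pkt/s
    (1800/min, inside Paul's 100k-250k/hour range). Both IPs are made up."""
    events = []
    for burst_start in range(0, minutes * 60, 30):            # 10.0.0.1: bursty pings
        events += [(burst_start + k / 15, "10.0.0.1") for k in range(75)]
    events += [(i / 30, "10.0.0.2") for i in range(30 * 60 * minutes)]  # 10.0.0.2: Nachi-like
    return thresholded_alerts(events)


if __name__ == "__main__":
    for src, hits in simulate().items():
        print(f"{src}: {len(hits)} thresholded alert(s)")
```

With these rates the bursty host never reaches 1000 events in any 60-second window and produces no alert, while the steady host trips the threshold once per minute.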