[Dshield] Cyberkit 2.2 pings.... anyone else getting them?
Johannes B. Ullrich
jullrich at sans.org
Tue Dec 23 12:18:14 GMT 2003
Snort's rule for "Cyberkit 2.2" matches the pings sent by the
Nachia worm. No surprise if you get flooded by them, in particular
if you have an infected host in your proximity.

If you don't need to reply to 'ICMP Echo' requests, just drop
them. Other than that, there is not much you can do.

Other than the bandwidth they are using, the Nachia pings by
themselves are not dangerous. By not responding to ICMP Echo
requests, you will at least save the bandwidth used for the response.
However, a lot of network uptime monitors use ICMP echo, so you may need
to apply some exceptions, or apply a more fine-grained firewall rule.

As far as Snort is concerned: There is probably not much point in
logging these events, unless you use them to track down infected systems
under your control.
On Mon, 2003-12-22 at 19:10, CLE47 at aol.com wrote:
> Has anyone figured out what the cyberkit 2.2 is and how to block them???
> Please respond.
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 786 1563
fax: (617) 786 1550 jullrich at sans.org
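
Added example, not part of the original message: one way to use the logged "Cyberkit 2.2" alerts for the purpose the reply mentions, tracking down infected systems under your control. It reads Snort fast-format alert lines and counts matching alerts per source address inside your own network; the HOME_NET range and the sample alert lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the address space "under your control"; adjust to your site.
HOME_NET = ipaddress.ip_network("10.1.0.0/16")

# Snort fast alert: time [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)"
)

# Constructed sample alerts (not real traffic).
SAMPLE_ALERTS = """\
12/23-11:58:01.101010  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.4.23 -> 10.1.9.1
12/23-11:58:01.204020  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.4.23 -> 10.1.9.2
12/23-11:58:02.000300  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.77 -> 10.1.9.1
12/23-11:58:03.551000  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.7.5 -> 10.1.9.3
12/23-11:58:04.120000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.7.5 -> 10.1.2.2
12/23-11:58:05.330000  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.4.23 -> 10.1.9.3
truncated or damaged log line
"""


def internal_ping_sources(alert_text, home_net=HOME_NET):
    """Count CyberKit 2.2 alerts per source, keeping only sources in home_net."""
    hits = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or m["proto"] != "ICMP":
            continue  # unparsable line or not an ICMP alert
        if "cyberkit 2.2" not in m["msg"].lower():
            continue  # some other rule fired
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address in a damaged log line
        if src in home_net:
            hits[str(src)] += 1
    # Busiest sources first: these are the hosts to inspect for infection.
    return hits.most_common()


if __name__ == "__main__":
    for host, count in internal_ping_sources(SAMPLE_ALERTS):
        print(f"{host}\t{count} alerts")
```

Sources outside HOME_NET are ignored on purpose, since alerts from hosts you cannot clean up only add log volume.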