[unisog] SNORT sig for nachi/welchia

Phil.Rodrigues at uconn.edu Phil.Rodrigues at uconn.edu
Mon Aug 25 12:25:38 GMT 2003


We had good success implementing the route maps Cisco suggested.  It does 
not let the tracert command work from Windows (as it apparently uses 92 
byte packets), but normal "pings" (request/reply) work from Windows and 
Linux so WhatsUp, etc work fine.  Traceroute on Linux works as it uses 
UDP.

It isolated each residential network well enough from our core so the 
increased Welchia traffic we saw after 11,000 students moved in this 
weekend had no negative effect on the main campus or the Internet. 
Residential networks are isolated from each other so the infections can 
not spread (along with the TFTP block) from complex to complex.  Most of 
the residential complexes are doing pretty well, but a few are suffering 
from degraded performance.  But they all continue to operate.

After hearing horror stories from some others schools this feel like a 
huge success.

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================





Huba Leidenfrost <huba at uidaho.edu>
08/24/2003 07:52 PM
Please respond to huba

 
        To:     unisog at sans.org
        cc: 
        Subject:        [unisog] SNORT sig for nachi/welchia


Is anyone else using something like this to hunt for nachi/welchia
infected systems?  Yes it generates a lot of hits.  Could whittle the
number down with a "type:8" or something like that but this is working
for us.  If anyone has some variation that works better please share.

alert icmp $HOME_NET any -> $HOME_NET any (msg: "nachi traffic"; \
content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; dsize:64; \
classtype:worm-djour; rev:1;)

Also I'm interested in knowing how many people have employed null
routing (route-map) of nachi traffic on their routers?  We're blocking
certain ICMP traffic from our more prolific subnets to the rest of our
networks however using a route-map sounds like the way to go instead.

huba at uidaho.edu







More information about the unisog mailing list