[unisog] SNORT sig for nachi/welchia

Huba Leidenfrost huba at uidaho.edu
Mon Aug 25 21:47:57 GMT 2003

You definitely want to add a "type:8" to the rule otherwise you end up
getting an alert for both the initial ping scan and the reply traffic
from each system up and answering back. So this should be:

alert icmp $HOME_NET any -> $HOME_NET any (msg: "nachi traffic"; \
content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; dsize:64; type:8; \ 
classtype:worm-djour; rev:2;)

huba at uidaho.edu

-----Original Message-----
From: Huba Leidenfrost [mailto:huba at uidaho.edu] 
Sent: Sunday, August 24, 2003 4:52 PM
To: unisog at sans.org
Subject: [unisog] SNORT sig for nachi/welchia

Is anyone else using something like this to hunt for nachi/welchia
infected systems?  Yes it generates a lot of hits.  Could whittle the
number down with a "type:8" or something like that but this is working
for us.  If anyone has some variation that works better please share.

alert icmp $HOME_NET any -> $HOME_NET any (msg: "nachi traffic"; \
content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; dsize:64; \
classtype:worm-djour; rev:1;)

Also I'm interested in knowing how many people have employed null
routing (route-map) of nachi traffic on their routers?  We're blocking
certain ICMP traffic from our more prolific subnets to the rest of our
networks however using a route-map sounds like the way to go instead.

huba at uidaho.edu

More information about the unisog mailing list