Snort mailing list archives

RE: ICMP PING CyberKit 2.2 Windows


From: <nelsbels () cableone net>
Date: Tue, 19 Aug 2003 22:07:37 -0500

Check this out: (This is from incidents.org)

Over the last few hours, sensors detected a remarkable increase in ICMP
traffic. At this point, we assume that the traffic is linked to the 'Nachi'
worm: http://vil.nai.com/vil/content/v_100559.htm The worm is also known as
'Welchia'
(http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html)

While the investigation is still in progress, we did identify so far the
following characteristics:

- some of the traffic is spoofed
- the data content is all '170' (0xAA)
- ICMP echo requests (type 8, code 0)

Source-Target correlation fingerprints
ICMP Data: http://isc.sans.org/images/icmpfp.png
All Data: http://isc.sans.org/images/allfp.png
Port 135: http://isc.sans.org/images/port135fp.png

Sample Packet
(target IP obfuscated)

0x0000   4500 005c 2dc8 0000 7901 66a6 4349 919e        E..\-...y.f.CI..
0x0010   xxxx xxxx 0800 3318 0200 6d92 aaaa aaaa        ......3...m.....
0x0020   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0030   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0040   aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa        ................
0x0050   aaaa aaaa aaaa aaaa aaaa aaaa                  ............

Snort identifies these packets as "ICMP PING CyberKit 2.2 Windows".


So what's the deal with the 72,000-odd ICMP PING CyberKit 2.2 Windows alerts
I've got in the past few days??  It's frickin' crazy...  I've read the posts
on here, but what is actually causing this, and is there anything I can do at
my perimeter to stop these ICMP messages hitting my network??
It's just annoying, and I don't want to remove the rule that picks up on the
ICMP PING CyberKit 2.2 Windows!!

Ideas??



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
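Added example (not part of the original post or of the Snort rule set): a small
Python decoder that takes the sample packet quoted above, parses the IPv4 and
ICMP headers, recomputes the ICMP checksum, and checks for the traits the
incidents.org note lists (echo request, type 8 / code 0, data all 0xAA). The
obfuscated target address ("xxxx xxxx") is replaced with 0.0.0.0 as an assumed
placeholder, and the second "normal" ping packet is constructed here for
comparison; its 56-byte incrementing payload is an assumption about what an
ordinary ping client sends, not something taken from the post.

```python
"""Decode the Welchia-style ICMP echo request quoted in the post and test
for the traits it lists. Example code, not from the original message."""
import struct
from dataclasses import dataclass

# Hex dump transcribed from the post. The obfuscated target address
# ("xxxx xxxx") is replaced by 0.0.0.0, an assumed placeholder.
SAMPLE_HEX = (
    "4500 005c 2dc8 0000 7901 66a6 4349 919e "
    "0000 0000 0800 3318 0200 6d92 " + "aaaa " * 32
)


def hexdump_to_bytes(dump: str) -> bytes:
    return bytes.fromhex(dump.replace(" ", "").replace("\n", ""))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class IcmpEcho:
    src: str
    dst: str
    ttl: int
    icmp_type: int
    icmp_code: int
    checksum_ok: bool
    ident: int
    seq: int
    payload: bytes


def parse_ipv4_icmp(pkt: bytes) -> IcmpEcho:
    """Decode IPv4 + ICMP headers; raise if the packet is not IPv4/ICMP."""
    (ver_ihl, _tos, total_len, _ipid, _frag, ttl, proto,
     _ipsum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 1:
        raise ValueError("not an IPv4 ICMP packet")
    ihl = (ver_ihl & 0x0F) * 4
    icmp = pkt[ihl:total_len]
    itype, icode, csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    # Recompute over the ICMP message with the checksum field zeroed.
    recomputed = inet_checksum(icmp[:2] + b"\x00\x00" + icmp[4:])
    return IcmpEcho(
        src=".".join(map(str, src)), dst=".".join(map(str, dst)), ttl=ttl,
        icmp_type=itype, icmp_code=icode, checksum_ok=(recomputed == csum),
        ident=ident, seq=seq, payload=icmp[8:],
    )


def looks_like_welchia_ping(echo: IcmpEcho) -> bool:
    """Traits the post lists: echo request (type 8, code 0), data all 0xAA."""
    return (echo.icmp_type == 8 and echo.icmp_code == 0
            and len(echo.payload) > 0 and set(echo.payload) == {0xAA})


def build_echo_request(src: str, dst: str, ident: int, seq: int,
                       payload: bytes) -> bytes:
    """Constructed comparison packet: an echo request with a chosen payload."""
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(icmp_hdr + payload)
    icmp = struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def classify_samples() -> dict:
    worm = parse_ipv4_icmp(hexdump_to_bytes(SAMPLE_HEX))
    # Constructed "ordinary" ping: 56 bytes of incrementing data (assumed
    # pattern), so the classifier has something benign to reject.
    normal = parse_ipv4_icmp(build_echo_request(
        "192.0.2.10", "192.0.2.20", 0x1234, 1, bytes(range(56))))
    return {
        "worm_sample": {"checksum_ok": worm.checksum_ok,
                        "payload_len": len(worm.payload),
                        "welchia_like": looks_like_welchia_ping(worm)},
        "normal_ping": {"checksum_ok": normal.checksum_ok,
                        "payload_len": len(normal.payload),
                        "welchia_like": looks_like_welchia_ping(normal)},
    }


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(name, verdict)
```

The ICMP checksum 0x3318 in the quoted dump verifies against the 64 bytes of
0xAA, so the sample is a well-formed echo request rather than a truncated or
corrupted capture. Note that the payload alone is what the Snort signature
keys on; dropping or rate-limiting inbound echo requests at the border stops
the alerts from outside sources, but echo requests from infected hosts inside
the perimeter would still trip the rule.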