Problem with Sig ID 2156:Nachi Worm ICMP Echo Request?

jballay
Level 1

We're experiencing a problem with Sig ID 2156, the Nachi Worm ICMP Echo Request signature. The problem we're seeing is that once the signature fires, the destination IP address in the alarm is actually the machine that's infected with Nachi and the source addresses are the machines it's trying to infect. At the same time, we're also getting alarms that show the infected machine as the source address.

Has anyone else reported this to Cisco? If there really is a problem with the signature, is Cisco working on a fix?

3 Replies

DSmirnov
Level 1

Saw exactly the same - almost got a heart attack after a few hundred alerts initiated from our environment :)

Disabled sig. 2156 immediately. Yep, Cisco probably has to fix the signature - looks like 2156 reacts on the same payload in ICMP port unreachable or something like this...

Better yet, when capturing packets and snooping network traffic in relation to this virus, the ICMP traffic is backwards. The infected system sends out an echo-reply (8) and the target system sends (0). It is my understanding that normal network pings are 0 to 8 (ICMP type), not 8 to 0.... It appears in sig 2100 Net sweep echo.... That is what I used to help locate infected machines.....gp

anthall
Level 1

This signature will be noisy for a 3.1 environment. This is due to a couple of limitations with the 3.1 code; 4.0 will not suffer from these problems:

SummaryKey: Without the summary key feature of 4.1 it isn't possible to summarize all of the alarms from one nachi host. Each and every time an ICMP is sent an alarm fires (that is a lot of alarms).

IcmpType(ServicePorts parameter): 4.1 allows for a specific ICMP type (by using the ServicePorts parameter) for the STRING.ICMP engine. Setting this to a value of 8 prevents getting alarms from the machines that respond to the nachi ping.

In short, 4.1 removes these problems if ServicePorts is tuned to 8 for signature 2156 (this will be done in S55).
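The following is an added illustration of the behaviour described in this thread; it is not Cisco code and not the real 2156 signature definition. It builds three constructed ICMP packets (the worm's echo request from an infected host, the echo reply that the target sends back with the same payload, and a normal ping) and runs a string-match check over them once without any ICMP-type restriction and once restricted to type 8, the way the ServicePorts tuning above is described. The payload pattern (a 64-byte fill of 0xAA) and the addresses are assumptions for the example, not values from the thread.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Assumed signature string for the example (the thread does not give the real one):
# a 64-byte run of 0xAA bytes, as the Nachi echo request is commonly described.
NACHI_PAYLOAD = b"\xaa" * 64


@dataclass
class IcmpAlert:
    """What the sensor would report: source, destination and ICMP type of the matching packet."""
    src: str
    dst: str
    icmp_type: int


def _checksum(data: bytes) -> int:
    """Standard one's-complement checksum used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_packet(src: str, dst: str, icmp_type: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 + ICMP packet (no IP options, IP checksum left zero) for sample traffic."""
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)
    csum = _checksum(icmp_hdr + payload)
    icmp = struct.pack("!BBHHH", icmp_type, 0, csum, 0x1234, 1) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + icmp


def parse_packet(pkt: bytes) -> Optional[Tuple[str, str, int, bytes]]:
    """Return (src, dst, icmp_type, icmp_payload) for an IPv4 ICMP packet, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:  # protocol 1 = ICMP
        return None
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    icmp = pkt[ihl:]
    return src, dst, icmp[0], icmp[8:]


def match_nachi_string(pkt: bytes, service_ports: Optional[Set[int]] = None) -> Optional[IcmpAlert]:
    """String match on the ICMP payload. service_ports, when given, limits the
    match to those ICMP types (the role the thread attributes to ServicePorts)."""
    parsed = parse_packet(pkt)
    if parsed is None:
        return None
    src, dst, icmp_type, payload = parsed
    if service_ports is not None and icmp_type not in service_ports:
        return None
    if NACHI_PAYLOAD in payload:
        return IcmpAlert(src, dst, icmp_type)
    return None


def run_sample(service_ports: Optional[Set[int]] = None) -> List[IcmpAlert]:
    """Run the check over constructed traffic: worm request, echoed reply, benign ping."""
    infected, target = "10.0.0.5", "10.0.0.77"  # constructed addresses
    request = build_icmp_packet(infected, target, ICMP_ECHO_REQUEST, NACHI_PAYLOAD)
    # An echo reply carries the request's payload back, so the string is present here too.
    reply = build_icmp_packet(target, infected, ICMP_ECHO_REPLY, NACHI_PAYLOAD)
    benign = build_icmp_packet(target, infected, ICMP_ECHO_REQUEST, b"abcdefgh" * 7)
    alerts = (match_nachi_string(p, service_ports) for p in (request, reply, benign))
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    print("untuned:", run_sample())          # two alerts, with src/dst swapped on the reply
    print("type 8 only:", run_sample({8}))   # one alert, from the infected host only
```

Without the type restriction the reply also matches, and that alert names the responding target as the source and the infected host as the destination, which is the reversed view reported at the top of the thread. Restricting the match to echo requests leaves only the packet the infected host actually sent.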