10-08-2003 10:54 AM - edited 03-09-2019 05:04 AM
This signature (W32.Nachi Worm) was originally released in S54 (I'm using V4.x). The original release of this signature had the Source and Destination hosts swapped (so that the destination was actually the infected host). Signature release S55 tuned this signature to fix that problem...
My question is:
Why when I previously enabled the 'FlipAddr' with IDM (while I was at S54), did the addresses not swap? (Yes, I saved the config after tuning it :) )
Don
10-14-2003 10:00 AM
Any update on this?
10-14-2003 10:38 AM
The problem with 2156 was not that the addresses were being transposed by the sensor. The problem is that the sensor was firing on both the ICMP echo request and the echo reply. When responding to a ping, it is customary to respond with the same payload that was sent to you. The sensor was not properly restricted to only look for echo requests, so it fired on the same payload in the echo reply. Since the packets are so similar looking, it might have appeared to have flipped the addresses. With S55, there is no reason to use the FlipAddr parameter.
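The behaviour described in the reply above, shown as an added example that is not part of the original thread and is not the sensor's signature code: a payload-only ICMP match fires on both the echo request and the echoed reply, while restricting the match to type 8 leaves one alert with the correct source. `PATTERN`, the addresses and all function names are constructed for illustration.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
PATTERN = b"\xAA" * 16  # constructed placeholder, not the real signature content

def icmp_checksum(data: bytes) -> int:
    """Standard Internet checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo message (type 8 or 0, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def match(src: str, dst: str, icmp: bytes, require_request: bool):
    """Return an alert dict if the payload pattern matches, else None."""
    if len(icmp) < 8:
        return None
    icmp_type, code = icmp[0], icmp[1]
    # The tuned behaviour: only echo requests are eligible to fire.
    if require_request and (icmp_type != ECHO_REQUEST or code != 0):
        return None
    if PATTERN not in icmp[8:]:
        return None
    return {"source": src, "destination": dst, "icmp_type": icmp_type}

def run(require_request: bool):
    """Replay one constructed ping exchange and collect the alerts raised."""
    scanner, target = "10.0.0.5", "10.0.0.9"  # constructed addresses
    request = build_icmp(ECHO_REQUEST, 0x1234, 1, PATTERN)
    reply = build_icmp(ECHO_REPLY, 0x1234, 1, PATTERN)  # target echoes the payload
    packets = [(scanner, target, request), (target, scanner, reply)]
    alerts = [match(s, d, p, require_request) for s, d, p in packets]
    return [a for a in alerts if a]

if __name__ == "__main__":
    for mode in (False, True):
        print("require_request =", mode)
        for alert in run(mode):
            print("  ", alert)
```

In the unrestricted run the second alert lists the pinged host as the source, which is the pair of alerts that can look like a swapped address.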