[Snort-devel] extend rules options to check tcp win size

m.stiefenhofer at ...2049... m.stiefenhofer at ...2049...
Mon Jun 23 04:46:08 EDT 2003


I've read some interesting article about 55808 Trojans 
(http://www.intrusec.com/55808.html). At the moment it seems impossible to 
scan for traffic caused by those trojans, because snort does not feature 
rules that check for a specific TCP win size.

A quick check on our outside network shows a lot of traffic caused by 
these trojans:
tcpdump "tcp[14:2]=55808" (around one packet per second).

Although the specific trojan which has been analyzed seems more like a 
proof of concept, I guess more of those 3rd generation trojans will soon 

Hase someone ever thought about extending snorts capabilities to check the 
win size?

Best regards
Marek Stiefenhofer

More information about the Snort-devel mailing list