[Snort-sigs] I need a rule for synk4.c attack

Robert Wagner rwagner at ...447...
Wed Apr 10 07:21:08 EDT 2002


Try running tcpdump and capture the entire packet, data and all: tcpdump -xX
Most of the signatures are triggered off of the content within the packet.

-----Original Message-----
From: Ali BASEL [mailto:alib at ...505...]
Sent: Wednesday, April 10, 2002 8:40 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] I need a rule for synk4.c attack


Hi,

How can I write a Snort (Snort 1.8.6) rule for the synk4.c SYN flood
(with spoofed IP) attack program?

Here is the tcpdump of the attack (destination port 80 supplied as an
argument):
cat TCP\:1368-80
04/09-17:05:43.860348 10.10.10.10:1368 -> 10.15.0.27:80
TCP TTL:30 TOS:0x0 ID:29579 IpLen:20 DgmLen:40
1*****S* Seq: 0x28376839  Ack: 0x0  Win: 0xFFFF  TcpLen: 20

I have tried the rule below to detect the attack, but it doesn't
recognize it (I have changed the sequence number of the original rule):

alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; flags:S; seq:674719801; reference:arachnids,253; classtype:attempted-dos; sid:241; rev:2;)

-- 
Regards,

Ali BASEL

Sabanci University
IT Dept.
Tel: +90 216 483 91 94
Http://people.sabanciuniv.edu/~alib


_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
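The thread leaves two questions open: whether a single-packet signature keyed on the sequence number (the posted record's Seq 0x28376839 is exactly the decimal 674719801 in the rule) sees the packets at all, and how a flood from spoofed sources is recognised when the signature does not. The following is an added example, not code from the thread or from Snort, that parses the three-line ASCII packet-log format shown in the question and runs both checks over it. The log records are constructed for this example; only the first one is the record posted above. Note that the posted record's flag field is "1*****S*", i.e. a reserved bit is set alongside SYN, so the sequence-number matcher is run both strictly (all eight flag positions must be exactly "S") and with the two reserved positions ignored. Whether synk4 keeps the sequence number fixed, and how Snort 1.8.6's flags test treats the reserved bits, is not established on this page, so the sample includes packets of both kinds.

```python
"""Parse Snort 1.x ASCII packet-log records and run two checks over them:
the fixed-sequence-number signature from the posted rule, and a
per-destination SYN-rate check that does not depend on source address
or sequence number (what a spoofed-source SYN flood actually looks like).
All log records below are constructed for this example except the first,
which is the record posted in the question.
"""
import re
from collections import defaultdict
from datetime import datetime

HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
IP_RE = re.compile(
    r"^TCP TTL:(?P<ttl>\d+) TOS:0x[0-9A-Fa-f]+ ID:(?P<id>\d+) IpLen:\d+ DgmLen:(?P<dgmlen>\d+)$")
TCP_RE = re.compile(
    r"^(?P<flags>[12UAPRSF*]{8}) +Seq: 0x(?P<seq>[0-9A-Fa-f]+) +Ack: 0x(?P<ack>[0-9A-Fa-f]+)"
    r" +Win: 0x(?P<win>[0-9A-Fa-f]+) +TcpLen: \d+$")

# Flag field layout in Snort's packet log: positions 0-1 are the reserved
# bits ("1", "2"), then U A P R S F; "*" means the bit is clear.
RESERVED = {"1", "2"}

SAMPLE_LOG = """
04/09-17:05:43.860348 10.10.10.10:1368 -> 10.15.0.27:80
TCP TTL:30 TOS:0x0 ID:29579 IpLen:20 DgmLen:40
1*****S* Seq: 0x28376839  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
04/09-17:05:43.861002 10.15.0.27:80 -> 10.10.10.10:1368
TCP TTL:64 TOS:0x0 ID:4410 IpLen:20 DgmLen:40
***A**S* Seq: 0x5D2E1F00  Ack: 0x2837683A  Win: 0x4000  TcpLen: 20
04/09-17:05:43.870000 10.20.3.5:3344 -> 10.15.0.40:22
TCP TTL:63 TOS:0x0 ID:1201 IpLen:20 DgmLen:40
******S* Seq: 0x11223344  Ack: 0x0  Win: 0x4000  TcpLen: 20
04/09-17:05:43.901211 192.0.2.77:1368 -> 10.15.0.27:80
TCP TTL:30 TOS:0x0 ID:29580 IpLen:20 DgmLen:40
1*****S* Seq: 0x28376839  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
04/09-17:05:43.944870 198.51.100.4:1368 -> 10.15.0.27:80
TCP TTL:30 TOS:0x0 ID:29581 IpLen:20 DgmLen:40
1*****S* Seq: 0x7A11C0DE  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
04/09-17:05:43.990132 203.0.113.250:1368 -> 10.15.0.27:80
TCP TTL:30 TOS:0x0 ID:29582 IpLen:20 DgmLen:40
1*****S* Seq: 0x0BADF00D  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
04/09-17:05:44.037555 10.10.10.10:1369 -> 10.15.0.27:80
TCP TTL:30 TOS:0x0 ID:29583 IpLen:20 DgmLen:40
1*****S* Seq: 0x28376839  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
04/09-17:05:44.081003 172.16.44.9:1370 -> 10.15.0.27:80
TCP TTL:30 TOS:0x0 ID:29584 IpLen:20 DgmLen:40
******S* Seq: 0x28376839  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
04/09-17:05:46.500000 10.20.3.5:3345 -> 10.15.0.40:22
TCP TTL:63 TOS:0x0 ID:1202 IpLen:20 DgmLen:40
******S* Seq: 0x11223345  Ack: 0x0  Win: 0x4000  TcpLen: 20
"""


def _ts_seconds(ts):
    """Log timestamps carry no year; only differences between them matter here."""
    dt = datetime.strptime(ts, "%m/%d-%H:%M:%S.%f")
    return (dt - datetime(1900, 1, 1)).total_seconds()


def parse_snort_log(text):
    """Return one dict per three-line TCP record; raise on anything unparseable."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError("truncated record at end of log")
    records = []
    for i in range(0, len(lines), 3):
        h, ip, tcp = HEADER_RE.match(lines[i]), IP_RE.match(lines[i + 1]), TCP_RE.match(lines[i + 2])
        if not (h and ip and tcp):
            raise ValueError(f"unparseable record starting at line {i + 1}: {lines[i]!r}")
        records.append({
            "ts": _ts_seconds(h["ts"]), "src": h["src"], "sport": int(h["sport"]),
            "dst": h["dst"], "dport": int(h["dport"]), "ttl": int(ip["ttl"]),
            "flags": set(tcp["flags"]) - {"*"},          # letters of the bits that are set
            "seq": int(tcp["seq"], 16), "ack": int(tcp["ack"], 16), "win": int(tcp["win"], 16),
        })
    return records


def is_syn_only(rec, ignore_reserved=True):
    """True when SYN is the only TCP flag set (optionally disregarding reserved bits)."""
    flags = rec["flags"] - RESERVED if ignore_reserved else rec["flags"]
    return flags == {"S"}


def match_seq_rule(records, seq=0x28376839, ignore_reserved=True):
    """Packets the posted rule is after: SYN-only with this exact sequence number."""
    return [r for r in records if is_syn_only(r, ignore_reserved) and r["seq"] == seq]


def detect_syn_flood(records, window=1.0, threshold=5):
    """Per (dst, dport): peak SYN count in any sliding window and the number of
    distinct sources in that window. Source and seq are ignored on purpose,
    because a spoofing flood varies both."""
    by_target = defaultdict(list)
    for r in records:
        if is_syn_only(r):
            by_target[(r["dst"], r["dport"])].append(r)
    alerts = {}
    for target, syns in by_target.items():
        syns.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(syns)):
            while syns[end]["ts"] - syns[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["syns_in_window"]):
                srcs = {r["src"] for r in syns[start:end + 1]}
                best = {"syns_in_window": count, "distinct_sources": len(srcs)}
        if best:
            alerts[target] = best
    return alerts


if __name__ == "__main__":
    recs = parse_snort_log(SAMPLE_LOG)
    print("seq rule, reserved bits ignored:", len(match_seq_rule(recs)))
    print("seq rule, strict flag match:    ", len(match_seq_rule(recs, ignore_reserved=False)))
    for (dst, dport), a in detect_syn_flood(recs).items():
        print(f"SYN flood toward {dst}:{dport}: {a['syns_in_window']} SYNs in 1 s "
              f"from {a['distinct_sources']} sources")
```

Run against the sample, the strict matcher sees one packet while the reserved-bit-tolerant one sees four, and the rate check flags 10.15.0.27:80 on six SYNs from five sources within a quarter of a second while leaving the two unrelated SYNs to 10.15.0.40:22 alone. The window and threshold are parameters because sane values depend on the host's normal connection rate, which this page does not give.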