[Snort-sigs] I need a rule for synk4.c attack

Burak DAYIOGLU dayioglu at ...508...
Wed Apr 10 08:33:10 EDT 2002


Hello,
For the packet below, the rule you have hacked up from 241/2 is correct.
It works for me here.

I checked the source for an alternative signature but it seems that the
TCP seq is the only candidate.

regards,
-bd

Ali BASEL wrote:

> How can I write a snort (snort 1.8.6) rule for the synk4.c syn flood
> (with spoofed IP) attack program?
> Here is the tcpdump of the attack: (destination port 80 supplied as an
> argument)
> cat TCP\:1368-80
> 04/09-17:05:43.860348 10.10.10.10:1368 -> 10.15.0.27:80
> TCP TTL:30 TOS:0x0 ID:29579 IpLen:20 DgmLen:40
> 1*****S* Seq: 0x28376839  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
>
> I have tried the above rule to detect the attack, but it doesn't
> recognize it (I have changed the sequence number of the original rule).
>
> alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft 
> synflood"; flags: S; seq: 674719801; reference:arachnids,253; 
> classtype:attempted-dos; sid:241; rev:2;)


-- 
Burak DAYIOGLU
Phone: +90 312 2103379      Fax: +90 312 2103333
http://www.dayioglu.net        ICQ UIN: 72276975
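As an added illustration (not code from either poster), the signature discussed above, a lone SYN carrying the fixed sequence number 0x28376839 (decimal 674719801, the seq in sid 241), applied in Python to Snort 1.8 text-log records like the one quoted in the thread. The sample log is constructed; the function names are my own. Note that this check ignores the two reserved flag bits, which the quoted packet has set (the leading '1' in '1*****S*'), whereas how Snort's own flags option treats those bits depends on the modifier used in the rule.

```python
import re

# Sequence number in Snort sid 241 rev 2: 674719801 is 0x28376839, the Seq
# of the SYN packet quoted in the thread.
FIXED_SEQ = 674719801

# Snort 1.8 text-log layout from the thread: address line, IP line (skipped),
# then a TCP line "12UAPRSF Seq: 0x.. Ack: 0x.. Win: 0x..".
ADDR_RE = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$")
TCP_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)")

def parse_records(log):
    """Yield one dict per packet: endpoints, flag string, seq and ack."""
    rec = None
    for raw in log.splitlines():
        line = raw.strip()
        m = ADDR_RE.match(line)
        if m:
            rec = {"src": m.group(1), "sport": int(m.group(2)),
                   "dst": m.group(3), "dport": int(m.group(4))}
            continue
        m = TCP_RE.match(line)
        if m and rec is not None:
            rec.update(flags=m.group(1), seq=int(m.group(2), 16), ack=int(m.group(3), 16))
            yield rec
            rec = None

def is_syn_only(flags):
    """SYN set with U/A/P/R/F clear; the reserved bits (positions 0-1) are
    ignored so the thread's '1*****S*' packet still counts as a lone SYN."""
    return flags[6] == "S" and all(c == "*" for c in flags[2:6] + flags[7])

def matches_synk4(rec):
    """Port-independent like the 'any <> any' rule: lone SYN with the fixed seq."""
    return is_syn_only(rec["flags"]) and rec["seq"] == FIXED_SEQ

def find_hits(log):
    """Return (src, dst, dport) for every record matching the signature."""
    return [(r["src"], r["dst"], r["dport"]) for r in parse_records(log) if matches_synk4(r)]

# Constructed sample: the thread's packet plus a SYN/ACK reusing the same seq.
SAMPLE_LOG = """\
04/09-17:05:43.860348 10.10.10.10:1368 -> 10.15.0.27:80
TCP TTL:30 TOS:0x0 ID:29579 IpLen:20 DgmLen:40
1*****S* Seq: 0x28376839  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
04/09-17:05:44.000002 10.15.0.27:80 -> 192.0.2.5:40000
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60
***A**S* Seq: 0x28376839  Ack: 0x1A2B3C4E  Win: 0xFFFF  TcpLen: 40
"""
```

Running find_hits(SAMPLE_LOG) reports only the first record, since the SYN/ACK fails the lone-SYN check despite carrying the same sequence number.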