[Snort-sigs] I need a rule for synk4.c attack

Ali BASEL alib at ...505...
Thu Apr 11 04:09:18 EDT 2002


Hi,

I have dumped the packet with tcpdump -xX:
17:38:26.440348 10.10.10.10.1322 > 10.15.0.27.http: SW 
674719801:674719801(0) win 65535
0x0000   4500 0028 8ea8 0000 1e06 efea 0a0a 0a0a        E..(............
0x0010   0a0f 001b 052a 0050 2837 6839 0000 0000        .....*.P(7h9....
0x0020   5082 ffff fb3a 0000                            P....:..

And I have studied the source code of the program; there is no data at 
all. Then I have made this change in the source code:
  th.fin=1 (tcp header fin bit)
to send FIN bit also, and executed the program.
Here is the tcpdump:
12:27:16.970348 10.10.10.10.sa-msg-port > 10.15.0.27.http: SFW 
674719801:674719801(0) win 65535
0x0000   4500 0028 5cfa 0000 1e06 2199 0a0a 0a0a        E..(\.....!.....
0x0010   0a0f 001b 066e 0050 2837 6839 0000 0000        .....n.P(7h9....
0x0020   5183 ffff f8f5 0000                            Q.......

And snort sees it as a portscan:
SNORT-INTRUSION-DETECTION-ALERT-MIB::sidaAlertMsg.7.26 spp_portscan: 
portscan status from 10.10.10.10: 1 connections across 1 hosts: TCP(1), 
UDP(0)
SNORT-INTRUSION-DETECTION-ALERT-MIB::sidaAlertSrcAddress.7.27 "10.10.10.10"
SNORT-INTRUSION-DETECTION-ALERT-MIB::sidaAlertScanDuration.7.27 495
SNORT-INTRUSION-DETECTION-ALERT-MIB::sidaAlertScannedHosts.7.27 1
SNORT-INTRUSION-DETECTION-ALERT-MIB::sidaAlertTCPScanCount.7.27 1
SNORT-INTRUSION-DETECTION-ALERT-MIB::sidaAlertUDPScanCount.7.27 0
SNORT-INTRUSION-DETECTION-ALERT-MIB::sidaAlertEventStatus.7.27 inProgress

But I wonder why snort cannot detect it when there is no FIN bit?

What should I do?

P.S.: If you want, I can send the program also (synk4.c).

Thanks.
Ali

Robert Wagner wrote:

> Try running TCPDUMP and capture the entire packet - data and all.  TCPDUMP
> -xX
> Most of the signatures are triggered off of the content within the packet.
> 
> -----Original Message-----
> From: Ali BASEL [mailto:alib at ...505...]
> Sent: Wednesday, April 10, 2002 8:40 AM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] I need a rule for synk4.c attack
> 
> 
> Hi,
> 
> How can I write a snort (snort 1.8.6) rule for the synk4.c syn flood 
> (with spoofed IP) attack program?
> 
> Here is the tcpdump of the attack: (destination port 80 supplied as an 
> argument)
> cat TCP\:1368-80
> 04/09-17:05:43.860348 10.10.10.10:1368 -> 10.15.0.27:80
> TCP TTL:30 TOS:0x0 ID:29579 IpLen:20 DgmLen:40
> 1*****S* Seq: 0x28376839  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
> 
> I have tried the above rule to detect the attack, but it doesn't 
> recognize it (I have changed the sequence number of the original rule)
> 
> alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; 
> flags: S; seq: 674719801; reference:arachnids,253; 
> classtype:attempted-dos; sid:241; rev:2;)
> 
> 

-- 
Regards,

Ali BASEL

Sabanci University
IT Dept.
Tel: +90 216 483 91 94
Http://people.sabanciuniv.edu/~alib
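The two hex dumps in this thread are enough to answer the question without the program itself. The following decoder is an added example (mine, not code from the thread, from synk4.c or from Snort) that rebuilds the raw packet from the `tcpdump -xX` lines quoted above, pulls out the IP and TCP header fields, and renders the TCP flag byte both the way tcpdump prints it and the way Snort prints it (`12UAPRSF`, with `*` for unset bits, the notation seen in the `1*****S*` line of the original post). It also models the plain `flags:` test of a Snort rule, which requires the packet's flag byte to equal the listed bits exactly: the packet in the first dump carries flag byte 0x82, i.e. SYN plus reserved bit 1, so it is not equal to `S` alone. Snort's manual documents a mask form such as `flags:S,12` for ignoring the two reserved bits; whether the 1.8.6 build in the thread supports it is not something the thread confirms, so the `ignore` parameter below is a model of that mask, not a claim about that version. The dump strings are copied from the thread; everything else in the block is mine.

```python
import re
import struct

# The two tcpdump -xX dumps quoted in the thread, embedded as inline
# strings so the decoder runs offline (raw strings keep the "\" in the
# ASCII column intact).
DUMP_SYN = r"""
0x0000   4500 0028 8ea8 0000 1e06 efea 0a0a 0a0a        E..(............
0x0010   0a0f 001b 052a 0050 2837 6839 0000 0000        .....*.P(7h9....
0x0020   5082 ffff fb3a 0000                            P....:..
"""

DUMP_SYN_FIN = r"""
0x0000   4500 0028 5cfa 0000 1e06 2199 0a0a 0a0a        E..(\.....!.....
0x0010   0a0f 001b 066e 0050 2837 6839 0000 0000        .....n.P(7h9....
0x0020   5183 ffff f8f5 0000                            Q.......
"""

# A hex column of tcpdump -xX: one or two bytes as hex digits.
HEX_WORD = re.compile(r"^(?:[0-9a-f]{2}){1,2}$", re.I)

# Flag letters in the order tcpdump prints them (SYN before FIN, so that
# 0x83 renders as "SFW" exactly as in the thread's second dump).
TCPDUMP_FLAGS = [(0x02, "S"), (0x01, "F"), (0x04, "R"), (0x08, "P"),
                 (0x20, "U"), (0x40, "E"), (0x80, "W")]
# Snort's "12UAPRSF" order: reserved bit 1, reserved bit 2, URG, ACK, PSH, RST, SYN, FIN.
SNORT_FLAGS = [(0x80, "1"), (0x40, "2"), (0x20, "U"), (0x10, "A"),
               (0x08, "P"), (0x04, "R"), (0x02, "S"), (0x01, "F")]


def hexdump_to_bytes(dump):
    """Collect the hex columns of a tcpdump -xX dump into raw packet bytes."""
    raw = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].lower().startswith("0x"):
            continue  # not a hex line (blank, summary line, etc.)
        for tok in tokens[1:]:
            if not HEX_WORD.match(tok):
                break  # reached the ASCII column on the right
            raw.extend(bytes.fromhex(tok))
    # Trust the IP total length rather than whatever trailed the hex columns.
    total_len = struct.unpack("!H", raw[2:4])[0]
    return bytes(raw[:total_len])


def tcpdump_flag_string(flags):
    letters = "".join(ch for bit, ch in TCPDUMP_FLAGS if flags & bit)
    return letters or "."  # tcpdump prints "." for an ACK-only segment


def snort_flag_string(flags):
    return "".join(ch if flags & bit else "*" for bit, ch in SNORT_FLAGS)


def decode(dump):
    """Parse one IPv4/TCP packet out of a tcpdump -xX dump into a dict of fields."""
    pkt = hexdump_to_bytes(dump)
    ihl = (pkt[0] & 0x0F) * 4                 # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    ttl, proto = pkt[8], pkt[9]
    if proto != 6:
        raise ValueError("not a TCP packet (protocol %d)" % proto)
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    data_off = (tcp[12] >> 4) * 4             # TCP header length in bytes
    flags = tcp[13]
    window = struct.unpack("!H", tcp[14:16])[0]
    return {
        "src": src, "dst": dst, "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": window,
        "tcpdump_flags": tcpdump_flag_string(flags),
        "snort_flags": snort_flag_string(flags),
        "payload_len": len(tcp) - data_off,   # 0 here: nothing for content: to match
    }


def matches_exact_flags(flags, wanted, ignore=0):
    """Model of Snort's plain flags:<bits> test: the flag byte must equal the
    wanted bits exactly, apart from bits the rule's mask says to ignore.
    (The mask is a model of the documented flags:S,12 form; whether the
    1.8.6 build in the thread accepts it is an assumption, not confirmed.)"""
    return (flags & ~ignore & 0xFF) == wanted


if __name__ == "__main__":
    for label, dump in (("SYN only", DUMP_SYN), ("SYN+FIN", DUMP_SYN_FIN)):
        p = decode(dump)
        print("%s: %s:%d -> %s:%d seq=%d flags=0x%02x tcpdump=%s snort=%s payload=%d" % (
            label, p["src"], p["sport"], p["dst"], p["dport"], p["seq"],
            p["flags"], p["tcpdump_flags"], p["snort_flags"], p["payload_len"]))
        print("  plain flags:S matches:", matches_exact_flags(p["flags"], 0x02))
        print("  flags:S ignoring reserved bits:", matches_exact_flags(p["flags"], 0x02, ignore=0xC0))
```

Run it and the first packet decodes to flag byte 0x82, rendered `SW` by tcpdump and `1*****S*` by Snort, with sequence number 674719801 and zero payload; `matches_exact_flags(0x82, 0x02)` is False, while ignoring the reserved bits makes it True. That the packet carries no data also explains the reply in the thread: a rule that keys on `content:` has nothing to inspect in a bare SYN.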
