[Snort-sigs] I need a rule for synk4.c attack
alib at ...505...
Fri Apr 12 04:47:09 EDT 2002
Robert Wagner wrote:
> Try creating a basic snort signature like alert tcp any any -> any 80
I think you couldn't have had the possibility to try the program.
> alert tcp any any -> $HOME_NET 80 (msg:"synk4.c attack"; content: "|50 82 ff ff fb 3a 00 00|"; tag: session, 300, packets;)
I have tried your rule (I have shortened the content to "|00 50 82 ff ff|", because the remaining bytes are changing also),
unfortunately it can't recognize the attack!
> I believe most of what you are showing below is the TCP header. 0a0f
> translates to 10.15.0.27 There are some port and checksum information
> following. I am assuming this is a TCP packet.
Yes, of course.
Meanwhile, when the synk4 program attacks, snort can detect for example the
"TELNET login incorrect" signature to the same destination.
I wonder, does snort require a reply packet in order to check the
content of the first packet? If not, why can it not recognize these
easy packets?
And another question: the content in a rule, can it be the headers of the
packet, or must the content be in the data portion of the packet?
(Is there any documentation which explains how snort processes packet
> -----Original Message-----
> From: Ali BASEL [mailto:alib at ...505...]
> Sent: Thursday, April 11, 2002 6:07 AM
> To: Robert Wagner
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] I need a rule for synk4.c attack
> I have dumped the packet with tcpdump -xX:
> 17:38:26.440348 10.10.10.10.1322 > 10.15.0.27.http: SW
> 674719801:674719801(0) win 65535
> 0x0000 4500 0028 8ea8 0000 1e06 efea 0a0a 0a0a E..(............
> 0x0010 0a0f 001b 052a 0050 2837 6839 0000 0000 .....*.P(7h9....
> 0x0020 5082 ffff fb3a 0000 P....:..
> And I have studied the source code of the program; there is no data at
> all. Then I have made this change in the source code:
> th.fin=1 (tcp header fin bit)
> to send FIN bit also, and executed the program.
> Here is the tcpdump:
> 12:27:16.970348 10.10.10.10.sa-msg-port > 10.15.0.27.http: SFW
> 674719801:674719801(0) win 65535
> 0x0000 4500 0028 5cfa 0000 1e06 2199 0a0a 0a0a E..(\.....!.....
> 0x0010 0a0f 001b 066e 0050 2837 6839 0000 0000 .....n.P(7h9....
> 0x0020 5183 ffff f8f5 0000 Q.......
> And snort sees it as a portscan:
> SNORT-INTRUSION-DETECTION-ALERT-MIB::sidaAlertMsg.7.26 spp_portscan:
> portscan status from 10.10.10.10: 1 connections across 1 hosts: TCP(1),
> SNORT-INTRUSION-DETECTION-ALERT-MIB::sidaAlertScanDuration.7.27 495
> SNORT-INTRUSION-DETECTION-ALERT-MIB::sidaAlertScannedHosts.7.27 1
> SNORT-INTRUSION-DETECTION-ALERT-MIB::sidaAlertTCPScanCount.7.27 1
> SNORT-INTRUSION-DETECTION-ALERT-MIB::sidaAlertUDPScanCount.7.27 0
> SNORT-INTRUSION-DETECTION-ALERT-MIB::sidaAlertEventStatus.7.27 inProgress
> But, I wonder why snort can not detect it when there is no FIN bit ?
> What should I do ?
> P.S.: If you want, I can send the program also (synk4.c).
> Robert Wagner wrote:
>>Try running TCPDUMP and capture the entire packet - data and all.
>>Most of the signature are triggered off of the content within the packet.
>>From: Ali BASEL [mailto:alib at ...505...]
>>Sent: Wednesday, April 10, 2002 8:40 AM
>>To: snort-sigs at lists.sourceforge.net
>>Subject: [Snort-sigs] I need a rule for synk4.c attack
>>How can I write a snort (snort 1.8.6) rule for the synk4.c syn flood
>>(with spoofed IP) attack program ?
>>Here is the tcpdump of the attack:(destination port 80 supplied as an
>>04/09-17:05:43.860348 10.10.10.10:1368 -> 10.15.0.27:80
>>TCP TTL:30 TOS:0x0 ID:29579 IpLen:20 DgmLen:40
>>1*****S* Seq: 0x28376839 Ack: 0x0 Win: 0xFFFF TcpLen: 20
>>I have tried the above rule to detect the attack, but it doesn't
>>recognize it (I have changed the sequence number of the original rule):
>>alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood";
>>flags: S; seq: 674719801; reference:arachnids,253;
>>classtype:attempted-dos; sid:241; rev:2;)
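On the question of whether content: can match header bytes: Snort's content option searches only the application payload, and DgmLen:40 in the dump above is 20 bytes of IP header plus 20 bytes of TCP header with nothing after it, so a content rule can never fire on this SYN and only header options (flags, seq, ttl, dsize) can describe it. The added Python example below is not from the thread; it decodes the first tcpdump -xX dump posted above (hex copied from that dump), verifies both checksums, and shows where a content byte string is and is not found.

```python
import struct

# Hex words copied from the first tcpdump -xX dump in the thread (the SYN with no payload).
SYNK4_SYN_HEX = ("4500 0028 8ea8 0000 1e06 efea 0a0a 0a0a "
                 "0a0f 001b 052a 0050 2837 6839 0000 0000 "
                 "5082 ffff fb3a 0000")
SYNK4_SYN = bytes.fromhex(SYNK4_SYN_HEX.replace(" ", ""))

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a buffer whose checksum is valid folds to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ip_tcp(packet: bytes) -> dict:
    """Decode IPv4 and TCP headers; return the fields a header-option rule can test."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    ttl, proto = packet[8], packet[9]
    src, dst = packet[12:16], packet[16:20]
    tcp = packet[ihl:total_len]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))  # TCP pseudo-header
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
        "flag_byte": off_flags & 0xFF,           # 0x82 here: SYN plus the high reserved bit
        "syn": bool(off_flags & 0x02), "fin": bool(off_flags & 0x01),
        "ip_csum_ok": inet_checksum(packet[:ihl]) == 0,
        "tcp_csum_ok": inet_checksum(pseudo + tcp) == 0,
        "payload": tcp[data_off:],               # the only bytes Snort's content: option searches
    }

def content_hits(packet: bytes, needle: bytes) -> dict:
    """Whether a content: byte string sits in the payload (rule can match) or only in headers (it cannot)."""
    fields = parse_ip_tcp(packet)
    return {"in_payload": needle in fields["payload"], "in_headers": needle in packet}

if __name__ == "__main__":
    f = parse_ip_tcp(SYNK4_SYN)
    print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} seq={f['seq']} "
          f"syn={f['syn']} fin={f['fin']} payload_len={len(f['payload'])}")
    print(content_hits(SYNK4_SYN, bytes.fromhex("5082ffff")))
```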