[Snort-sigs] new Q signature
warchild at ...288...
Mon Feb 10 11:54:09 EST 2003
For a month or more now, I've been getting alerts from Snort's spp_stream4
about the TTL expiring. What's interesting is that all of these packets were
IP ID of 0
ACK + RST flags set
generally to port 80
TCP sequence number set
TCP payload 'cko'
Window size of 0
The 'cko' stuff smells of Q, but I couldn't find any *definite* proof that
it was. Many people have reported this on various lists, but I have yet to
see answers. Also, many of these people were seeing it coming from a
broadcast address, whereas I'm seeing it from addresses worldwide.
In an effort to get to the bottom of this, I wrote a signature that uses
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor traffic (Tag)"; content:"cko"; depth:3; dsize:3; tag:host,100,packets,src;)
I'm now catching a dozen or so machines per hour, but not all of them are
tripping the tag. This means that the sensor never sees any other traffic
from the source. A handful of machines do some innocent web browsing of
machines on the networks I watch, and then terminate the connection.
Seconds later, the 'cko' packet shows up from that host. Other times, a
host on my network browses a remote site, and eventually terminates the
connection. Seconds later, the 'cko' packet shows up on my doorstep from
the remote site.
I'm curious if anyone else has experienced this and/or knows what is
If you don't want to tag, use this:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor traffic"; content:"cko"; depth:3; dsize:3;)
Any information would be greatly appreciated.
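The Snort rules above key only on the 3-byte payload "cko". The post lists several other traits of the packets (IP ID 0, ACK+RST set, window 0, usually destination port 80), and checking all of them together separates this traffic from an ordinary connection teardown that happens to carry those bytes. The following Python is an added example, not code from the poster or from Snort: it parses raw IPv4/TCP bytes, reports which of the listed traits each packet has, and flags a packet only when every hard trait matches. The sample packets are constructed inline with made-up addresses and ports.

```python
import struct

TCP_RST = 0x04
TCP_ACK = 0x10
TCP_PSH = 0x08


def build_packet(ip_id, flags, window, payload, dport=80, seq=0x12345678):
    """Construct a minimal IPv4+TCP packet (no options, checksums left 0).
    Constructed test data only; addresses and ports are arbitrary."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, ip_id, 0, 64, 6, 0,
        bytes([10, 0, 0, 1]), bytes([192, 168, 1, 10]),
    )
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_tcp(pkt):
    """Return the fields we care about from a raw IPv4/TCP packet, or None if not TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_id = struct.unpack("!H", pkt[4:6])[0]
    if pkt[9] != 6:  # protocol field: 6 = TCP
        return None
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off_res, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    data_off = (off_res >> 4) * 4
    return {
        "ip_id": ip_id,
        "dport": dport,
        "seq": seq,
        "flags": flags,
        "window": window,
        "payload": tcp[data_off:],
    }


def profile_hits(pkt):
    """Evaluate each trait from the post independently so near-misses are visible."""
    f = parse_tcp(pkt)
    if f is None:
        return {}
    return {
        "ip_id_zero": f["ip_id"] == 0,
        "ack_rst": f["flags"] & (TCP_ACK | TCP_RST) == (TCP_ACK | TCP_RST),
        "window_zero": f["window"] == 0,
        "seq_set": f["seq"] != 0,
        "payload_cko": f["payload"] == b"cko",
        "dport_80": f["dport"] == 80,  # soft indicator: "generally to port 80"
    }


HARD_TRAITS = ("ip_id_zero", "ack_rst", "window_zero", "seq_set", "payload_cko")


def is_q_candidate(pkt):
    """True only when every hard trait matches; port 80 is reported but not required."""
    hits = profile_hits(pkt)
    return bool(hits) and all(hits[k] for k in HARD_TRAITS)


if __name__ == "__main__":
    samples = {
        "suspect": build_packet(0, TCP_ACK | TCP_RST, 0, b"cko"),
        "plain_rst": build_packet(4321, TCP_ACK | TCP_RST, 0, b""),
        "cko_in_data": build_packet(77, TCP_ACK | TCP_PSH, 8192, b"cko"),
    }
    for name, pkt in samples.items():
        print(name, is_q_candidate(pkt), profile_hits(pkt))
```

Run over packets pulled from a pcap (any library that hands back raw IP bytes will do), `profile_hits` shows which traits a packet lacks, which is useful for telling whether the hosts that never trip the tag are sending something slightly different from the full profile.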