[Snort-sigs] new Q signature

Hall, Andrew (DPRS) AndrewR.hall at ...1277...
Mon Feb 10 13:18:07 EST 2003


If you are seeing something where the TTL decrements all the way to 1, then you
probably have a routing loop.  I.e., are the destinations actually used in
your address space?  If not, what can happen is that your border router
will route the address into your network, while your next device inside
the border router will route it back by its default route.

Just something to check.


-----Original Message-----
From: Jon [mailto:warchild at ...288...] 
Sent: Tuesday, 11 February 2003 6:53 AM
To: snort-sigs at lists.sourceforge.net
Cc: focus-ids at ...113...
Subject: [Snort-sigs] new Q signature


For a month or more now, I've been getting alerts from Snort
about the TTL expiring.  What's interesting is that all of these packets
were nearly identical:

IP ID of 0
ACK + RST flags set
generally to port 80
TCP sequence number set
TCP payload 'cko'
Window size of 0

The 'cko' stuff smells of Q, but I couldn't find any *definite* proof
that it was.  Many people have reported this on various lists, but I
have yet to see answers.  Also, many of these people were seeing it
coming from a broadcast address, whereas I'm seeing it from addresses

In an effort to get to the bottom of this, I wrote a signature that uses

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor
traffic (Tag)"; content:"cko"; depth:3; dsize:3;

I'm now catching a dozen or so machines per hour, but not all of them
are tripping the tag.  This means that the sensor never sees any other
traffic from the source.  A handful of machines do some innocent web
browsing of machines on the networks I watch, and then terminate the
connection. Seconds later, the 'cko' packet shows up from that host.
Other times, a host on my network browses a remote site, and eventually
terminates the connection.  Seconds later, the 'cko' packet shows up on
my doorstep from the remote site.

I'm curious if anyone else has experienced this and/or knows what is
causing it.

If you don't want to tag, use this:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor traffic"; content:"cko"; depth:3; dsize:3;)

Any information would be greatly appreciated.
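As an added example (not part of this thread or of Snort), here is a small pure-Python matcher that parses raw IPv4/TCP bytes and applies the packet traits listed above: the content/dsize check from the rule, plus IP ID 0, ACK+RST and window 0. The packets are constructed test data; the helper names (build_packet, parse_tcp, is_cko_content, is_q_fingerprint) are my own.

```python
import struct

ACK, RST = 0x10, 0x04  # TCP flag bits


def build_packet(src, dst, sport, dport, flags, ip_id, ttl, window, payload):
    """Build a minimal IPv4+TCP packet (constructed data, checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1A2B3C4D, 0,
                      5 << 4, flags, window, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ip_id, 0, ttl, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp + payload


def parse_tcp(pkt):
    """Return the header fields we care about, or None if not TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_id = struct.unpack("!H", pkt[4:6])[0]
    ttl, proto = pkt[8], pkt[9]
    if proto != 6:
        return None
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off, flags, win = struct.unpack("!HHIIBBH", tcp[:16])
    doff = (off >> 4) * 4
    return {"ip_id": ip_id, "ttl": ttl, "dport": dport, "flags": flags,
            "win": win, "payload": tcp[doff:]}


def is_cko_content(pkt):
    """Same condition as content:"cko"; depth:3; dsize:3; (payload is exactly 'cko')."""
    p = parse_tcp(pkt)
    return p is not None and p["payload"] == b"cko"


def is_q_fingerprint(pkt):
    """Full set of traits from the report: payload, ACK+RST, IP ID 0, window 0."""
    p = parse_tcp(pkt)
    return (is_cko_content(pkt)
            and p["flags"] & (ACK | RST) == (ACK | RST)
            and p["ip_id"] == 0 and p["win"] == 0)
```

Matching on the header traits as well as the 3-byte payload cuts down on false positives from ordinary packets that happen to carry "cko".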


