[Snort-sigs] RE: anyone have more detail other than window size of 55808 to craft a snort rule for this
Brian.Coyle at ...904...
Thu Jun 12 10:14:24 EDT 2003
Here's my first crack at a snort sig. It seems to be working fine so far...
alert tcp any any -> any any (msg:"WATCHLIST - 20030613-window size 0xDA00"; flags:S+; window:55808; classtype:bad-unknown; sid:9999999; rev:1;)
Be sure to adjust the SID to match your standards.
-- Brian, GCIA
From: James C. Slora Jr. [mailto:Jim.Slora at ...1599...]
Sent: Wednesday, June 11, 2003 16:54
To: Harris, Michael C.; intrusions at ...473...;
snort-sigs at lists.sourceforge.net
Subject: Re: anyone have more detail other than window size of 55808 to craft a snort rule for this
Michael C. Harris wrote
> anyone have more detail?
> other than window size of 55808, so we can create a snort rule?
Here's a shot at a list of the characteristics based on the ones I am
Constants for all targets and probers:
- Window size 55808
- window scale = 2
- SACK OK
- no other options
Mostly constant for a particular target - not useful for detecting other
- Sequence (was 100% constant for a target until two oddballs today)
Completely constant (so far) for a particular target:
- Dest port (not useful for finding other targets)
- MSS (always 1460 from primary spoofed probing address, varies for other
- Source port (particular to a target, constant from primary prober and some others, but varies according to sources)
- TTL (decrementing from 128, varies by 10 or more from primary spoofed probing address, varies on each prober, seems to have a relationship to IP
- ID (constant from primary prober, varies with other probers, seems to have a relationship with TTL).
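As an added example, not part of either post above: a small pure-Python TCP header parser that checks raw SYN headers against the two layers of detection the thread describes, the Snort rule's "flags:S+; window:55808;" test and the option constants James listed (window scale 2, SACK OK, MSS, nothing else). The packets it runs over are constructed by hand for the example, not captured probes, and the function names (snort_rule_matches, fingerprint_matches, classify) are mine.

```python
"""Check raw TCP headers against the 55808 probe fingerprint from the thread.

Added example, not code from the original posts. The packets below are
constructed by hand to exercise the checks; they are not captured probes.
"""
import struct

WINDOW_55808 = 0xDA00            # 55808 decimal, the value in the Snort rule
FLAG_SYN = 0x02
# TCP option kinds (RFC 793, RFC 7323, RFC 2018)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_OK = 0, 1, 2, 3, 4


def parse_tcp(header: bytes) -> dict:
    """Parse a TCP header (IP header already stripped) into fields and options."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    (sport, dport, seq, ack, offres, flags,
     window, csum, urg) = struct.unpack("!HHIIBBHHH", header[:20])
    data_offset = (offres >> 4) * 4
    if data_offset < 20 or data_offset > len(header):
        raise ValueError("bad data offset")
    options = []                 # list of (kind, value bytes); NOP/EOL dropped
    i = 20
    while i < data_offset:
        kind = header[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated option")
        length = header[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad option length")
        options.append((kind, header[i + 2:i + length]))
        i += length
    return {"sport": sport, "dport": dport, "seq": seq, "flags": flags,
            "window": window, "options": options}


def snort_rule_matches(pkt: dict) -> bool:
    """Same test as 'flags:S+; window:55808;': SYN set (other flags allowed)."""
    return bool(pkt["flags"] & FLAG_SYN) and pkt["window"] == WINDOW_55808


def fingerprint_matches(pkt: dict) -> bool:
    """Rule test plus the option constants from the thread: wscale 2, SACK OK,
    and no options other than those and MSS."""
    if not snort_rule_matches(pkt):
        return False
    kinds = {k for k, _ in pkt["options"]}
    if kinds - {OPT_MSS, OPT_WSCALE, OPT_SACK_OK}:
        return False             # timestamps or anything else: not this probe
    wscale = [v for k, v in pkt["options"] if k == OPT_WSCALE]
    return OPT_SACK_OK in kinds and bool(wscale) and wscale[0] == b"\x02"


def build_tcp(window: int, options: bytes, flags: int = FLAG_SYN,
              sport: int = 40000, dport: int = 80, seq: int = 0x1234) -> bytes:
    """Build a constructed test header; options are EOL-padded to 4 bytes."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset << 4,
                       flags, window, 0, 0) + options


# Constructed samples. PROBE_OPTS follows the thread: MSS 1460, wscale 2, SACK OK.
PROBE_OPTS = b"\x02\x04\x05\xb4" b"\x01" b"\x03\x03\x02" b"\x01\x01" b"\x04\x02"
LINUX_OPTS = (b"\x02\x04\x05\xb4" b"\x04\x02" b"\x08\x0a" + b"\x00" * 8
              + b"\x01" b"\x03\x03\x07")               # includes timestamps
SAMPLES = {
    "probe":        build_tcp(WINDOW_55808, PROBE_OPTS),
    "probe_ecn":    build_tcp(WINDOW_55808, PROBE_OPTS, flags=0xC2),  # SYN+CWR+ECE
    "normal_syn":   build_tcp(65535, LINUX_OPTS),
    "syn_ts_55808": build_tcp(WINDOW_55808, LINUX_OPTS),  # window matches, options do not
    "ack_55808":    build_tcp(WINDOW_55808, b"", flags=0x10),
}


def classify(header: bytes) -> tuple:
    """Return (snort_rule_hit, fingerprint_hit) for one raw TCP header."""
    pkt = parse_tcp(header)
    return snort_rule_matches(pkt), fingerprint_matches(pkt)


if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        rule, fp = classify(hdr)
        print(f"{name:13s} rule={rule!s:5s} fingerprint={fp}")
```

Running the script prints one line per constructed sample. The "syn_ts_55808" case is the one the window-only rule alerts on while the option check does not, and "probe_ecn" is why the rule uses flags:S+ rather than flags:S: a SYN with ECN bits set still has to match.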