[Snort-sigs] Re: anyone have more detail other than window size of 55808 to craft a snort rule for this
James C. Slora Jr.
Jim.Slora at ...1599...
Thu Jun 12 10:42:31 EDT 2003
Michael C. Harris wrote:
> anyone have more detail?
> other than window size of 55808, so we can create a snort rule?
Here's a shot at a list of the characteristics based on the ones I am
Constants for all targets and probers:
- Window size 55808
- window scale = 2
- SACK OK
- no other options
Mostly constant for a particular target - not useful for detecting other
- Sequence (was 100% constant for a target until two oddballs today)
Completely constant (so far) for a particular target:
- Dest port (not useful for finding other targets)
- MSS (always 1460 from primary spoofed probing address, varies for other
- Source port (particular to a target, constant from primary prober and some
others, but varies according to sources)
- TTL (decrementing from 128, varies by 10 or more from primary spoofed
probing address, varies on each prober, seems to have a relationship to IP
- ID (constant from primary prober, varies with other probers, seems to have
a relationship with TTL).
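The characteristics above that are constant across every target and prober (window 55808, window scale 2, SACK OK, and an MSS option that is present but varies) are the ones worth matching on. As an added example, not part of the original post or of any Snort distribution, here is a small header checker that parses a raw TCP segment and reports whether it carries exactly that fingerprint. The segment builder and the two sample segments (one shaped like the described probe, one shaped like an ordinary SYN) are constructed here for illustration; the byte layouts follow RFC 793/1323/2018 option formats.

```python
import struct

# Constants the post gives as the same for all targets and probers.
EXPECTED_WINDOW = 55808
EXPECTED_WSCALE = 2

# TCP option kinds (RFC 793, 1323, 2018).
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACKOK = 0, 1, 2, 3, 4


def parse_tcp_options(opts: bytes) -> list:
    """Return [(kind, payload)] for an options block, skipping NOP/EOL padding."""
    result, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        result.append((kind, opts[i + 2:i + length]))
        i += length
    return result


def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed 20-byte TCP header plus its options from a raw segment."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, offres, flags, window, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    data_offset = (offres >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "flags": flags,
            "window": window,
            "options": parse_tcp_options(segment[20:data_offset])}


def matches_55808_probe(segment: bytes) -> bool:
    """True when the segment carries the invariant fingerprint from the post:
    window 55808, window scale 2, SACK OK, and no options beyond those plus MSS
    (MSS is present but its value varies, so it is not checked)."""
    hdr = parse_tcp_header(segment)
    if hdr["window"] != EXPECTED_WINDOW:
        return False
    kinds = {k for k, _ in hdr["options"]}
    if kinds - {OPT_MSS} != {OPT_WSCALE, OPT_SACKOK}:
        return False
    wscale = next(p for k, p in hdr["options"] if k == OPT_WSCALE)
    return len(wscale) == 1 and wscale[0] == EXPECTED_WSCALE


def build_segment(window: int, options: bytes, sport: int = 1234, dport: int = 80,
                  seq: int = 0x12345678, flags: int = 0x02) -> bytes:
    """Constructed helper: assemble a TCP segment (SYN by default) for testing."""
    padded = options + b"\x00" * (-len(options) % 4)
    offset_words = (20 + len(padded)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                         offset_words << 4, flags, window, 0, 0)
    return header + padded


# Constructed option blocks: MSS 1460, NOP, wscale 2, NOP, NOP, SACK OK
PROBE_OPTIONS = b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x02" + b"\x01\x01\x04\x02"
# Constructed ordinary SYN: MSS 1460, SACK OK, timestamps, NOP, wscale 7
NORMAL_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8
                  + b"\x01" + b"\x03\x03\x07")


def scan(segments: list) -> list:
    """Return the indices of segments that match the fingerprint."""
    return [i for i, s in enumerate(segments) if matches_55808_probe(s)]


if __name__ == "__main__":
    samples = [build_segment(55808, PROBE_OPTIONS),
               build_segment(29200, NORMAL_OPTIONS),
               build_segment(55808, NORMAL_OPTIONS)]
    print("matching segment indices:", scan(samples))
```

The window value alone is the part a Snort rule can express directly with its `window` keyword (`window:55808;` alongside `flags:S;`); the option-layout check above is the extra discrimination the post's list supports, and it is what keeps a legitimate host that happens to advertise a 55808-byte window (third sample) from matching.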