[Snort-sigs] Re: anyone have more detail other than window size of 55808 to craft a snort rule for this

James C. Slora Jr. Jim.Slora at ...1599...
Thu Jun 12 10:42:31 EDT 2003

Michael C. Harris wrote:

> anyone have more detail?
> other than window size of 55808, so we can create a snort rule?

Here's a shot at a list of the characteristics based on the ones I am
getting.

Constants for all targets and probers:
- SYN
- Len=52
- Window size 55808
- window scale = 2
- MSS=1460
- SACK OK
- no other options

Mostly constant for a particular target - not useful for detecting other
targets:
- Sequence (was 100% constant for a target until two oddballs today)

Completely constant (so far) for a particular target:
- Dest port (not useful for finding other targets)

Variables:
- MSS (always 1460 from primary spoofed probing address, varies for other
sources)
- Source port (particular to a target, constant from primary prober and some
others, but varies according to sources)
- TTL (decrementing from 128, varies by 10 or more from primary spoofed
probing address, varies on each prober, seems to have a relationship to IP
ID).
- ID (constant from primary prober, varies with other probers, seems to have
a relationship with TTL).
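To show how the constant fields listed above (SYN only, total length 52, window 55808, window scale 2, MSS 1460, SACK OK, no other options) translate into detection logic, here is an added example that is not part of the original thread: a small Python checker that parses a raw IPv4+TCP header and its options and reports whether a packet fits the profile. The sample packet, its addresses, ports and sequence number are constructed placeholders, not captured data.

```python
import struct

def build_sample_syn() -> bytes:
    """Constructed IPv4+TCP SYN with the characteristics from the post (placeholder addresses)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 52, 0x1234, 0, 118, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # Options: MSS=1460 (kind 2), SACK OK (kind 4), window scale=2 (kind 3), EOL padding to 12 bytes
    opts = (struct.pack("!BBH", 2, 4, 1460) + struct.pack("!BB", 4, 2)
            + struct.pack("!BBB", 3, 3, 2) + b"\x00" * 3)
    data_offset = (20 + len(opts)) // 4          # 32-byte TCP header -> offset 8
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0xDEADBEEF, 0,
                      data_offset << 4, 0x02, 55808, 0, 0) + opts
    return ip + tcp                              # 20 + 32 = 52 bytes, matching Len=52

def parse_tcp_options(opts: bytes) -> dict:
    """Return MSS, window scale and SACK-OK from a TCP option field; other kinds are recorded under 'other'."""
    out = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # EOL: stop
            break
        if kind == 1:                            # NOP: single byte, no length
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:  # truncated/malformed length byte
            break
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            out["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            out["wscale"] = body[0]
        elif kind == 4:
            out["sack_ok"] = True
        else:
            out.setdefault("other", []).append(kind)
        i += length
    return out

def matches_55808_probe(pkt: bytes) -> bool:
    """True when an IPv4/TCP packet matches the constant fields listed in the post."""
    if len(pkt) < 40 or pkt[9] != 6:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:]
    offset = (tcp[12] >> 4) * 4
    flags, window = tcp[13], struct.unpack("!H", tcp[14:16])[0]
    opts = parse_tcp_options(tcp[20:offset])
    return (total_len == 52 and flags == 0x02 and window == 55808
            and opts.get("mss") == 1460 and opts.get("wscale") == 2
            and opts.get("sack_ok") is True and "other" not in opts)
```

The variable fields from the post (TTL, IP ID, source port) are deliberately not checked, since the author reports them changing across probers.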
