[Snort-sigs] RE: anyone have more detail other than window size of 55808 to c raft a snort rule for this

Smith, Donald Donald.Smith at ...89...
Tue Jun 17 05:48:17 EDT 2003


No one has reported more than the SYN flag.
Why are you using S+? (I think that's a bit flag comparison, so it may not cost
anything extra; just wondering.)

Also, for the snort-sigs list: I would think the hex DA00 would be a faster
match than the decimal 55808, but that is just based on the fact that you
probably have to convert the window from hex to decimal to do a decimal test.


Donald.Smith at ...89... GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
When packets collide the controllers cease transmission AND wait a random
time before retransmission (mostly)!

> -----Original Message-----
> From: Coyle, Brian [mailto:Brian.Coyle at ...904...]
> Sent: Thursday, June 12, 2003 11:12 AM
> To: intrusions at ...473...
> Cc: snort-sigs at lists.sourceforge.net
> Subject: RE: anyone have more detail other than window size of 55808 to
> craft a snort rule for this
> 
> 
> Here's my first crack at a snort sig.  It seems to be working 
> fine so far...
> 
>   alert tcp any any -> any any (msg:"WATCHLIST - 20030613-window size 0xDA00"; \
>     flags: S+; window: 55808; classtype:bad-unknown; sid:9999999; rev:1; \
>     reference:url,cert.uni-stuttgart.de/archive/intrusions/2003/06/msg00146.html; \
>     reference:url,www.gcn.com/vol1_no1/daily-updates/22371-1.html; \
>     reference:url,www.securityfocus.com/archive/75/324348/2003-06-09/2003-06-15/0;)
> 
> Be sure to adjust the SID to match your standards.
> 
> 
>                                     -- Brian, GCIA
> 
> 
> 
> -----Original Message-----
> From: James C. Slora Jr. [mailto:Jim.Slora at ...1599...]
> Sent: Wednesday, June 11, 2003 16:54
> To: Harris, Michael C.; intrusions at ...473...;
> snort-sigs at lists.sourceforge.net
> Subject: Re: anyone have more detail other than window size of 55808 to
> craft a snort rule for this
> 
> 
> Michael C. Harris wrote
> 
> 
> > anyone have more detail?
> > other than window size of 55808, so we can create a snort rule?
> 
> Here's a shot at a list of the characteristics based on the ones I am
> getting.
> 
> Constants for all targets and probers:
> - SYN
> - Len=52
> - Window size 55808
> - window scale = 2
> - MSS=1460
> - SACK OK
> - no other options
> 
> Mostly constant for a particular target - not useful for detecting other
> targets:
> - Sequence (was 100% constant for a target until two oddballs today)
> 
> Completely constant (so far) for a particular target:
> - Dest port (not useful for finding other targets)
> 
> Variables:
> - MSS (always 1460 from primary spoofed probing address, varies for other
>   sources)
> - Source port (particular to a target, constant from primary prober and some
>   others, but varies according to sources)
> - TTL (decrementing from 128, varies by 10 or more from primary spoofed
>   probing address, varies on each prober, seems to have a relationship to IP
>   ID)
> - ID (constant from primary prober, varies with other probers, seems to have
>   a relationship with TTL)
> 
> 
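The two tests discussed in this thread, as an added example that is not code posted by anyone on the list: Brian's rule logic (SYN bit set, window 55808, which is the same integer as 0xDA00, so hex versus decimal in the rule text makes no difference once the rule is parsed) and a tighter check built from the constants James listed. The packets are constructed inline with struct, not captures, and "Len=52" is assumed here to mean the IP total length (20-byte IP header plus a 32-byte TCP header carrying 12 bytes of options).

```python
"""Offline check for the 'window size 55808' SYN fingerprint from the thread.
Added example, not code from the list.  Assumption: "Len=52" is the IP total
length (20-byte IP header + 32-byte TCP header).  All packets are constructed.
"""
import struct

WINDOW_55808 = 0xDA00   # == 55808; the comparison is on an integer either way
TCP_SYN = 0x02
IP_PROTO_TCP = 6


def build_packet(window, flags, options=b"", src_port=1234, dst_port=80,
                 ttl=128, ip_id=1):
    """Constructed IPv4+TCP packet; checksums left zero (not checked here)."""
    options += b"\x00" * (-len(options) % 4)        # pad to a 4-byte boundary
    tcp_len = 20 + len(options)
    off_flags = ((tcp_len // 4) << 12) | flags        # data offset in 32-bit words
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, 0x1000, 0,
                      off_flags, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id, 0, ttl,
                     IP_PROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


def parse_tcp_options(raw):
    """Walk the TCP option list; stop on EOL or a malformed length."""
    opts = {"other": []}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of option list
            break
        if kind == 1:                       # NOP padding
            i += 1
            continue
        if i + 1 >= len(raw):
            break
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            break                           # malformed; never overread
        body = raw[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            opts["wscale"] = body[0]
        elif kind == 4:
            opts["sack_ok"] = True
        else:
            opts["other"].append(kind)
        i += length
    return opts


def parse_packet(pkt):
    """Return the fields the thread cares about, or None if not IPv4/TCP."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != IP_PROTO_TCP:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", pkt[2:6])
    tcp = pkt[ihl:total_len]
    src, dst, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    return {"src_port": src, "dst_port": dst, "seq": seq,
            "flags": off_flags & 0x01FF, "window": window, "ip_len": total_len,
            "ttl": pkt[8], "ip_id": ip_id,
            "options": parse_tcp_options(tcp[20:data_off])}


def matches_rule(info):
    """Brian's rule: flags:S+ (SYN set, other bits ignored) and window:55808."""
    return (info is not None and bool(info["flags"] & TCP_SYN)
            and info["window"] == WINDOW_55808)


def matches_profile(info):
    """James's constants: bare SYN, Len=52, MSS 1460, wscale 2, SACK OK, no other options."""
    if not matches_rule(info):
        return False
    o = info["options"]
    return (info["flags"] == TCP_SYN and info["ip_len"] == 52
            and o.get("mss") == 1460 and o.get("wscale") == 2
            and o.get("sack_ok") is True and not o["other"])


# MSS 1460, NOP, wscale 2, NOP, NOP, SACK OK: 12 option bytes, TCP header 32 bytes
PROBE_OPTS = b"\x02\x04\x05\xb4" b"\x01" b"\x03\x03\x02" b"\x01\x01" b"\x04\x02"

SAMPLES = {                                 # constructed, not captured traffic
    "probe":      build_packet(55808, TCP_SYN, PROBE_OPTS),
    "syn_noopts": build_packet(0xDA00, TCP_SYN),          # rule hits, profile does not
    "syn_ecn":    build_packet(55808, TCP_SYN | 0xC0, PROBE_OPTS),  # S+ still hits
    "ack_55808":  build_packet(55808, 0x10),              # same window, no SYN
    "syn_other":  build_packet(8192, TCP_SYN, PROBE_OPTS),
}


def classify(pkt):
    info = parse_packet(pkt)
    if matches_profile(info):
        return "profile"
    return "rule" if matches_rule(info) else "none"


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12s} {classify(pkt)}")
```

The `syn_ecn` sample shows what `S+` buys: a SYN with the ECN bits set still matches the rule, whereas the tighter profile test insists on a bare SYN, which is the trade-off between catching variants and keeping false positives down that a watchlist rule like this has to make.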