[Snort-sigs] rules to detect possible threats by the dll's called, Invalid fragment+TCP flags, Adobe Acrobat Reader XFDF possible buffer overflow

Judy Novak judy.novak at ...435...
Mon Jul 26 04:41:07 EDT 2004


Before determining other means of detection, I'm not quite sure what you are
trying to find with this rule.  It looks like you want a packet with no 
with an acknowledgement number of 0, the more fragments bit not set, flags
bits not ACK and PUSH (ignore ECN bits settings) and a TCP window size of
2048.  Is this correct?

Does this represent some particular malware?  The arachnids reference in 
the rule
is for an nmap ICMP ping packet that doesn't seem to apply to the rule.  
Also, what
makes this fragmented if the more fragments flag is not set?  Fragmented 
will have this bit set and/or a non-zero fragment offset.


>>>alert tcp $EXTERNAL_NET any -> $HOME_NET any
>>>(msg:"Invalid fragment+TCP flags"; dsize:0; ack:0;
>>>fragbits:!M; flags:!AP,12; window:2048;
>>>reference:arachnids,162; classtype:bad-unknown;
>>>sid:99999; rev:1;)
>>Question for the sourcefire folks, is this type of
>>packet not detected 
>>by existing means? And is flags the way to annotate
>>it, or should it be 
>>something new? I understand flags is obsoloted, but
>>can't find 
>>documentation on a better way. Or is that just flags
>>for flow?
>Which flags are legal in a fragmented packet? How does
>it work in OS's other than Linux and Windows? This is
>a hot issue and it will create a long debate. Let's
>hear from the gurus.

More information about the Snort-sigs mailing list