[Snort-sigs] False positive for 230 - DDOS shaft client to handler

Jens-Harald.Johansen at ...2457...
Tue Jun 1 02:10:05 EDT 2004


Rule:
DDOS shaft client to handler
--
Sid:
230
--
Summary:

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
This rule will also fire if you're running a proxy server which uses port
20432 as its session source (only confirmed for HTTP since we're not
running FTP through proxies yet).
--
False Negatives:

--
Corrective Action:

--
Contributors:

--
Additional References:


DATA:

10:12:49.397677 IP 62.23.10.253.80 > 256.256.256.256.20432: P 2829932091:2829932555(464) ack 1423808515 win 64815 <nop,nop,timestamp 12875615 1601259>
0x0000   4500 0204 dc77 4000 7006 5302 3e17 0afd E....w@.p.S.>...
0x0010   ffff ffff 0050 4fd0 a8ad 563b 54dd 9803 .....PO...V;T...
0x0020   8018 fd2f 7276 0000 0101 080a 00c4 775f .../rv........w_
0x0030   0018 6eeb 4854 5450 2f31 2e31 2032 3030 ..n.HTTP/1.1.200
0x0040   204f 4b0d 0a53 6572 7665 723a 204d 6963 .OK..Server:.Mic
0x0050   726f 736f 6674 2d49 4953 2f35 2e30 0d0a rosoft-IIS/5.0..
0x0060   4461 7465 3a20 5475 652c 2030 3120 4a75 Date:.Tue,.01.Ju
0x0070   6e20 3230 3034 2030 383a 3135 3a34 3020 n.2004.08:15:40.
0x0080   474d 540d 0a43 6f6e 6e65 6374 696f 6e3a GMT..Connection:
0x0090   2063 6c6f 7365 0d0a 5033 503a 20ff ffff .close..P3P:....
      <snip>
0x0100   ffff ffff 0d0a 5072 6167 6d61 3a20 6e6f ......Pragma:.no
0x0110   2d63 6163 6865 0d0a 436f 6e74 656e 742d -cache..Content-
0x0120   5479 7065 3a20 7465 7874 2f68 746d 6c0d Type:.text/html.
0x0130   0a45 7870 6972 6573 3a20 4d6f 6e2c 2033 .Expires:.Mon,.3
0x0140   3120 4465 6320 3139 3739 2032 333a 3030 1.Dec.1979.23:00
0x0150   3a30 3020 474d 540d 0a53 6574 2d43 6f6f :00.GMT..Set-Coo
0x0160   6b69 653a 2076 733d 3137 373d 3734 3530 kie:.vs=177=7450
0x0170   3935 3b20 7061 7468 3d2f 0d0a 5365 742d 95;.path=/..Set-
0x0180   436f 6f6b 6965 3a20 7069 643d 3236 3231 Cookie:.pid=2621
0x0190   3433 3337 3b20 6578 7069 7265 733d 4d6f 4337;.expires=Mo
0x01a0   6e2c 2032 372d 4d61 792d 3230 3234 2030 n,.27-May-2024.0
0x01b0   383a 3135 3a34 3020 474d 543b 2070 6174 8:15:40.GMT;.pat
0x01c0   683d 2f0d 0a43 6163 6865 2d63 6f6e 7472 h=/..Cache-contr
0x01d0   6f6c 3a20 7072 6976 6174 652c 206e 6f2d ol:.private,.no-
0x01e0   6361 6368 652c 206e 6f2d 7374 6f72 652c cache,.no-store,
0x01f0   206d 7573 742d 7265 7661 6c69 6461 7465 .must-revalidate
0x0200   0d0a 0d0a                               ....
10:12:49.402324 IP 62.23.10.253.80 > 256.256.256.256.20432: FP 464:687(223) ack 1 win 64815 <nop,nop,timestamp 12875615 1601259>
0x0000   4500 0113 dc7a 4000 7006 53f0 3e17 0afd E....z@.p.S.>...
0x0010   ffff ffff 0050 4fd0 a8ad 580b 54dd 9803 .....PO...X.T...
0x0020   8019 fd2f c739 0000 0101 080a 00c4 775f .../.9........w_
0x0030   0018 6eeb 0d0a 3c68 746d 6c3e 3c68 6561 ..n...<html><hea
0x0040   643e 3c74 6974 6c65 3e3c 2f74 6974 6c65 d><title></title
0x0050   3e3c 2f68 6561 643e 3c62 6f64 793e 0d0a ></head><body>..
0x0060   3c73 6372 6970 7420 6c61 6e67 7561 6765 <script.language
0x0070   3d4a 6176 6173 6372 6970 743e 0d0a 0d0a =Javascript>....
0x0080   0d0a 0d0a 0d0a 646f 6375 6d65 6e74 2e77 ......document.w
0x0090   7269 7465 2827 3c69 6d67 2073 7263 3d68 rite('<img.src=h
0x00a0   7474 703a 2f2f 7777 772e 736d 6172 7461 ttp://www.smarta
0x00b0   6473 6572 7665 722e 636f 6d2f 696d 6167 dserver.com/imag
0x00c0   6573 2f70 6978 656c 2e67 6966 2077 6964 es/pixel.gif.wid
0x00d0   7468 3d31 2068 6569 6768 743d 3120 626f th=1.height=1.bo
0x00e0   7264 6572 3d30 3e5c 725c 6e27 293b 0d0a rder=0>\r\n');..
0x00f0   0d0a 0d0a 0d0a 0d0a 3c2f 7363 7269 7074 ........</script
0x0100   3e0d 0a3c 2f62 6f64 793e 3c2f 6874 6d6c >..</body></html
0x0110   3e0d 0a                                 >..


Jens-Harald Johansen
Hydro IS Partner
Int: 138 - 8808
Tlf: +47 22 53 88 08
Mob: +47 934 45 413

There are 10 kinds of people in the world: Those who understand binary and
those who don't...
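To make the reported false positive concrete, the following is an added example (not code from the post, and not Snort's rule or code) that decodes the first frame posted above, applies the one test the post describes SID 230 as keying on (TCP traffic to destination port 20432, the shaft handler port), and explains why this particular hit is benign: the packet is an HTTP response from port 80, and 20432 is merely the proxy's ephemeral source port for the session. Assumptions: the rule is reduced to that port test because the post does not quote the rule body; the set of well-known server ports is an assumption; the sample is the first five hexdump rows from the post, with the ASCII column of row 0x0000 restored from the hex where the list archive had mangled it.

```python
"""Triage a SID 230 ("DDOS shaft client to handler") hit from a tcpdump -X frame.

Added example, not Snort's code or code from the original post. The rule is
approximated as "TCP to destination port 20432", which is all the post states
about it; the exact Snort rule options are not on the page.
"""
import re
import struct

SHAFT_HANDLER_PORT = 20432                        # port SID 230 keys on
WELL_KNOWN_SERVER_PORTS = {80, 443, 8080, 3128}   # assumption: typical proxied services

# Constructed sample: first five hexdump rows of the first frame in the post
# (IPv4 + TCP headers and the start of the HTTP response). The ASCII column
# of row 0x0000 is restored from the hex bytes; the archive had mangled it.
SAMPLE_HEXDUMP = """\
0x0000   4500 0204 dc77 4000 7006 5302 3e17 0afd E....w@.p.S.>...
0x0010   ffff ffff 0050 4fd0 a8ad 563b 54dd 9803 .....PO...V;T...
0x0020   8018 fd2f 7276 0000 0101 080a 00c4 775f .../rv........w_
0x0030   0018 6eeb 4854 5450 2f31 2e31 2032 3030 ..n.HTTP/1.1.200
0x0040   204f 4b0d 0a53 6572 7665 723a 204d 6963 .OK..Server:.Mic
"""

HEX_GROUP = re.compile(r"^(?:[0-9a-fA-F]{2}){1,2}$")   # "0d0a", or a final "0a"


def hexdump_to_bytes(dump):
    """Turn tcpdump -X rows (offset, up to eight hex groups, ASCII column) back
    into raw bytes. At most eight hex-looking tokens are taken per row so the
    ASCII column is not mistaken for data."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].lower().startswith("0x"):
            continue
        groups = []
        for tok in tokens[1:]:
            if len(groups) == 8 or not HEX_GROUP.match(tok):
                break
            groups.append(tok)
        out += bytes.fromhex("".join(groups))
    return bytes(out)


def parse_ipv4_tcp(pkt):
    """Pull the fields SID 230 triage needs out of a raw IPv4/TCP packet."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    doff = (off_flags >> 12) * 4                  # TCP header length incl. options
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "flags": off_flags & 0x01FF,
        "payload": pkt[ihl + doff:total_len],
    }


def ipv4_header_checksum_ok(pkt):
    """True if the IPv4 header checksum verifies. The frame in the post fails
    this, consistent with the destination address having been masked by hand
    (tcpdump printed the impossible 256.256.256.256; the hex carries ff ff ff
    ff). A sanitised capture like this will not replay cleanly."""
    ihl = (pkt[0] & 0x0F) * 4
    total = sum(struct.unpack("!%dH" % (ihl // 2), pkt[:ihl]))
    while total >> 16:                            # fold carries (ones' complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def triage_sid230(pkt):
    """Return (verdict, reason) for a packet that tripped SID 230."""
    f = parse_ipv4_tcp(pkt)
    if f["dport"] != SHAFT_HANDLER_PORT:
        return "no-match", "destination port %d is not %d" % (f["dport"], SHAFT_HANDLER_PORT)
    # A shaft client talks *to* its handler on 20432, so a real hit has the
    # handler port on the destination side of a flow the client opened. A reply
    # from a well-known server port whose payload starts with an HTTP status
    # line means 20432 is just the proxy's ephemeral source port, which is the
    # false positive the post describes.
    if f["sport"] in WELL_KNOWN_SERVER_PORTS and f["payload"].startswith(b"HTTP/"):
        return ("likely-false-positive", "HTTP response from %s:%d to ephemeral port %d"
                % (f["src"], f["sport"], f["dport"]))
    return "investigate", "traffic to port %d with no benign explanation" % SHAFT_HANDLER_PORT


if __name__ == "__main__":
    frame = hexdump_to_bytes(SAMPLE_HEXDUMP)
    fields = parse_ipv4_tcp(frame)
    print("%s:%d -> %s:%d flags=0x%03x payload=%r" % (
        fields["src"], fields["sport"], fields["dst"], fields["dport"],
        fields["flags"], fields["payload"][:15]))
    print(triage_sid230(frame))
    print("IPv4 header checksum verifies:", ipv4_header_checksum_ok(frame))
```

Run stand-alone it prints the decoded 62.23.10.253:80 -> 255.255.255.255:20432 PSH/ACK segment with the HTTP/1.1 200 OK payload, the "likely-false-positive" verdict, and a failed IPv4 header checksum; the last point is worth noting whenever a posted capture has had addresses edited by hand. The practical fix the triage suggests is also the usual one for port-only rules: give the rule a direction constraint (a flow that the client on the outside opened towards 20432), or exclude the proxy's source-port range, rather than tuning it away entirely.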

