[Snort-sigs] RE: False positives for sid:230

Matthew Watchinski mwatchinski at ...435...
Thu May 20 07:05:05 EDT 2004

It's probably best to get a copy of shaft and see if it has any difficult to 
change characteristics.  Recompiling to remove the sequence number problem is 
probably a really simple change, while changing the communication messages is 
probably more difficult.

We've added this to our bug queue over here at Sourcefire and will be addressing 
this shortly.

It has been a long time since this was a prevalent DDoS client. Anyone happen to 
have an archived pcap of this thing in action?


Brian King wrote:
> Eric,
> I have been getting tons of false positives for that signature as well.
> What about using the TCP sequence number to identify it, since it appears to
> be set at: 0x28374839 and/or the string "login" at the start of the shaft
> session?  I would probably prefer the latter.
> Something like this...(is the sequence number supposed to be hex for this
> rule?)
> alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"DDOS shaft client to handler"; seq:674711609; flow:established; reference:arachnids,254; classtype:attempted-dos; sid:230; rev:2;)
> Or 
> alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"DDOS shaft client login to handler"; content:"login:"; flow:established; reference:arachnids,254; classtype:attempted-dos; sid:230; rev:2;)
> I chose to use the response from the handler, since that is relatively
> known.  I don't have a packet dump to determine the offset, but I am sure
> that could get rid of most of the false positives.  
> Brian
> --__--__--
> Message: 2
> Date: Tue, 18 May 2004 10:42:58 -0700
> To: snort-sigs at lists.sourceforge.net
> From: Eric Watkins <watkinse at ...2496...>
> Subject: [Snort-sigs] False positives for sid:230
> Hello,
> My system seems to generate quite a few false positives based on the DDOS 
> sig 230. After a bit, valid https traffic ends up on a high port and 
> triggers this sid.
> alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (msg:"DDOS shaft client to 
> handler"; flow:established; reference:arachnids,254; 
> classtype:attempted-dos; sid:230; rev:2;)
> Looking here it appears there are some strings that could be triggered on: 
> http://security.royans.net/info/posts/bugtraq_ddos3.shtml
> Is there some way to make this sid more specific to the actual traffic data 
> rather than just a port connection?
> Thanks,
> Eric
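The three rule shapes discussed in this thread, checked against a few constructed TCP segments, as an added example that is not part of the original messages. It models only the options the quoted rules use (direction, port, seq, content); the Segment records, port 34567 and the TLS-looking payload bytes are made up for the test.

```python
from dataclasses import dataclass

SHAFT_HANDLER_PORT = 20432        # port the quoted rules key on
SHAFT_SEQ = 0x28374839            # sequence number Brian reports (= 674711609, as in his seq: rule)
SHAFT_LOGIN_BANNER = b"login:"    # handler response string from Brian's content: rule


@dataclass
class Segment:
    """One TCP segment of an established session (constructed test data)."""
    src_port: int
    dst_port: int
    seq: int
    payload: bytes


def port_only_rule(seg):
    # Eric's rev:2 rule: $EXTERNAL_NET any -> $HOME_NET 20432, nothing but the port
    return seg.dst_port == SHAFT_HANDLER_PORT


def seq_rule(seg):
    # Brian's first proposal: $HOME_NET 20432 -> $EXTERNAL_NET any with seq:674711609
    return seg.src_port == SHAFT_HANDLER_PORT and seg.seq == SHAFT_SEQ


def content_rule(seg):
    # Brian's second proposal: same direction, payload must carry "login:"
    return seg.src_port == SHAFT_HANDLER_PORT and SHAFT_LOGIN_BANNER in seg.payload


def evaluate(segments):
    """Return {rule_name: [indexes of segments that would alert]}."""
    rules = {"port_only": port_only_rule, "seq": seq_rule, "content": content_rule}
    return {name: [i for i, s in enumerate(segments) if fn(s)] for name, fn in rules.items()}


# Constructed sample (assumed values, not a real capture):
#   0: HTTPS client hello from a home host whose ephemeral port happens to be 20432
#   1: the HTTPS server's reply to that port, which is what trips the port-only rule
#   2: a shaft handler prompting a client, with the fixed seq and the "login:" banner
SAMPLE = [
    Segment(src_port=20432, dst_port=443, seq=0x1A2B3C4D, payload=b"\x16\x03\x01\x00\x20"),
    Segment(src_port=443, dst_port=20432, seq=0x5E6F7081, payload=b"\x16\x03\x01\x00\x40"),
    Segment(src_port=20432, dst_port=34567, seq=SHAFT_SEQ, payload=b"login:"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE))  # port_only fires on the HTTPS reply; seq and content fire only on shaft
```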
