[Snort-sigs] RE: False positives for sid:230

Brian King bking at ...2422...
Thu May 20 08:27:06 EDT 2004


Matthew,
Unfortunately, I have no clues as to where to get the source code.  I agree
that the sequence number should be an easy-to-change attribute. Seems
to me that the port number would be relatively easy to change also, since
the shaft handler uses plain old telnet as a client (as opposed to having to
recompile the clients as well).  At least we could get rid of most of the
false positives by using other attributes to corroborate the signature, such
as the login prompt.  Provides a good chance for me to learn about writing
Snort sigs.  About the pcap info, has anyone written the authors of the
shaft analysis asking for it?  I don't want to inundate them with requests.

Thanks,
Brian
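As an added illustration that is not part of this thread, the small Python model below encodes the three sid:230 variants discussed here (the original port-only rule, and the two corroborated variants keyed on the handler's sequence number or the "login:" prompt) and runs them over constructed packets. The packet fields, the sample TLS bytes and the ephemeral port numbers are assumptions made for the example; the seq value 0x28374839 and its decimal form 674711609 are the ones quoted in the thread.

```python
# Added example, not from the thread: model the sid:230 rule variants and
# check which fire on benign HTTPS traffic versus a shaft-style handler prompt.
from dataclasses import dataclass
from typing import Optional

SHAFT_SEQ_HEX = 0x28374839  # value quoted in the thread; Snort's seq: takes decimal

@dataclass
class Packet:              # minimal TCP view, constructed for illustration
    src_port: int
    dst_port: int
    seq: int
    payload: bytes
    established: bool = True

@dataclass
class Rule:
    msg: str
    src_port: Optional[int]          # None means "any"
    dst_port: Optional[int]
    seq: Optional[int] = None        # seq:<n>
    content: Optional[bytes] = None  # content:"..."

    def matches(self, pkt: Packet) -> bool:
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if not pkt.established:      # flow:established
            return False
        if self.seq is not None and pkt.seq != self.seq:
            return False
        if self.content is not None and self.content not in pkt.payload:
            return False
        return True

# Eric's port-only rule watches inbound to 20432; Brian's variants watch the
# handler's reply, i.e. outbound from 20432, corroborated by seq or content.
RULES = {
    "port_only": Rule("DDOS shaft client to handler", None, 20432),
    "seq":       Rule("DDOS shaft client to handler", 20432, None, seq=674711609),
    "content":   Rule("DDOS shaft client login to handler", 20432, None, content=b"login:"),
}

# Constructed samples: a benign TLS record on ephemeral port 20432 (both
# directions) and a shaft-style handler prompt. Bytes are illustrative.
BENIGN_HTTPS_IN = Packet(443, 20432, 0x5F3A9C01, bytes.fromhex("160303"))
BENIGN_HTTPS_OUT = Packet(20432, 443, 0x12345678, bytes.fromhex("160303"))
SHAFT_PROMPT = Packet(20432, 40123, 674711609, b"login: ")

def fired_rules(pkt: Packet) -> list:
    """Names of the rules that would alert on pkt, in RULES order."""
    return [name for name, rule in RULES.items() if rule.matches(pkt)]
```

The port-only rule alerts on the benign HTTPS reply landing on client port 20432, while the seq and content variants stay quiet on it and fire only on the constructed handler prompt.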

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Matthew
Watchinski
Sent: Thursday, May 20, 2004 10:05 AM
To: King, Brian
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] RE: False positives for sid:230


It's probably best to get a copy of shaft and see if it has any difficult-to-change
characteristics.  Recompiling to remove the sequence number problem is
probably a really simple change, while changing the communication messages is
probably more difficult.

We've added this to our bug queue over here at Sourcefire and will be addressing
this shortly.

It has been a long time since this was a prevalent DDoS client; anyone happen to
have an archived pcap of this thing in action?

Cheers,
-matt

Brian King wrote:
> Eric,
> I have been getting tons of false positives for that signature as 
> well. What about using the TCP sequence number to identify it, since 
> it appears to be set at: 0x28374839 and/or the string "login" at the 
> start of the shaft session?  I would probably prefer the latter.
> 
> Something like this...(is the sequence number supposed to be hex for this
> rule?)
> 
> alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"DDOS shaft client to handler"; seq: 674711609; flow:established; reference:arachnids,254; classtype:attempted-dos; sid:230; rev:2;)
> 
> Or
> 
> alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"DDOS shaft client login to handler"; content: "login:"; flow:established; reference:arachnids,254; classtype:attempted-dos; sid:230; rev:2;)
> 
> I chose to use the response from the handler, since that is relatively 
> known.  I don't have a packet dump to determine the offset, but I am 
> sure that could get rid of most of the false positives.
> 
> Brian
> 
> 
> 
> --__--__--
> 
> Message: 2
> Date: Tue, 18 May 2004 10:42:58 -0700
> To: snort-sigs at lists.sourceforge.net
> From: Eric Watkins <watkinse at ...2496...>
> Subject: [Snort-sigs] False positives for sid:230
> 
> Hello,
> 
> My system seems to generate quite a few false positives based on the DDOS
> sig 230. After a bit, valid https traffic ends up on a high port and 
> triggers this sid.
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (msg:"DDOS shaft client to handler"; flow:established; reference:arachnids,254; classtype:attempted-dos; sid:230; rev:2;)
> 
> Looking here it appears there are some strings that could be triggered 
> on:
> http://security.royans.net/info/posts/bugtraq_ddos3.shtml
> 
> Is there some way to make this sid more specific to the actual traffic 
> data
> rather than just a port connection?
> 
> Thanks,
> 
> Eric
> 
> 
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net 
> https://lists.sourceforge.net/lists/listinfo/snort-sigs


