[Snort-sigs] custom signature based on the following tcpdump output

Jamie Riden jamesr at ...3216...
Wed Oct 4 17:52:20 EDT 2006


On 29/09/06, Jamie Riden <jamesr at ...3216...> wrote:
[sorry if this arrives twice - sourceforge claimed it was
non-deliverable as gmail wasn't playing nice with its callback
mechanism]

On 29/09/06, Agent Smith <news8080 at ...144...> wrote:
> I used
>
> tcpdump -n -i eth1 port 445 -X -s 4096 to capture the
> following. We have an infected host doing massive
> tcp/445 outbound and I'd like to know about these
> things with the snort box we have.
>
> I've written custom sigs before but this one is odd.
>
> Anyone?
>
> 13:42:13.547549 10.10.100.72.3399 > 86.245.29.77.microsoft-ds: S 2515211076:2515211076(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 0x0000   4500 0030 2e6a 4000 7d06 ecc9 0a0a 6448 E..0.j@.}.....dH
> 0x0010   56f5 1d4d 0d47 01bd 95eb 1344 0000 0000 V..M.G.....D....
> 0x0020   7002 faf0 ed66 0000 0204 05b4 0101 0402 p....f..........

OK, it's too early, but here goes.

These are only SYN packets aren't they? Don't you need something which
has completed the TCP handshake before you can write a signature for
it?

What if you get a box, something like http://nepenthes.mwcollect.org/
maybe, to reply to the SYN? That should get you more info, maybe
even a malware binary.

Have you seen any IRC traffic from this machine?

cheers,
 Jamie
-- 
Jamie Riden, CISSP / jamesr at ...3216... / jamie.riden at ...2420...
NZ Honeynet project - http://www.nz-honeynet.org/
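To check Jamie's point against the captured bytes, here is an added Python decoder (not code from the thread or from Snort) that takes the hex groups of the quoted tcpdump -X lines, decodes the IPv4 and TCP headers, and reports the TCP flags, payload length and options. The sample dump embedded in the block is copied from the quoted packet; the ASCII column is ignored by the parser. Option kinds other than MSS and sackOK are reported by number only, which is an assumption about how much detail is needed here.

```python
import re
import struct
from ipaddress import IPv4Address

# Sample input: the three tcpdump -X lines quoted in the thread (hex groups only
# are parsed; the trailing ASCII column is kept for realism but ignored).
SAMPLE_HEXDUMP = """\
0x0000   4500 0030 2e6a 4000 7d06 ecc9 0a0a 6448 E..0.j@.}.....dH
0x0010   56f5 1d4d 0d47 01bd 95eb 1344 0000 0000 V..M.G.....D....
0x0020   7002 faf0 ed66 0000 0204 05b4 0101 0402 p....f..........
"""

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                  (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]

_HEX_GROUP = re.compile(r"^[0-9a-fA-F]{4}$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn tcpdump -X output (offset, up to 8 hex groups, ASCII) into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        parts = line.split()
        if not parts or not parts[0].lower().startswith("0x"):
            continue
        for tok in parts[1:9]:          # at most 16 bytes per line
            if not _HEX_GROUP.match(tok):
                break                   # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)


def parse_tcp_options(raw: bytes) -> dict:
    """Walk the TCP options field; EOL ends it, NOP is a single byte."""
    opts = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                   # EOL
            break
        if kind == 1:                   # NOP padding
            i += 1
            continue
        if i + 1 >= len(raw):
            break                       # length byte missing: stop, do not read past end
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            break                       # malformed length
        data = raw[i + 2:i + length]
        if kind == 2 and len(data) == 2:
            opts["mss"] = struct.unpack("!H", data)[0]
        elif kind == 4:
            opts["sackOK"] = True
        else:
            opts[f"kind{kind}"] = data.hex()
        i += length
    return opts


def decode_ipv4_tcp(pkt: bytes) -> dict:
    """Decode an IPv4+TCP packet; raises ValueError on anything else or truncation."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", pkt[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 6:
        raise ValueError(f"not TCP (protocol {proto})")
    ihl = (ver_ihl & 0x0F) * 4
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    tcp = pkt[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _tcsum, _urg = struct.unpack(
        "!HHIIHHHH", tcp[:20])
    doff = (off_flags >> 12) * 4
    flag_bits = off_flags & 0x01FF
    return {
        "src": src, "dst": dst, "ttl": ttl, "df": bool(flags_frag & 0x4000),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAG_NAMES if flag_bits & bit],
        "window": window,
        "options": parse_tcp_options(tcp[20:doff]),
        "payload_len": len(tcp) - doff,
    }


def is_bare_syn(info: dict) -> bool:
    """True when the segment is a connection attempt with no application data."""
    return info["flags"] == ["SYN"] and info["payload_len"] == 0


if __name__ == "__main__":
    info = decode_ipv4_tcp(hexdump_to_bytes(SAMPLE_HEXDUMP))
    print(info)
    print("bare SYN with no payload:", is_bare_syn(info))
```

The decoder confirms what the tcpdump summary line already says: flags are SYN only and there is no payload, so the only material a content rule could key on is header fields (window 64240, MSS 1460, sackOK), which any ordinary Windows client SYN to port 445 also carries. That is why a signature for this traffic has to rest on the volume of outbound SYNs to many destinations, or on what the host sends once something answers the SYN, rather than on packet content.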