[Snort-sigs] custom signature based on the following tcpdump output

Agent Smith news8080 at ...144...
Thu Sep 28 16:50:26 EDT 2006


I used

tcpdump -n -i eth1 port 445 -X -s 4096 to capture the
following. We have an infected host doing massive
tcp/445 outbound, and I'd like to know about these
things with the Snort box we have.

I've written custom sigs before, but this one is odd.

Anyone?

13:42:13.547549 10.10.100.72.3399 > 86.245.29.77.microsoft-ds: S 2515211076:2515211076(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e6a 4000 7d06 ecc9 0a0a 6448        E..0.j@.}.....dH
0x0010   56f5 1d4d 0d47 01bd 95eb 1344 0000 0000        V..M.G.....D....
0x0020   7002 faf0 ed66 0000 0204 05b4 0101 0402        p....f..........
13:42:13.547558 10.10.100.72.3400 > 140.36.4.8.microsoft-ds: S 2515255340:2515255340(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e6b 4000 7d06 d0de 0a0a 6448        E..0.k@.}.....dH
0x0010   8c24 0408 0d48 01bd 95eb c02c 0000 0000        .$...H.....,....
0x0020   7002 faf0 2493 0000 0204 05b4 0101 0402        p...$...........
13:42:13.573026 10.10.100.72.3453 > 0.24.235.80.microsoft-ds: S 2518238052:2518238052(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e6c 4000 7d06 75a1 0a0a 6448        E..0.l@.}.u...dH
0x0010   0018 eb50 0d7d 01bd 9619 4364 0000 0000        ...P.}....Cd....
0x0020   7002 faf0 45bc 0000 0204 05b4 0101 0402        p...E...........
13:42:13.585730 10.10.100.72.3454 > 162.80.10.36.microsoft-ds: S 2518293251:2518293251(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e6d 4000 7d06 b494 0a0a 6448        E..0.m@.}.....dH
0x0010   a250 0a24 0d7e 01bd 961a 1b03 0000 0000        .P.$.~..........
0x0020   7002 faf0 ad0f 0000 0204 05b4 0101 0402        p...............
13:42:13.710749 10.10.100.72.3457 > 11.243.33.109.microsoft-ds: S 2518420341:2518420341(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e6f 4000 7d06 33a7 0a0a 6448        E..0.o@.}.3...dH
0x0010   0bf3 216d 0d81 01bd 961c 0b75 0000 0000        ..!m.......u....
0x0020   7002 faf0 3bad 0000 0204 05b4 0101 0402        p...;...........
13:42:13.949891 10.10.100.72.3401 > 26.130.248.92.microsoft-ds: S 2515409107:2515409107(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e70 4000 7d06 4e27 0a0a 6448        E..0.p@.}.N'..dH
0x0010   1a82 f85c 0d49 01bd 95ee 18d3 0000 0000        ...\.I..........
0x0020   7002 faf0 4936 0000 0204 05b4 0101 0402        p...I6..........
13:42:14.053393 10.10.100.72.3402 > 146.4.123.95.microsoft-ds: S 2515488633:2515488633(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e71 4000 7d06 53a1 0a0a 6448        E..0.q@.}.S...dH
0x0010   9204 7b5f 0d4a 01bd 95ef 4f79 0000 0000        ..{_.J....Oy....
0x0020   7002 faf0 1809 0000 0204 05b4 0101 0402        p...............
13:42:14.053402 10.10.100.72.3404 > 129.19.63.224.microsoft-ds: S 2515527676:2515527676(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e72 4000 7d06 a010 0a0a 6448        E..0.r@.}.....dH
0x0010   8113 3fe0 0d4c 01bd 95ef e7fc 0000 0000        ..?..L..........
0x0020   7002 faf0 cbf3 0000 0204 05b4 0101 0402        p...............
13:42:14.053407 10.10.100.72.3405 > 6.15.132.180.microsoft-ds: S 2515571125:2515571125(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e73 4000 7d06 d63f 0a0a 6448        E..0.s@.}..?..dH
0x0010   060f 84b4 0d4d 01bd 95f0 91b5 0000 0000        .....M..........
0x0020   7002 faf0 5869 0000 0204 05b4 0101 0402        p...Xi..........
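
As an added example (not from the post or from the Snort project), the detection the poster is after, written in Python over the tcpdump header lines above: a per-source count of distinct tcp/445 destinations inside a time window, next to the Snort 2.x rule shape it mirrors. The rule text, the count/seconds thresholds and the extra benign host in the sample are assumptions.

```python
import re
from collections import defaultdict

# Added example, not from the original post: the same by_src threshold a Snort
# 2.x rule of this shape applies,
#   alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"tcp/445 SYN sweep";
#   flow:stateless; flags:S; threshold:type threshold, track by_src, count 50, seconds 10; sid:1000001; rev:1;)
# but over distinct destination hosts rather than raw SYNs, which separates a
# sweep from one busy SMB client.
# Lines 1-7 below are SYN headers from the capture above; line 8 is a
# constructed single SYN from another host that must not be flagged.
SAMPLE = """\
13:42:13.547549 10.10.100.72.3399 > 86.245.29.77.microsoft-ds: S 2515211076:2515211076(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:42:13.547558 10.10.100.72.3400 > 140.36.4.8.microsoft-ds: S 2515255340:2515255340(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:42:13.573026 10.10.100.72.3453 > 0.24.235.80.microsoft-ds: S 2518238052:2518238052(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:42:13.585730 10.10.100.72.3454 > 162.80.10.36.microsoft-ds: S 2518293251:2518293251(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:42:14.053393 10.10.100.72.3402 > 146.4.123.95.microsoft-ds: S 2515488633:2515488633(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:42:14.053402 10.10.100.72.3404 > 129.19.63.224.microsoft-ds: S 2515527676:2515527676(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:42:14.053407 10.10.100.72.3405 > 6.15.132.180.microsoft-ds: S 2515571125:2515571125(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:42:20.000000 10.10.100.9.1025 > 10.10.100.5.microsoft-ds: S 1:1(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
"""

SYN_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) (\d+\.\d+\.\d+\.\d+)\.\S+ > "
    r"(\d+\.\d+\.\d+\.\d+)\.(?:microsoft-ds|445): S ")


def parse_syns(text):
    """Yield (seconds since midnight, src, dst) for each SYN to tcp/445."""
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m:
            h, mi, s, us, src, dst = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6, src, dst


def find_scanners(text, count=5, seconds=10):
    """{src: peak distinct dsts in any `seconds` window} for peaks >= count."""
    by_src = defaultdict(list)  # src -> [(ts, dst), ...] in capture order
    for ts, src, dst in parse_syns(text):
        by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        peak = 0
        for i, (t0, _) in enumerate(events):
            window = {d for t, d in events[i:] if t - t0 <= seconds}
            peak = max(peak, len(window))
        if peak >= count:
            scanners[src] = peak
    return scanners
```

With the defaults the infected host is reported with 7 distinct destinations and the single-SYN host is not; shrinking `seconds` shows how the window bounds the count.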

