[Snort-sigs] custom signature based on the following tcpdump output

Joel Esler joel.esler at ...435...
Thu Sep 28 17:39:23 EDT 2006


What are you trying to detect, I guess, would be my question.

J


On Thu, Sep 28, 2006 at 01:50:26PM -0700, Agent Smith apparently sent me:
> I used
> 
> tcpdump -n -i eth1 port 445 -X -s 4096 to capture the
> following. We have an infected host doing massive
> tcp/445 outbound and I'd like to know about these
> things with the Snort box we have.
> 
> I've written custom sigs before but this one is odd.
> 
> Anyone?
> 
> 13:42:13.547549 10.10.100.72.3399 > 86.245.29.77.microsoft-ds: S 2515211076:2515211076(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 0x0000   4500 0030 2e6a 4000 7d06 ecc9 0a0a 6448        E..0.j@.}.....dH
> 0x0010   56f5 1d4d 0d47 01bd 95eb 1344 0000 0000        V..M.G.....D....
> 0x0020   7002 faf0 ed66 0000 0204 05b4 0101 0402        p....f..........
> 13:42:13.547558 10.10.100.72.3400 > 140.36.4.8.microsoft-ds: S 2515255340:2515255340(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 0x0000   4500 0030 2e6b 4000 7d06 d0de 0a0a 6448        E..0.k@.}.....dH
> 0x0010   8c24 0408 0d48 01bd 95eb c02c 0000 0000        .$...H.....,....
> 0x0020   7002 faf0 2493 0000 0204 05b4 0101 0402        p...$...........
> 13:42:13.573026 10.10.100.72.3453 > 0.24.235.80.microsoft-ds: S 2518238052:2518238052(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 0x0000   4500 0030 2e6c 4000 7d06 75a1 0a0a 6448        E..0.l@.}.u...dH
> 0x0010   0018 eb50 0d7d 01bd 9619 4364 0000 0000        ...P.}....Cd....
> 0x0020   7002 faf0 45bc 0000 0204 05b4 0101 0402        p...E...........
> 13:42:13.585730 10.10.100.72.3454 > 162.80.10.36.microsoft-ds: S 2518293251:2518293251(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 0x0000   4500 0030 2e6d 4000 7d06 b494 0a0a 6448        E..0.m@.}.....dH
> 0x0010   a250 0a24 0d7e 01bd 961a 1b03 0000 0000        .P.$.~..........
> 0x0020   7002 faf0 ad0f 0000 0204 05b4 0101 0402        p...............
> 13:42:13.710749 10.10.100.72.3457 > 11.243.33.109.microsoft-ds: S 2518420341:2518420341(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 0x0000   4500 0030 2e6f 4000 7d06 33a7 0a0a 6448        E..0.o@.}.3...dH
> 0x0010   0bf3 216d 0d81 01bd 961c 0b75 0000 0000        ..!m.......u....
> 0x0020   7002 faf0 3bad 0000 0204 05b4 0101 0402        p...;...........
> 13:42:13.949891 10.10.100.72.3401 > 26.130.248.92.microsoft-ds: S 2515409107:2515409107(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 0x0000   4500 0030 2e70 4000 7d06 4e27 0a0a 6448        E..0.p@.}.N'..dH
> 0x0010   1a82 f85c 0d49 01bd 95ee 18d3 0000 0000        ...\.I..........
> 0x0020   7002 faf0 4936 0000 0204 05b4 0101 0402        p...I6..........
> 13:42:14.053393 10.10.100.72.3402 > 146.4.123.95.microsoft-ds: S 2515488633:2515488633(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 0x0000   4500 0030 2e71 4000 7d06 53a1 0a0a 6448        E..0.q@.}.S...dH
> 0x0010   9204 7b5f 0d4a 01bd 95ef 4f79 0000 0000        ..{_.J....Oy....
> 0x0020   7002 faf0 1809 0000 0204 05b4 0101 0402        p...............
> 13:42:14.053402 10.10.100.72.3404 > 129.19.63.224.microsoft-ds: S 2515527676:2515527676(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 0x0000   4500 0030 2e72 4000 7d06 a010 0a0a 6448        E..0.r@.}.....dH
> 0x0010   8113 3fe0 0d4c 01bd 95ef e7fc 0000 0000        ..?..L..........
> 0x0020   7002 faf0 cbf3 0000 0204 05b4 0101 0402        p...............
> 13:42:14.053407 10.10.100.72.3405 > 6.15.132.180.microsoft-ds: S 2515571125:2515571125(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 0x0000   4500 0030 2e73 4000 7d06 d63f 0a0a 6448        E..0.s@.}..?..dH
> 0x0010   060f 84b4 0d4d 01bd 95f0 91b5 0000 0000        .....M..........
> 0x0020   7002 faf0 5869 0000 0204 05b4 0101 0402        p...Xi..........
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 




+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
       Snort - Open Source Network IPS/IDS -- http://www.snort.org
         gpg key: http://demo.sourcefire.com/jesler.pgp.key
           aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj
+---------------------------------------------------------------------+
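As an added worked example (not part of the original thread, and not a rule anyone on the list proposed), the Python below decodes the tcpdump -X hex rows quoted above and runs the same check over them that a rate-limited Snort rule would. In Snort 2 the rule the original poster is asking for would look like this, with the sid, count and seconds being assumptions to tune for the site:

alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"LOCAL host sweeping tcp/445"; flow:stateless; flags:S; threshold:type both, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)

Decoding the hex shows what that rule keys on: every quoted packet is an IPv4/TCP segment from 10.10.100.72 to port 445 (0x01bd) with only SYN set (0x7002: data offset 7, flags 0x02), window 0xfaf0 = 64240, TTL 0x7d = 125, DF set, one IP ID counter stepping up (0x2e6a, 0x2e6b, 0x2e6c, ...), and the option block mss 1460, nop, nop, sackOK. The script's syn_sweep_alerts() (my name) approximates threshold type both, track by_src: it alerts when one source has sent count SYNs to 445 inside seconds, then stays quiet for that source for the rest of the period. The IPv4 header checksum is recomputed as a sanity check on the transcribed hex; every quoted packet verifies.

```python
# Added example, not code from the original thread: decode the tcpdump -X rows
# quoted in the post and apply the per-source SYN-rate check a Snort 'threshold'
# rule performs.  The count/seconds values used below are assumptions to tune.
import re
import struct
from collections import defaultdict

TS_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}\.\d+) ")   # tcpdump record header
HEXWORD_RE = re.compile(r"^[0-9a-f]{4}$")               # one 16-bit word of -X output

# First five records of the tcpdump -X output quoted in the post, verbatim.
SAMPLE = r"""
13:42:13.547549 10.10.100.72.3399 > 86.245.29.77.microsoft-ds: S 2515211076:2515211076(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e6a 4000 7d06 ecc9 0a0a 6448        E..0.j@.}.....dH
0x0010   56f5 1d4d 0d47 01bd 95eb 1344 0000 0000        V..M.G.....D....
0x0020   7002 faf0 ed66 0000 0204 05b4 0101 0402        p....f..........
13:42:13.547558 10.10.100.72.3400 > 140.36.4.8.microsoft-ds: S 2515255340:2515255340(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e6b 4000 7d06 d0de 0a0a 6448        E..0.k@.}.....dH
0x0010   8c24 0408 0d48 01bd 95eb c02c 0000 0000        .$...H.....,....
0x0020   7002 faf0 2493 0000 0204 05b4 0101 0402        p...$...........
13:42:13.573026 10.10.100.72.3453 > 0.24.235.80.microsoft-ds: S 2518238052:2518238052(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e6c 4000 7d06 75a1 0a0a 6448        E..0.l@.}.u...dH
0x0010   0018 eb50 0d7d 01bd 9619 4364 0000 0000        ...P.}....Cd....
0x0020   7002 faf0 45bc 0000 0204 05b4 0101 0402        p...E...........
13:42:13.585730 10.10.100.72.3454 > 162.80.10.36.microsoft-ds: S 2518293251:2518293251(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e6d 4000 7d06 b494 0a0a 6448        E..0.m@.}.....dH
0x0010   a250 0a24 0d7e 01bd 961a 1b03 0000 0000        .P.$.~..........
0x0020   7002 faf0 ad0f 0000 0204 05b4 0101 0402        p...............
13:42:13.710749 10.10.100.72.3457 > 11.243.33.109.microsoft-ds: S 2518420341:2518420341(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 2e6f 4000 7d06 33a7 0a0a 6448        E..0.o@.}.3...dH
0x0010   0bf3 216d 0d81 01bd 961c 0b75 0000 0000        ..!m.......u....
0x0020   7002 faf0 3bad 0000 0204 05b4 0101 0402        p...;...........
"""

def parse_tcpdump_x(text):
    """Return [(seconds-of-day, raw IP packet)] for each record in tcpdump -X text."""
    records = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:                                     # header line: take the timestamp
            records.append([int(m[1]) * 3600 + int(m[2]) * 60 + float(m[3]), []])
        elif line.startswith("0x") and records:   # hex row: offset, <=8 words, ASCII
            records[-1][1] += [w for w in line.split()[1:9] if HEXWORD_RE.match(w)]
    return [(ts, bytes.fromhex("".join(words))) for ts, words in records]

def ipv4_checksum(header):
    """Ones'-complement sum over the IPv4 header; 0 means the stored checksum verifies."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_tcp_options(data):
    """Decode TCP options to (name, value) pairs: kind 1 NOP, 2 MSS, 4 SACK-permitted."""
    opts, i = [], 0
    while i < len(data) and data[i] != 0:         # kind 0 = end of option list
        kind = data[i]
        if kind == 1:                             # NOP is a single byte
            opts.append(("nop", None)); i += 1; continue
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2:                            # truncated or malformed: stop
            break
        body = data[i + 2:i + length]
        opts.append(("mss", struct.unpack("!H", body)[0]) if kind == 2 else
                    ("sackOK", None) if kind == 4 else (kind, body.hex()))
        i += length
    return opts

def decode_ipv4_tcp(raw):
    """Decode the IPv4 and TCP headers of one packet into a dict of fields."""
    ver_ihl, _, ip_len, ip_id, frag, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", raw[ihl:ihl + 16])
    doff = (off_flags >> 12) * 4                  # TCP header length incl. options
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
            "ip_id": ip_id, "df": bool(frag & 0x4000), "ip_len": ip_len, "sport": sport,
            "dport": dport, "seq": seq, "ack": ack, "flags": off_flags & 0x1FF,
            "window": window, "options": parse_tcp_options(raw[ihl + 20:ihl + doff]),
            "ip_csum_ok": ipv4_checksum(raw[:ihl]) == 0}

def syn_sweep_alerts(records, count=20, seconds=60, dport=445):
    """Approximate 'threshold:type both, track by_src, count N, seconds M': alert once a
    source has sent N SYNs (SYN set, ACK clear) to dport within M seconds, then mute it."""
    recent, muted_until, alerts = defaultdict(list), {}, []
    for ts, raw in records:
        pkt = decode_ipv4_tcp(raw)
        src = pkt["src"]
        if pkt["dport"] != dport or (pkt["flags"] & 0x12) != 0x02 or ts < muted_until.get(src, 0):
            continue
        recent[src] = [t for t in recent[src] if ts - t < seconds] + [ts]
        if len(recent[src]) >= count:
            alerts.append((ts, src, len(recent[src])))
            recent[src], muted_until[src] = [], ts + seconds
    return alerts

if __name__ == "__main__":
    recs = parse_tcpdump_x(SAMPLE)
    for p in (decode_ipv4_tcp(raw) for _, raw in recs):
        print(p["src"], p["sport"], "->", p["dst"], p["dport"], "ttl", p["ttl"], "csum_ok", p["ip_csum_ok"], p["options"])
    print("alerts (count=5, seconds=10):", syn_sweep_alerts(recs, count=5, seconds=10))
```

Run as a script it prints the decoded fields and the alert for count=5, seconds=10, which fires on the fifth quoted SYN; at 20 in 60 seconds the nine quoted packets alone do not fire. That is the tuning trade-off behind Joel's question: a low count catches this sweep within a second, but a client legitimately browsing several file servers will trip the same rule, so the count has to sit above what a normal host on that network does to port 445. Two caveats on the rule itself: flags:S matches only when SYN is the sole flag set (flags:S,12 ignores the two reserved bits if ECN-marked SYNs show up), and newer Snort 2.x releases spell the same rule-level rate check as detection_filter:track by_src, count 20, seconds 60. For one host hitting many destinations on a single port, the sfPortscan preprocessor's portsweep detection is the stock alternative to a hand-written rule.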



