[Snort-sigs] Funky packets

James Lay jlay at ...3266...
Tue Mar 5 10:46:45 EST 2013


Hey All!

So...recently I got to packet capture first-hand a rather extensive 2-day 
(unsolicited) recon/router test.  Almost all of these packets were 
short on the TCP header:

  13 2013-03-01 18:05:33.218358000 x.x.x.x -> x.x.x.x TCP 74 0 > 0 [FIN, RST, ACK, URG, ECN, CWR, Reserved] Seq=1 Ack=1 Win=6667 Urg=0 Len=12
  15 2013-03-01 18:17:39.706664000 x.x.x.x -> x.x.x.x TCP 74 0 > 0 [FIN, SYN, PSH, ECN, CWR, NS, Reserved] Seq=3323674723 Win=6667[Malformed Packet]
  16 2013-03-01 18:20:15.162110000 x.x.x.x -> x.x.x.x TCP 74 0 > 0 [SYN, CWR, NS, Reserved] Seq=0 Win=6667, bogus TCP header length (12, must be at least 20)
  25 2013-03-01 19:49:34.199237000 x.x.x.x -> x.x.x.x TCP 74 0 > 0 [SYN, RST, ECN, NS, Reserved] Seq=0 Win=6667, bogus TCP header length (12, must be at least 20)
  26 2013-03-01 19:49:34.199244000 x.x.x.x -> x.x.x.x TCP 74 0 > 0 [SYN, RST, ECN, NS, Reserved] Seq=0 Win=6667, bogus TCP header length (12, must be at least 20)
  65 2013-03-02 00:00:15.431041000 x.x.x.x -> x.x.x.x TCP 74 0 > 0 [FIN, SYN, URG, ECN, Reserved] Seq=0 Win=5000, bogus TCP header length (8, must be at least 20)
  66 2013-03-02 00:00:15.431092000 x.x.x.x -> x.x.x.x TCP 74 0 > 0 [FIN, SYN, URG, ECN, Reserved] Seq=0 Win=5000, bogus TCP header length (8, must be at least 20)


These are just a few of the many I saw.  I've created the below (SYN + 
RST packets are my favorite) to see at least some of this:

alert tcp $EXTERNAL_NET 0 -> $HOME_NET 0 (msg:"SYN with RST packet"; flags:S,R; classtype:bad-unknown; sid:10000042; rev:1;)


Interestingly, of the 24 packets that have SYN and RST, this rule only 
fires on 3.  Both frag3 and stream5 have detect_anomalies set.  Anyone 
else have any funky packet rules they'd like to share?  Thanks!

James
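An added example, not from James's post or from the Snort project: it decodes a raw TCP header the way the summaries above are decoded (header length from the data offset, the 9-bit flag field) and evaluates Snort `flags:` options against it, following the documented option grammar where the letters after the comma are a mask of bits to ignore and `+` means "these bits plus any others". The two header byte strings are constructed to mirror the listed frames, not captured traffic.

```python
"""Decode a raw TCP header (data offset, 9-bit flags) and evaluate Snort 'flags:'
options against it. Sample headers are constructed, not captured bytes."""
import struct

# Bit values of the 9-bit TCP flag field; NS sits in the low nibble of byte 12.
FLAG_BITS = {"FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008, "ACK": 0x010,
             "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100}
# Letters accepted by Snort's flags option ('1'/'2' are the old names for CWR/ECE).
SNORT_LETTERS = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH", "A": "ACK",
                 "U": "URG", "C": "CWR", "E": "ECE", "1": "CWR", "2": "ECE"}

def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte header; a data offset below 5 words is bogus."""
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", raw[:16])
    hdr_len = (off_flags >> 12) * 4                # data offset is in 32-bit words
    flags = off_flags & 0x1FF                      # NS plus the eight classic flags
    names = [n for n, bit in FLAG_BITS.items() if flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
            "hdr_len": hdr_len, "bogus_hdr_len": hdr_len < 20, "flags": names}

def snort_flags_match(option: str, flags: list) -> bool:
    """Snort grammar: <letters> with optional modifier (!, *, +), then an optional
    ',<letters>' mask of bits to IGNORE. Without a modifier the match is exact,
    so 'S,R' means 'exactly SYN, disregarding RST', not 'SYN and RST'."""
    spec, _, ignore = option.partition(",")
    mod, want = "", set()
    for c in spec:
        if c in "!*+":
            mod = c
        elif c != "0":                             # '0' means no flags set
            want.add(SNORT_LETTERS[c])
    have = {f for f in flags if f != "NS"}         # the flags option does not see NS
    have -= {SNORT_LETTERS[c] for c in ignore}
    if mod == "+": return want <= have             # these bits plus any others
    if mod == "*": return bool(want & have)        # any of these bits
    if mod == "!": return not (want & have)        # none of these bits
    return want == have

def build_header(offset_words: int, flags9: int, win: int = 6667) -> bytes:
    """Constructed 20-byte header with ports, seq, ack and checksum zeroed."""
    return struct.pack("!HHIIHHHH", 0, 0, 0, 0, (offset_words << 12) | flags9, win, 0, 0)

SYN_RST = FLAG_BITS["SYN"] | FLAG_BITS["RST"]
SAMPLES = {                                        # constructed, mirroring the listing
    "plain SYN+RST": build_header(5, SYN_RST),
    "frame 25 style": build_header(3, SYN_RST | FLAG_BITS["ECE"] | FLAG_BITS["NS"]),
}

def rule_hits(option: str) -> list:
    """Names of the samples whose flag field satisfies the given flags option."""
    return [n for n, raw in SAMPLES.items()
            if snort_flags_match(option, parse_tcp_header(raw)["flags"])]
```

`rule_hits("S,R")` returns only the plain SYN+RST sample, while `rule_hits("SR+")` returns both, which is the behaviour to compare against the 3-of-24 count above.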
