[Snort-sigs] 1337 Bot and TCP options detection

joshua burgess avonyxx at ...12...
Wed Dec 28 07:51:08 EST 2016


To check a few boxes, I'm trying to gen up two signatures designed to detect the latest 1337 bot that Imperva wrote about (https://www.incapsula.com/blog/650gbps-ddos-attack-leet-botnet.html)


Basically I'm trying to write a signature designed to detect the TCP options which spell out 1337 as well as an abnormally large SYN packet ranging from 799 to 936.


I don't know SNORT supports my specifying the TCP options like:

Number: No-Operation (NOP) (1)

Kind: Window Scale (3)

Length: (3)

Shift count: (7)


Could I do it with"content" only, it doesn't seem likely but I'm running out of ideas...

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"1337 DDoS Tool"; flags:S; content:"Number: No-Operation (NOP) (1)"; content:"Kind: Window Scale (3)"; content:"Length: (3)"; content:"Shift count: (7)"; reference:url,https://www.incapsula.com/blog/650gbps-ddos-attack-leet-botnet.html; classtype:attempted-dos; sid:6000049; rev:1;)


As far as writing a signature to look for just the SYN packet size would this work to set two different sizes?

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"1337 DDoS Tool"; flags:S; dsize:>799; dsize:<936; reference:url,https://www.incapsula.com/blog/650gbps-ddos-attack-leet-botnet.html; classtype:attempted-dos; sid:6000049; rev:1;)


Any help would be awesome. Thanks!


Sent from Outlook<http://aka.ms/weboutlook>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20161228/41f7b145/attachment.html>


More information about the Snort-sigs mailing list