[Snort-sigs] 1337 Bot and TCP options detection

joshua burgess avonyxx at ...12...
Wed Dec 28 11:26:17 EST 2016

Unfortunately, setting the flowbits isn't an option because I'm using McAfee NSM and their half-baked interpretation of Snort, which doesn't support it. As for my second rule, can I create two different dsize variables to narrow the match down to in between two different packet sizes?

Sent from Outlook<http://aka.ms/weboutlook>
From: FOULDE Damien <damien.foulde at ...4205...>
Sent: Wednesday, December 28, 2016 11:01:15 AM
To: joshua burgess
Cc: snort-sigs at lists.sourceforge.net
Subject: RE: 1337 Bot and TCP options detection


To be able to match on the |01 03 03 07| content in the TCP header and then use the "flags" keyword, you could split the rule: set a flowbit (http://blog.snort.org/2011/05/resolving-flowbit-dependancies.html) in a first Snort ip rule and check this flowbit in a second Snort tcp rule.



From: FOULDE Damien
Sent: Wednesday, December 28, 2016 15:23
To: 'joshua burgess'
Cc: snort-sigs at lists.sourceforge.net
Subject: RE: 1337 Bot and TCP options detection

Hello Joshua,

You may write an ip rule, not a tcp one, to be able to match on the |01 03 03 07| content in the TCP header.
However, writing the Snort rule this way will prevent you from using the "flags" keyword, which is reserved for tcp rules.



From: joshua burgess [mailto:avonyxx at ...12...]
Sent: Wednesday, December 28, 2016 13:51
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] 1337 Bot and TCP options detection

To check a few boxes, I'm trying to gen up two signatures designed to detect the latest 1337 bot that Imperva wrote about (https://www.incapsula.com/blog/650gbps-ddos-attack-leet-botnet.html)

Basically, I'm trying to write a signature designed to detect the TCP options that spell out 1337, as well as an abnormally large SYN packet ranging from 799 to 936.

I don't know if Snort supports my specifying the TCP options like:

Number: No-Operation (NOP) (1)
Kind: Window Scale (3)
Length: (3)
Shift count: (7)

Could I do it with "content" only? It doesn't seem likely, but I'm running out of ideas...

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"1337 DDoS Tool"; flags:S; content:"Number: No-Operation (NOP) (1)"; content:"Kind: Window Scale (3)"; content:"Length: (3)"; content:"Shift count: (7)"; reference:url,https://www.incapsula.com/blog/650gbps-ddos-attack-leet-botnet.html; classtype:attempted-dos; sid:6000049; rev:1;)

As far as writing a signature to look for just the SYN packet size would this work to set two different sizes?

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"1337 DDoS Tool"; flags:S; dsize:799<>936; reference:url,https://www.incapsula.com/blog/650gbps-ddos-attack-leet-botnet.html; classtype:attempted-dos; sid:6000050; rev:1;)

Any help would be awesome. Thanks!

Sent from Outlook<http://aka.ms/weboutlook>
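An added example, not code from this thread, from Snort, or from Imperva's write-up: a small Python reference check for the two properties the thread is trying to detect, a SYN whose TCP options carry NOP followed by Window Scale with shift count 7 (the bytes 01 03 03 07) and whose payload length falls in the 799 to 936 range. It also shows the point made in the replies: a content match in a Snort tcp rule only searches the payload, which begins after the options, while an ip rule's buffer begins at the transport header and so does contain them. The packets are constructed here (checksums left at zero), the function names are mine, and the size range is assumed to be inclusive.

```python
import struct

# Bytes the thread wants to find in the SYN's TCP options: NOP (kind 1), then
# Window Scale (kind 3, length 3, shift count 7).
LEET_OPTION_BYTES = b"\x01\x03\x03\x07"
# Payload-size range quoted in the thread; treated as inclusive here (assumption).
PAYLOAD_MIN, PAYLOAD_MAX = 799, 936
TCP_SYN = 0x02


def build_ipv4_tcp(flags, options=b"", payload=b""):
    """Build a constructed IPv4/TCP packet for testing (checksums left at zero)."""
    opts = options + b"\x00" * (-len(options) % 4)   # pad with EOL to a 32-bit boundary
    data_off = 20 + len(opts)
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 80,                   # source / destination port
                          1, 0,                        # seq / ack
                          (data_off // 4) << 4, flags,
                          65535, 0, 0)                 # window / checksum / urgent
    tcp = tcp_hdr + opts + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip_hdr + tcp


def split_tcp(frame):
    """Return (flags, options, payload, transport) for an IPv4 frame carrying TCP.

    `transport` starts at the TCP header: the buffer a Snort ip rule's content
    match runs over.  `payload` starts after the options: the only bytes a
    tcp rule's content match and dsize ever see.
    """
    if frame[0] >> 4 != 4 or frame[9] != 6:
        raise ValueError("not IPv4/TCP")
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    transport = frame[ihl:total_len]
    data_off = (transport[12] >> 4) * 4
    if data_off < 20 or data_off > len(transport):
        raise ValueError("bad TCP data offset")
    return transport[13], transport[20:data_off], transport[data_off:], transport


def parse_tcp_options(options):
    """Walk the TCP options block into a list of (kind, data) tuples."""
    parsed, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # NOP carries no length byte
            parsed.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad TCP option length")
        parsed.append((kind, options[i + 2:i + length]))
        i += length
    return parsed


def has_nop_then_ws7(options):
    """True when a NOP is immediately followed by Window Scale with shift 7."""
    parsed = parse_tcp_options(options)
    return any(parsed[k] == (1, b"") and parsed[k + 1] == (3, b"\x07")
               for k in range(len(parsed) - 1))


def tcp_rule_sees(frame, pattern):
    """What content:"pattern" finds in an `alert tcp` rule: payload only."""
    return pattern in split_tcp(frame)[2]


def ip_rule_sees(frame, pattern):
    """What content:"pattern" finds in an `alert ip` rule: TCP header included."""
    return pattern in split_tcp(frame)[3]


def is_leet_syn(frame):
    """Both thread conditions: SYN-only flags (like flags:S), NOP + WS(7) inside
    the parsed options rather than anywhere in the packet, payload size in range."""
    flags, options, payload, _ = split_tcp(frame)
    return (flags == TCP_SYN
            and has_nop_then_ws7(options)
            and PAYLOAD_MIN <= len(payload) <= PAYLOAD_MAX)


# Constructed samples (not captured traffic): MSS, SACK-permitted, NOP, WS 7.
LEET_OPTIONS = b"\x02\x04\x05\xb4\x04\x02\x01\x03\x03\x07"
SAMPLE_LEET = build_ipv4_tcp(TCP_SYN, LEET_OPTIONS, b"A" * 850)
SAMPLE_NORMAL = build_ipv4_tcp(TCP_SYN, b"\x02\x04\x05\xb4\x01\x03\x03\x08")
# Decoy: the four option bytes sit in the payload, not in the TCP header.
SAMPLE_DECOY = build_ipv4_tcp(TCP_SYN, b"\x02\x04\x05\xb4",
                              b"x" * 400 + LEET_OPTION_BYTES + b"y" * 400)
```

Mapped back to Snort, this is the two-rule split described in the replies: the |01 03 03 07| match belongs in an ip rule, where the content buffer begins at the TCP header, and the size check is a dsize range on a tcp rule. The decoy packet shows why an unbounded content match in an ip rule is not the same as checking the options: the same four bytes in the payload also satisfy it, so constrain the match to the header region with offset and depth (the options begin 20 bytes into that buffer) if the platform allows it.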
