[Snort-sigs] 1337 Bot and TCP options detection

joshua burgess avonyxx at ...12...
Tue Jan 3 11:58:25 EST 2017


Sorry to resurrect this older thread...


Would this work?

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"1337 DDoS Tool"; content:"|01 03 03 07|"; flowbits:set,1337; reference:url,https://www.incapsula.com/blog/650gbps-ddos-attack-leet-botnet.html; classtype:attempted-dos; sid:X; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"1337 DDoS Tool"; flowbits:isset,1337; flags:S; dsize:799<>936;  reference:url,https://www.incapsula.com/blog/650gbps-ddos-attack-leet-botnet.html; classtype:attempted-dos; sid:X; rev:1;)



Sent from Outlook<http://aka.ms/weboutlook>
________________________________
From: FOULDE Damien <damien.foulde at ...4205...>
Sent: Wednesday, December 28, 2016 9:23:21 AM
To: joshua burgess
Cc: snort-sigs at lists.sourceforge.net
Subject: RE: 1337 Bot and TCP options detection

Hello Joshua,

You may write an ip rule, not a tcp one, to be able to match on the |01 03 03 07| content in the TCP header.
However writing the snort rule through this way will prevent you to use the "flags" keyword reserved for the tcp rules.

Regards,

Damien

De : joshua burgess [mailto:avonyxx at ...12...]
Envoyé : mercredi 28 décembre 2016 13:51
À : snort-sigs at lists.sourceforge.net
Objet : [Snort-sigs] 1337 Bot and TCP options detection


To check a few boxes, I'm trying to gen up two signatures designed to detect the latest 1337 bot that Imperva wrote about (https://www.incapsula.com/blog/650gbps-ddos-attack-leet-botnet.html)



Basically I'm trying to write a signature designed to detect the TCP options which spell out 1337 as well as an abnormally large SYN packet ranging from 799 to 936.



I don't know SNORT supports my specifying the TCP options like:

Number: No-Operation (NOP) (1)

Kind: Window Scale (3)

Length: (3)

Shift count: (7)



Could I do it with"content" only, it doesn't seem likely but I'm running out of ideas...

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"1337 DDoS Tool"; flags:S; content:"Number: No-Operation (NOP) (1)"; content:"Kind: Window Scale (3)"; content:"Length: (3)"; content:"Shift count: (7)"; reference:url,https://www.incapsula.com/blog/650gbps-ddos-attack-leet-botnet.html; classtype:attempted-dos; sid:6000049; rev:1;)


As far as writing a signature to look for just the SYN packet size would this work to set two different sizes?

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"1337 DDoS Tool"; flags:S; dsize:>799; dsize:<936; reference:url,https://www.incapsula.com/blog/650gbps-ddos-attack-leet-botnet.html; classtype:attempted-dos; sid:6000049; rev:1;)



Any help would be awesome. Thanks!


Sent from Outlook<http://aka.ms/weboutlook>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170103/67387fef/attachment.html>


More information about the Snort-sigs mailing list