[Snort-users] TFN2k signature?
vision at ...4...
Fri Oct 13 15:51:58 EDT 2000
At 10:33 AM 10/13/2000 +0100, Pete Philips wrote:
>I've been having a poke round the latest set of IDS rules (10102k)
>and notice there is a signature for TFN but not TFN2k. Has anyone
>written one or does the TFN rule also cover TFN2k?
arachNIDS now contains several descriptions for TFN2k. Be aware that the
UDP and TCP rules are not likely to be accurate, as each is based solely on
the packet contents (all UDP and TCP headers such as ports, flags, etc. are
randomized by TFN2k).
TFN2k is substantially different than TFN. TFN2k is a very advanced DDOS
tool that features strong encryption and multiple levels of
obfuscation. The author specifically intended to thwart intrusion
detection, although Mixter later identified several weak spots in his paper
entitled "TFN3k" (those weaknesses being the trailing "A" padding and the
use of base64 encoding).
Snort can detect some of this traffic, but the signatures would be more
accurate if regular expressions were implemented to detect the base64 encoding.
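As an added illustration of the two weak spots named above (not code from the thread or from arachNIDS), the following heuristic inspects only the payload, ignoring the randomized ports and flags, and flags a body that is pure base64 and ends in a long run of "A" characters. The base64 alphabet used, the inclusion of "=" padding, the threshold of eight trailing "A"s and all sample payloads are assumptions constructed for the example.

```python
import string

# Base64 alphabet; '=' padding included as an assumption about the wire format.
_B64_ALPHABET = set((string.ascii_letters + string.digits + "+/=").encode())


def trailing_a_run(payload: bytes) -> int:
    """Length of the run of 'A' bytes at the very end of the payload."""
    n = 0
    for b in reversed(payload):
        if b != ord("A"):
            break
        n += 1
    return n


def is_base64_only(payload: bytes) -> bool:
    """True when every byte is in the base64 alphabet (empty payload -> False)."""
    return bool(payload) and all(b in _B64_ALPHABET for b in payload)


def looks_like_tfn2k_payload(payload: bytes, min_trailing_a: int = 8) -> bool:
    """Header-independent heuristic: base64-only body ending in a long 'A' run.

    min_trailing_a is an assumed threshold, not a value from the thread; a
    legitimate base64 blob that happens to end in many 'A's is a false positive,
    so treat a hit as a candidate for review rather than a confirmed detection.
    """
    return is_base64_only(payload) and trailing_a_run(payload) >= min_trailing_a


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "tfn2k_like": b"Q2F0Y2ggbWUgaWYgeW91IGNhbg" + b"A" * 12,
    "http": b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "plain_b64": b"SGVsbG8gd29ybGQ=",
    "short_a_run": b"SGVsbG8gd29ybGQAAA",
}


def scan(samples=SAMPLES):
    """Run the heuristic over every sample; returns {name: alerted}."""
    return {name: looks_like_tfn2k_payload(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, hit in scan().items():
        print(f"{name:12s} {'ALERT' if hit else 'ok'}")
```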