[Snort-users] TFN2k signature?

Max Vision vision at ...4...
Fri Oct 13 15:51:58 EDT 2000

At 10:33 AM 10/13/2000 +0100, Pete Philips wrote:
>I've been having a poke round the latest set of IDS rules (10102k)
>and notice there is a signature for TFN but not TFN2k. Has anyone
>written one or does the TFN rule also cover TFN2k?

arachNIDS now contains several descriptions for TFN2k.  Be aware that the 
UDP and TCP rules are not likely to be accurate, as each is based solely on 
the packet contents (all UDP and TCP headers such as ports, flags, etc are 
randomized by TFN2k)

  http://whitehats.com/IDS/425 (icmp)
  http://whitehats.com/IDS/426 (udp)
  http://whitehats.com/IDS/427 (tcp)

TFN2k is substantially different than TFN.  TFN2k is a very advanced DDOS 
tool that features strong encryption and multiple levels of 
obfuscation.  The author specifically intended to thwart intrusion 
detection, although Mixter later identified several weak spots in his paper 
entitled "TFN3k" (those weaknesses being the trailing "A" padding and the 
use of base64 encoding).

Snort can detect some of this traffic, but the signatures would be more 
accurate if regular expressions we implemented to detect the base64 encoding.


More information about the Snort-users mailing list