[Snort-users] Urgent!! ddos-stacheldraht server-spoof

Max Vision vision at ...4...
Fri Mar 30 22:45:59 EST 2001


Ouch, that's painful, not only that, but I just saw that the source IP
address is supposed to be a fixed value (3.3.3.3) but somehow got changed
back to "any".

This rule is now repaired.  Sorry for any inconvenience... you should grab
the new ruleset.

Max

On Sat, 31 Mar 2001, Siddhartha Jain wrote:

> Hi,
>
> I got 302 "ddos-stacheldraht server-spoof" alerts from 235 unique IPs to 4
> destination IPs in 3 days. Is every alert one packet containing the attack
> signature? Does this look like the beginning of a real ddos? This is a typical
> packet triggering the alert:
>
> [**] IDS193/ddos-stacheldraht server-spoof [**]
> 03/30-21:10:18.123939 0:3:31:BA:A8:A8 -> 0:A0:C9:FC:2D:7C type:0x800
> len:0x3C
> ss.ss.ss.ss -> dd.dd.dd.dd ICMP TTL:238 TOS:0x0 ID:16641 IpLen:20 DgmLen:32
> DF
> Type:8  Code:0  ID:666   Seq:1  ECHO
> ????
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> ----------snip --------------------
>
>
> Siddhartha
>
>
>
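
A triage sketch for the alert flood discussed in this thread, added here as an example and not code from the thread or from the Snort project: it parses alerts in the layout quoted above (including the mail-wrapped `len:` and `DF` lines) and separates those whose source is the fixed 3.3.3.3 the rule is supposed to require from those that fired only because the source had become "any". The sample alerts, the documentation-range addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

EXPECTED_SRC = "3.3.3.3"  # fixed source the thread says the rule should require
HEADER = re.compile(r"^\[\*\*\]\s*(.+?)\s*\[\*\*\]\s*$")
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ADDRS = re.compile(rf"^({IP})\s+->\s+({IP})\s+ICMP\b")
ICMP = re.compile(r"^Type:(\d+)\s+Code:(\d+)\s+ID:(\d+)")

def _alert(src, dst):
    """Build one constructed alert in the layout quoted in the thread."""
    return ("[**] IDS193/ddos-stacheldraht server-spoof [**]\n"
            "03/30-21:10:18.123939 0:3:31:BA:A8:A8 -> 0:A0:C9:FC:2D:7C type:0x800\n"
            "len:0x3C\n"
            f"{src} -> {dst} ICMP TTL:238 TOS:0x0 ID:16641 IpLen:20 DgmLen:32\nDF\n"
            "Type:8  Code:0  ID:666   Seq:1  ECHO\n")

# Constructed sample: placeholder addresses, not data from the thread.
SAMPLE = "".join(_alert(s, d) for s, d in [
    ("192.0.2.17", "198.51.100.5"), ("192.0.2.44", "198.51.100.6"),
    ("3.3.3.3", "198.51.100.5"), ("192.0.2.17", "198.51.100.6"),
])

def parse_alerts(text):
    """Return one dict per alert; lines that match no pattern are skipped."""
    alerts, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            cur = {"sig": m.group(1)}
            alerts.append(cur)
        elif cur is not None and (m := ADDRS.match(line)):
            cur["src"], cur["dst"] = m.groups()
        elif cur is not None and (m := ICMP.match(line)):
            cur["itype"], cur["icode"], cur["icmp_id"] = map(int, m.groups())
    return alerts

def triage(alerts, sig="server-spoof"):
    """Split alerts for `sig` by whether the source is the pinned address."""
    hits = [a for a in alerts if sig in a["sig"] and "src" in a]
    loose = Counter(a["src"] for a in hits if a["src"] != EXPECTED_SRC)
    return {
        "total": len(hits),
        "unique_sources": len({a["src"] for a in hits}),
        "destinations": sorted({a["dst"] for a in hits}),
        "matches_pinned_source": sum(a["src"] == EXPECTED_SRC for a in hits),
        "only_from_any_source": dict(loose),
    }
```

Alerts counted under `only_from_any_source` are the ones that should stop appearing once the repaired ruleset is loaded.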




