[Snort-users] Shaft?

John Sage jsage at ...2022...
Sun Aug 25 11:06:02 EDT 2002


J Craig:

In a word, Yes.

That same source IP, same date, same source port 13000, as well.

There was a thread of about 6 posts regarding this specific probe,
from this specific source IP, on the intrusions at ...2034... list.

Here was mine:


< begin post >

A rare bird:

Date: Wed, 21 Aug 2002 21:29:20 -0700
Subject: ACID Incident Report
Generated by ACID v0.9.6b21 on Wed August 21, 2002 21:29:19

------------------------------------------------------------------------------
#(116 - 122) [2002-08-21 09:37:16] [arachNIDS/252-253]  DDOS shaft synflood
IPv4: 195.27.218.62 -> 12.82.128.178
      hlen=5 TOS=0 dlen=40 ID=39977 flags=0 offset=0 TTL=16 chksum=42056
TCP:  port=13000 -> dport: 13000  flags=******S* seq=674711609
      ack=647068936 off=5 res=0 win=8768 urp=61171 chksum=64181
Payload: none
------------------------------------------------------------------------------

snort:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/21-09:37:16.080331 195.27.218.62:13000 -> 12.82.128.178:13000
TCP TTL:16 TOS:0x0 ID:39977 IpLen:20 DgmLen:40 DF
******S* Seq: 0x28374839  Ack: 0x26917D08  Win: 0x2240  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Snort processed 1 packets.
Breakdown by protocol:               
Action Stats: 
    TCP: 1        (100.000%)          ALERTS: 0        
    UDP: 0          (0.000%)          LOGGED: 0        
   ICMP: 0          (0.000%)          PASSED: 0        
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================


[toot at ...2057... /usr/local/2]# ./2.pl hd 28374839
674711609


The relevant snort 1.8.7 rule:

[toot at ...2057... /usr/local/snort-1.8.7]# grep shaft *.rules
ddos.rules: alert tcp $HOME_NET any <> $EXTERNAL_NET any
 (msg:"DDOS shaft synflood"; flags: S; seq: 674711609;
 reference:arachnids,253; classtype:attempted-dos; sid:241; rev:2;)


Note that the rule is bidirectional; ArachNIDS 252 is the best
candidate here, as this packet was incoming...

Ref: http://www.whitehats.com/info/IDS252

< end post >


HTH.

- John

-- 
"In those days, you could not buy a $2000 200MHz Pentium server."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705



On Fri, Aug 23, 2002 at 09:19:18PM -0500, J. Craig Woods wrote:
> No, not the movie. The trojan. I was wondering if anyone on the list has
> run into the log entry:
> 
> Aug 21 16:32:47 lincoln snort: [1:241:2] DDOS shaft synflood
> [Classification: Attempted Denial of Service] [Priority: 2]: {TCP}
> 195.27.218.62:13000 -> X.X.X.X:13000
> Aug 22 04:39:18 lincoln snort: [1:241:2] DDOS shaft synflood
> [Classification: Attempted Denial of Service] [Priority: 2]: {TCP}
> 195.27.218.62:6000 -> X.X.X.X:6000
> 
> I have left in the source ip because it is important in understanding
> this alert. A simple whois will show this ip to be in the RIPE netblock.
> It also has no reverse dns configured. Yes, it might very well be
> spoofed or a false positive. 
> 
> I have checked out all of my security on my server, and things look
> intact, and I can not find any penetration. I was hoping someone might
> have some thoughts on this alert or maybe you can point me in the right
> direction. Of course, neither of these ports are open to the internet. I
> have ipchains logging for attempts on port 6000(X), and it clearly shows
> a DENY on that one. No logging on 13000 but it is filtered (strange port
> to be probing, yes?)
> 
> Thanks for any assistance,
> drjung
> 
> -- 
> J. Craig Woods
> UNIX Network/System Administration
> http://www.trismegistus.net/resume.html
> Character is built upon the debris of despair --Emerson
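The rule John quotes keys on a single fixed initial sequence number (674711609, which snort's packet dump prints as Seq: 0x28374839) on a SYN-only segment, and both of Craig's hits share the oddity that the source port equals the destination port (13000->13000, 6000->6000). The following is an added example, not code from this thread or from Snort: it parses records in the three-line snort packet-dump layout shown above, converts the hex fields to integers, applies the same seq-plus-SYN test that sid 241 applies, and flags the sport==dport pattern and the per-source repeat count. The sample records are constructed (RFC 5737 documentation addresses, not the hosts in the thread), and the regular expressions assume the field order of the quoted dump.

```python
import re
from collections import Counter

# Initial sequence number that Snort 1.8.7 sid 241 ("DDOS shaft synflood") keys on:
# decimal 674711609 in ddos.rules, printed by snort's packet dump as Seq: 0x28374839
# (the conversion the thread did by hand with "2.pl hd 28374839").
SHAFT_SEQ = 674711609

# Constructed sample input in the same layout as the snort dump quoted in the thread.
# Addresses are RFC 5737 documentation addresses, not real hosts; first two records
# carry the shaft ISN and sport==dport, the third is an ordinary SYN to port 80.
SAMPLE_DUMP = """\
08/21-09:37:16.080331 198.51.100.7:13000 -> 192.0.2.10:13000
TCP TTL:16 TOS:0x0 ID:39977 IpLen:20 DgmLen:40 DF
******S* Seq: 0x28374839  Ack: 0x26917D08  Win: 0x2240  TcpLen: 20

08/22-04:39:18.112233 198.51.100.7:6000 -> 192.0.2.10:6000
TCP TTL:16 TOS:0x0 ID:40011 IpLen:20 DgmLen:40 DF
******S* Seq: 0x28374839  Ack: 0x26917D08  Win: 0x2240  TcpLen: 20

08/22-04:40:02.445566 203.0.113.5:44321 -> 192.0.2.10:80
TCP TTL:54 TOS:0x0 ID:1234 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
"""

# Line 1 of a record: timestamp, src:sport -> dst:dport (assumed layout, from the quoted dump)
HEADER_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
# Line 3 of a record: 8-position flag string (1 2 U A P R S F), then hex Seq/Ack/Win
TCP_RE = re.compile(
    r"^(?P<flags>[*12UAPRSF]{8}) Seq: 0x(?P<seq>[0-9A-Fa-f]+)\s+Ack: 0x(?P<ack>[0-9A-Fa-f]+)"
    r"\s+Win: 0x(?P<win>[0-9A-Fa-f]+)")


def parse_snort_dump(text):
    """Split the dump into blank-line separated records and return one dict per
    record, with ports as ints and seq/ack/win converted from hex to decimal."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        hdr = HEADER_RE.match(lines[0])
        tcp = TCP_RE.match(lines[2])
        if not hdr or not tcp:
            continue  # not a TCP record in the expected layout; skip it
        rec = hdr.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        rec["flags"] = tcp.group("flags")
        for field in ("seq", "ack", "win"):
            rec[field] = int(tcp.group(field), 16)
        records.append(rec)
    return records


def is_shaft_syn(rec):
    """The sid 241 test: a SYN-only segment carrying the fixed shaft ISN."""
    return rec["flags"] == "******S*" and rec["seq"] == SHAFT_SEQ


def shaft_alerts(text):
    """Return (record, note) pairs for matching packets; the note marks the
    sport==dport pattern seen in the thread's 13000->13000 and 6000->6000 hits."""
    hits = []
    for rec in parse_snort_dump(text):
        if is_shaft_syn(rec):
            note = "sport==dport" if rec["sport"] == rec["dport"] else ""
            hits.append((rec, note))
    return hits


def hits_by_source(text):
    """Count matching packets per source IP so a repeat prober stands out."""
    return Counter(rec["src"] for rec, _ in shaft_alerts(text))


if __name__ == "__main__":
    for rec, note in shaft_alerts(SAMPLE_DUMP):
        print(f"{rec['ts']} {rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} "
              f"seq={rec['seq']} (0x{rec['seq']:08X}) DDOS shaft synflood {note}")
    print(dict(hits_by_source(SAMPLE_DUMP)))
```

Because the match is on a constant ISN rather than on any payload, a single hit says little beyond "a packet with that seq arrived"; the per-source count and the sport==dport note are what make the repeated probe from one host visible, which is the pattern both posters saw.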



